From: Stephen Smalley <sds@tycho.nsa.gov>
To: Laurent Bigonville <bigon@debian.org>,
Daniel J Walsh <dwalsh@redhat.com>
Cc: selinux@tycho.nsa.gov
Subject: Re: newrole not working when built with LSPP_PRIV=y
Date: Thu, 1 Oct 2015 14:36:13 -0400 [thread overview]
Message-ID: <560D7D1D.3020906@tycho.nsa.gov> (raw)
In-Reply-To: <560CE5E5.9030405@debian.org>
On 10/01/2015 03:51 AM, Laurent Bigonville wrote:
>
>
> Le 29/09/15 21:35, Stephen Smalley a écrit :
>> On 09/26/2015 09:10 PM, Laurent Bigonville wrote:
>>> [...]
>>>
>>> The patch seems to break an other thing, it Fedora the newrole
>>> executable is not setuid root, but it is granted a bunch of capabilities
>>> explicitly, if I setuid this executable instead of granting these
>>> capabilities, I get yet an other error:
>>>
>>> Sorry, newrole failed to drop capabilities: Operation not permitted
>>>
>>> So I guess something need to be fixed here.
>>
>> Yes, the current code just seems to be wrong here. The setresuid()
>> call will drop all capabilities if newrole is setuid-root and the
>> caller is non-root, so it will end up dropping all capabilities
>> immediately. Then the attempt to further set the capabilities will
>> fail (as above), as will any subsequent privileged operations. As
>> currently written, this can only work if not setuid-root and using
>> file-caps. And in that case, the setresuid() call doesn't make sense.
>>
>> Dan?
>
> Apparently libcapng has a capng_change_id(3) function that can be used
> to "change the credentials retaining capabilities".
If you just delete the setresuid() call entirely from the
NAMESPACE_PRIV=y drop_capabilities() function, then it works (on top of
the Fedora patch you cited). That function wasn't supposed to be doing
setresuid() in the first place; that is deferred to
transition_to_caller_uid(), _after_ pam_namespace has run. I'm guessing
that pam_namespace is broken in Fedora.
Note that the Fedora patch you cited has at least one bug; it reverts an
upstream fix to open stdin read/write to avoid breaking programs like
tmux that assume that if stdin is a tty, then it can be both read and
written.
prev parent reply other threads:[~2015-10-01 18:36 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-09-27 1:10 newrole not working when built with LSPP_PRIV=y Laurent Bigonville
2015-09-29 19:35 ` Stephen Smalley
2015-10-01 7:51 ` Laurent Bigonville
2015-10-01 18:36 ` Stephen Smalley [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=560D7D1D.3020906@tycho.nsa.gov \
--to=sds@tycho.nsa.gov \
--cc=bigon@debian.org \
--cc=dwalsh@redhat.com \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.