public inbox for b.a.t.m.a.n@lists.open-mesh.org
From: Sven Eckelmann <sven@narfation.org>
To: b.a.t.m.a.n@lists.open-mesh.org
Cc: MK <mailing.m1@kkk-web.de>
Subject: Re: [B.A.T.M.A.N.] [PATCH] alfred: Drop capabilities when not needed
Date: Thu, 05 Mar 2015 09:05:49 +0100	[thread overview]
Message-ID: <4125628.0zdKZFIalx@bentobox> (raw)
In-Reply-To: <mct705$mdf$1@ger.gmane.org>

Hi,

Please Cc me when you want an answer from me (I am not subscribed to this 
mailing list). I just found this mail by pure luck.

On Saturday 28 February 2015 21:04:19 MK wrote:
> Thanks for the patch. Setup seems to be still working. How can I verify that
> privileges really dropped?

The privileges of a process can be found in

$ cat /proc/`pidof alfred`/status

The active capabilities are CapEff. The capabilities the process can request 
can be found in CapPrm.

> There are further questions:
> 
> Is _read_ access for the alfred user (resp. group) sufficient in
> /sys/kernel/debug/batman_adv/* ?
> Or is write access on the socket file in this directory mandatory for full
> functionality?

The process needs to access the path and read the files. For example, my system 
allows reading of these files by default BUT disallows non-root access to 
/sys/kernel/debug:

$ ls -ltrd /sys/kernel/debug
drwx------ 27 root root 0 Mar  2 18:58 /sys/kernel/debug

I would have to allow other users o+rx access to this path before being able 
to access the batman-adv files:

$ cat /sys/kernel/debug/batman_adv/bat0/originators
cat: /sys/kernel/debug/batman_adv/bat0/originators: Permission denied
$ sudo chmod o+rx /sys/kernel/debug
$ cat /sys/kernel/debug/batman_adv/bat0/originators
[B.A.T.M.A.N. adv 2014.3.0, MainIF/MAC: eth0/XX:XX:XX:XX:XX:XX (bat0 
BATMAN_IV)]
  Originator      last-seen (#/255)           Nexthop [outgoingIF]:   
Potential nexthops ...
No batman nodes in range ...


!!!! WARNING !!!!
I don't recommend granting all users access to /sys/kernel/debug.

Kind regards,
	Sven
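The check Sven describes above (reading CapPrm/CapEff from /proc/<pid>/status) is easier to act on when the hex masks are translated into capability names. The following is an added example script, not part of alfred or of the original mail; it assumes only a POSIX shell, awk and the Linux capability bit numbering from include/uapi/linux/capability.h. The sample status file written by the usage section is constructed for illustration and does not show what alfred actually retains.

```shell
#!/bin/sh
# Decode the CapPrm/CapEff masks that /proc/<pid>/status prints as 16 hex digits.
# Added example for this thread, not code from alfred or from the original mail.

# Capability names indexed by bit number, in Linux capability.h order (bits 0..40).
CAP_NAMES="chown dac_override dac_read_search fowner fsetid kill setgid setuid \
setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock \
ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot \
sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control \
setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read perfmon bpf \
checkpoint_restore"

# cap_field FILE NAME -> prints the hex mask of e.g. CapEff from a status-format file
cap_field() {
    awk -v key="$2:" '$1 == key { print $2 }' "$1"
}

# decode_caps HEXMASK -> prints the cap_* name of every set bit, lowest bit first,
# or "(none)" when the mask is empty (the expected CapEff after dropping everything).
# Only bits 0..40 are named; real kernels define no capabilities above that today.
decode_caps() {
    mask=$(( 0x$1 ))
    bit=0
    out=""
    for name in $CAP_NAMES; do
        if [ $(( (mask >> bit) & 1 )) -eq 1 ]; then
            out="${out}${out:+ }cap_$name"
        fi
        bit=$(( bit + 1 ))
    done
    if [ -z "$out" ]; then
        out="(none)"
    fi
    printf '%s\n' "$out"
}

# show_caps PID -> decoded permitted and effective sets of a running process
show_caps() {
    status="/proc/$1/status"
    for f in CapPrm CapEff; do
        printf '%s: %s\n' "$f" "$(decode_caps "$(cap_field "$status" "$f")")"
    done
}

# Usage: decode a constructed status snippet (the values are made up for the demo),
# then, if a PID was given on the command line, the real process.
sample=$(mktemp)
printf 'Name:\tdemo\nCapInh:\t0000000000000000\nCapPrm:\t0000000000003000\nCapEff:\t0000000000001000\n' > "$sample"
decode_caps "$(cap_field "$sample" CapPrm)"   # cap_net_admin cap_net_raw
decode_caps "$(cap_field "$sample" CapEff)"   # cap_net_admin
rm -f "$sample"
if [ $# -gt 0 ]; then
    show_caps "$1"
fi
```

Run it as `sh decode_caps.sh "$(pidof alfred)"` against the live daemon. A successful privilege drop shows CapEff (and, once the bounding set is also cut, CapPrm) reduced to the few capabilities the daemon still needs, rather than the full root mask.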

Thread overview: 5+ messages
2015-02-23 19:18 [B.A.T.M.A.N.] [PATCH] alfred: Drop capabilities when not needed Sven Eckelmann
2015-02-28 20:04 ` MK
2015-02-28 22:36   ` Simon Wunderlich
2015-03-05  8:05   ` Sven Eckelmann [this message]
2015-03-11 12:07 ` Simon Wunderlich
