From mboxrd@z Thu Jan 1 00:00:00 1970 From: Mike Kazantsev Subject: POSIX CAP_DAC_READ_SEARCH doesn't bypass file read permissions? Date: Sat, 26 Dec 2009 23:30:12 +0500 Message-ID: <20091226233012.38d67cf5@coercion> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=PGP-SHA1; boundary="Sig_/IowyVvLHUVi6wOvnkxZm96Y"; protocol="application/pgp-signature" To: linux-fsdevel@vger.kernel.org Return-path: Received: from lo.gmane.org ([80.91.229.12]:50767 "EHLO lo.gmane.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752893AbZLZSfL (ORCPT ); Sat, 26 Dec 2009 13:35:11 -0500 Received: from list by lo.gmane.org with local (Exim 4.50) id 1NObTm-000099-HB for linux-fsdevel@vger.kernel.org; Sat, 26 Dec 2009 19:35:06 +0100 Received: from 91.191.238.58 ([91.191.238.58]) by main.gmane.org with esmtp (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for ; Sat, 26 Dec 2009 19:35:06 +0100 Received: from mk.fraggod by 91.191.238.58 with local (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for ; Sat, 26 Dec 2009 19:35:06 +0100 Sender: linux-fsdevel-owner@vger.kernel.org List-ID: --Sig_/IowyVvLHUVi6wOvnkxZm96Y Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: quoted-printable Good day. I'm not sure if it's the right list, but I believe the checks I'm bumping against should be done in filesystem code. I haven't used POSIX capabilities until now, and is trying to solve classical backup case, when rsync process need to read whole fs, yet I don't want to give it any extra privileges or root-level access to everything. CAP_DAC_READ_SEARCH seem to be well-suited and sufficient for the task, according to docs: Bypass file read permission checks and directory read and execute permission checks. I can see it bypassing directory checks, but it fails to bypass file permission check. For example, following code fails with "Capability: 1, Error: Permission denied" on any file with 0000 permissions or, for example, "/root/test1" file with 700 permissions, while succeeding for "/root/test2" file with 755, with "/root" path having 700 mode and uid of test-user is non-root. Getcap of a binary gives "=3D cap_dac_read_search+eip", which is consistent with capng_have_capability result. #include #include =20 #include #include #include =20 #include =20 int main(int argc, char **argv) { =20 printf( "Capability: %d, ", capng_have_capability(CAPNG_EFFECTIVE, CAP_DAC_READ_SEARCH) ); =20 int fd; if ((fd =3D open(argv[1], O_RDONLY)) =3D=3D -1) { printf("Error: %s\n", (char*) strerror(errno)); return(1); } else { close(fd); return(0); } =20 }; I've tried this code with the same result for ext4, reiserfs and xfs. CAP_DAC_OVERRIDE works for bypassing any permissions, but it's not quite what I need. Kernel is 2.6.32.2, with CONFIG_SECURITY_FILE_CAPABILITIES=3Dy and security labels enabled for all filesystems that support them. So, now I'm puzzled: is that a normal behavior for this capability? Am I doing something wrong? Is there a bug in documentation, or prehaps I misinterpreted it? Thanks in advance for shedding any light on this mystery. --=20 Mike Kazantsev // fraggod.net --Sig_/IowyVvLHUVi6wOvnkxZm96Y Content-Type: application/pgp-signature; name=signature.asc Content-Disposition: attachment; filename=signature.asc -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.13 (GNU/Linux) iEYEARECAAYFAks2VjoACgkQASbOZpzyXnHyGACgteGzmNW4WnwyZ9xyO1JS4kxo bDAAn0B25W63vy27I1qlWzvs3FW6H34o =J3pT -----END PGP SIGNATURE----- --Sig_/IowyVvLHUVi6wOvnkxZm96Y--