From mboxrd@z Thu Jan 1 00:00:00 1970
From: "Serge E. Hallyn"
Subject: Re: POSIX CAP_DAC_READ_SEARCH doesn't bypass file read permissions?
Date: Sun, 27 Dec 2009 16:06:10 -0600
Message-ID: <20091227220610.GA19083@us.ibm.com>
References: <20091226233012.38d67cf5@coercion>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Cc: linux-fsdevel@vger.kernel.org
To: Mike Kazantsev
Return-path:
Received: from e8.ny.us.ibm.com ([32.97.182.138]:45251 "EHLO e8.ny.us.ibm.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750947AbZL0WGI (ORCPT ); Sun, 27 Dec 2009 17:06:08 -0500
Received: from d01relay06.pok.ibm.com (d01relay06.pok.ibm.com [9.56.227.116]) by e8.ny.us.ibm.com (8.14.3/8.13.1) with ESMTP id nBRM0bHo015039 for ; Sun, 27 Dec 2009 17:00:37 -0500
Received: from d01av04.pok.ibm.com (d01av04.pok.ibm.com [9.56.224.64]) by d01relay06.pok.ibm.com (8.13.8/8.13.8/NCO v10.0) with ESMTP id nBRM67Bk1908784 for ; Sun, 27 Dec 2009 17:06:07 -0500
Received: from d01av04.pok.ibm.com (loopback [127.0.0.1]) by d01av04.pok.ibm.com (8.14.3/8.13.1/NCO v10.0 AVout) with ESMTP id nBRM66A2006034 for ; Sun, 27 Dec 2009 17:06:06 -0500
Content-Disposition: inline
In-Reply-To: <20091226233012.38d67cf5@coercion>
Sender: linux-fsdevel-owner@vger.kernel.org
List-ID:

Quoting Mike Kazantsev (mk.fraggod@gmail.com):
> Good day.
>
> I'm not sure if it's the right list, but I believe the checks I'm
> bumping against should be done in filesystem code.
>
> I haven't used POSIX capabilities until now, and am trying to solve
> the classical backup case, where the rsync process needs to read the
> whole fs, yet I don't want to give it any extra privileges or
> root-level access to everything.
>
> CAP_DAC_READ_SEARCH seems to be well-suited and sufficient for the
> task, according to the docs:
>
>     Bypass file read permission checks and directory read and execute
>     permission checks.
>
> I can see it bypassing directory checks, but it fails to bypass the
> file permission check.
>
> For example, the following code fails with "Capability: 1, Error:
> Permission denied" on any file with 0000 permissions or, for example,
> on a "/root/test1" file with 700 permissions, while succeeding for a
> "/root/test2" file with 755, with the "/root" path having mode 700
> and the uid of the test user being non-root.
> Getcap of the binary gives "= cap_dac_read_search+eip", which is
> consistent with the capng_have_capability result.
>
> /* build: cc -o captest captest.c -lcap-ng */
> #include <stdio.h>
> #include <string.h>
> #include <errno.h>
>
> #include <sys/types.h>
> #include <sys/stat.h>
> #include <fcntl.h>
> #include <unistd.h>
>
> #include <cap-ng.h>
>
> int main(int argc, char **argv) {
>
>     /* report whether CAP_DAC_READ_SEARCH is in the effective set */
>     printf( "Capability: %d, ",
>         capng_have_capability(CAPNG_EFFECTIVE, CAP_DAC_READ_SEARCH) );
>
>     /* then try a plain read-only open of the path given on the command line */
>     int fd;
>     if ((fd = open(argv[1], O_RDONLY)) == -1) {
>         printf("Error: %s\n", strerror(errno));
>         return 1;
>     }
>     else {
>         close(fd);
>         return 0;
>     }
> }
>
> I've tried this code with the same result for ext4, reiserfs and xfs.
> CAP_DAC_OVERRIDE works for bypassing any permissions, but it's not
> quite what I need.

To be sure, are you saying that you've tested with CAP_DAC_OVERRIDE and
that works?

Are you running with SELinux enforcing?

Note my own test on 2.6.33-rc2-00007-g85d1bb6 succeeds...

> Kernel is 2.6.32.2, with CONFIG_SECURITY_FILE_CAPABILITIES=y and
> security labels enabled for all filesystems that support them.
>
> So, now I'm puzzled: is that normal behavior for this capability?
> Am I doing something wrong?
> Is there a bug in the documentation, or perhaps I misinterpreted it?
>
> Thanks in advance for shedding any light on this mystery.
>
> --
> Mike Kazantsev // fraggod.net
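Added example, not code from the thread or from either participant: a self-contained probe that states the documented rule for CAP_DAC_READ_SEARCH versus CAP_DAC_OVERRIDE (file read and directory read/search only, versus any read/write/execute check) as a prediction function, then runs the four interesting opens against fixtures it creates itself under /tmp and prints where the kernel disagrees with the documentation. It assumes a Linux system with /proc mounted (the effective set is read from the CapEff line of /proc/self/status instead of through libcap-ng) and libcap's setcap for granting the file capability; the /tmp/capprobe.PID tree, file names and modes are constructed fixtures. It makes no claim about why a given kernel behaves as it does.

```c
/* Added example (not code from the thread): compare the documented semantics
 * of CAP_DAC_READ_SEARCH with what this kernel does, using fixtures the probe
 * creates itself under /tmp.  Build, grant the capability, run unprivileged:
 *   cc -o cap_probe cap_probe.c
 *   sudo setcap cap_dac_read_search+eip ./cap_probe   # libcap's setcap (assumed installed)
 *   ./cap_probe
 * Repeat with cap_dac_override+eip or with no file capability at all. */
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Bit numbers as in <linux/capability.h>; copied here to avoid the header dependency. */
#define CAP_DAC_OVERRIDE    1
#define CAP_DAC_READ_SEARCH 2

/* Effective capability mask from the text of /proc/self/status (0 if no CapEff line). */
uint64_t parse_cap_eff(const char *status_text)
{
    const char *p = strstr(status_text, "CapEff:");
    return p ? strtoull(p + strlen("CapEff:"), NULL, 16) : 0;
}

int has_cap(uint64_t eff_mask, int cap) { return (int)((eff_mask >> cap) & 1); }

/* The rule as capabilities(7) states it: CAP_DAC_OVERRIDE bypasses read, write
 * and execute checks; CAP_DAC_READ_SEARCH bypasses file read and directory
 * read/search checks only.  For a mode-0000 path (the DAC bits grant nothing),
 * predict whether open(2) with these flags should pass the permission check. */
int predicted_ok(uint64_t eff_mask, int open_flags)
{
    if (has_cap(eff_mask, CAP_DAC_OVERRIDE))
        return 1;
    return has_cap(eff_mask, CAP_DAC_READ_SEARCH) && (open_flags & O_ACCMODE) == O_RDONLY;
}

static uint64_t own_cap_eff(void)
{
    char buf[4096] = "";
    FILE *f = fopen("/proc/self/status", "r");
    if (f) { buf[fread(buf, 1, sizeof buf - 1, f)] = '\0'; fclose(f); }
    return parse_cap_eff(buf);
}

/* Attempts return 0 on success or the errno they failed with. */
static int try_open(const char *path, int flags)
{
    int fd = open(path, flags);
    if (fd < 0) return errno;
    close(fd); return 0;
}
static int try_opendir(const char *path)
{
    DIR *d = opendir(path);
    if (!d) return errno;
    closedir(d); return 0;
}

/* Print prediction vs observation; return 1 when they disagree. */
static int report(const char *what, int want_ok, int err)
{
    int ok = err == 0;
    printf("%-32s predicted %-6s observed %-6s %s%s\n", what, want_ok ? "ok" : "EACCES",
           ok ? "ok" : "fail", ok ? "" : strerror(err), ok == want_ok ? "" : "<-- MISMATCH");
    return ok != want_ok;
}

int main(void)
{
    char base[64], file0[96], dir[96], inner[128];
    snprintf(base, sizeof base, "/tmp/capprobe.%ld", (long)getpid());
    snprintf(file0, sizeof file0, "%s/file0000", base);
    snprintf(dir, sizeof dir, "%s/dir0000", base);
    snprintf(inner, sizeof inner, "%s/inner0644", dir);

    /* Constructed fixtures: a mode-0000 file, and a readable file inside a
     * directory chmod'ed to 0000 after it is populated.  Mode 0000 denies the
     * owner as well, so a single unprivileged user can run this. */
    if (mkdir(base, 0700) < 0) { perror(base); return 2; }
    close(open(file0, O_WRONLY | O_CREAT, 0000));
    mkdir(dir, 0700);
    close(open(inner, O_WRONLY | O_CREAT, 0644));
    chmod(dir, 0000);

    uint64_t eff = own_cap_eff();
    printf("CapEff=%016llx dac_override=%d dac_read_search=%d\n", (unsigned long long)eff,
           has_cap(eff, CAP_DAC_OVERRIDE), has_cap(eff, CAP_DAC_READ_SEARCH));

    int bad = 0;
    bad += report("file 0000, open O_RDONLY", predicted_ok(eff, O_RDONLY), try_open(file0, O_RDONLY));
    bad += report("file 0000, open O_WRONLY", predicted_ok(eff, O_WRONLY), try_open(file0, O_WRONLY));
    bad += report("dir 0000, opendir (read)", predicted_ok(eff, O_RDONLY), try_opendir(dir));
    bad += report("file 0644 in dir 0000 (search)", predicted_ok(eff, O_RDONLY), try_open(inner, O_RDONLY));

    chmod(dir, 0700); unlink(inner); rmdir(dir); unlink(file0); rmdir(base);  /* ownership suffices */
    return bad ? 1 : 0;
}
```

With only cap_dac_read_search granted, a kernel behaving as the report describes would flag the first line as a MISMATCH (read-only open of a 0000 file denied) while the directory lines pass; a kernel behaving as the 2.6.33-rc2 test in the reply would show no mismatch. The O_WRONLY line is the control: it is predicted to fail with cap_dac_read_search alone and to pass with cap_dac_override, which is the distinction the reporter is relying on for the backup use case. Run as root (all capabilities effective) every line is predicted and observed ok, so the probe only says something when run unprivileged.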