Re: POSIX CAP_DAC_READ_SEARCH doesn't bypass file read permissions?

[Mike Kazantsev <mk.fraggod@gmail.com>]

[-- Attachment #1: Type: text/plain, Size: 2353 bytes --]

On Mon, 28 Dec 2009 10:22:05 -0600
"Serge E. Hallyn" <serue@us.ibm.com> wrote:

> > I've ran the test with 6b7b284958d47b77d06745b36bc7f36dab769d9b (tip of
> > Linus branch, tagged 2.6.33-rc2) and seeing the same results as quoted
> > below.
> > Then I checked out the tip of your branch (ea21e0baaa972aa0b4),
> 
> Oh, I don't update master on that tree, so that's actually a pretty
> old and then heavily patched tree.  My test ran on Linus' latest
> (6b7b284958d47b77d06745b36bc7f36dab769d9b) tree.

Indeed, I've tested it with v2.6.31 tag from Linus tree (which seem to
be closest to the tip of master branch of your tree) and
"/test /root/test1" works there as well.

Config: http://fraggod.net/share/config-v2.6.31


> > compiled with the same settings, rebooted VM, and it worked just as
> > it's supposed to.
> > 
> > Guess I'll try to find the relevant changes, but my experience with C
> 
> No no, that's a checkpoint/restart tree with a huge delta :)
>
> > and kernel architecture is very limited, so if you can give any hint of
> > the possible cause, I'll be grateful.
> > 
> > 
> > To clarify the situation:
> > 
> > What I'm trying to do is to bypass file read permissions with
> > CAP_DAC_READ_SEARCH capability.
> > 
> > I've ran the same test with CAP_DAC_OVERRIDE just to see if FS DAC
> > bypassing capabilities are working at all, that one does.
> 
> Can you send me your .config?  Do you have any posix acl's set?

Config: http://fraggod.net/share/config-v2.6.33-rc2

No, I don't have ACLs set for file/path and they aren't enabled on
mount, nor were they ever enabled for this filesystem at all.

Config has all devices set to virtio, so I guess it should run on any
other virtio-enabled i686 KVM virtual machine.


I've tried to disable every other FS (incl. ACL for ext4) and security
options - CONFIG_SECURITY, CONFIG_KEYS, CONFIG_SECURITY_NETWORK,
CONFIG_SECURITY_NETWORK_XFRM (CONFIG_SECURITY_FILE_CAPABILITIES=y seem
to be default for 2.6.33), but to no effect.

Tried same test for fresh-created ext4 (w/ v2.6.33-rc2), but it's the
same "permission denied".

Config: http://fraggod.net/share/config-v2.6.33-rc2-trimmed


I'll mail configs separately, since I believe the mailing list policy
is to disallow large messages.


-- 
Mike Kazantsev // fraggod.net

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 198 bytes --]