From mboxrd@z Thu Jan 1 00:00:00 1970 From: Mike Kazantsev Subject: Re: POSIX CAP_DAC_READ_SEARCH doesn't bypass file read permissions? Date: Tue, 29 Dec 2009 04:59:58 +0500 Message-ID: <20091229045958.6b44c2b0@coercion> References: <20091226233012.38d67cf5@coercion> <20091227220610.GA19083@us.ibm.com> <20091228104054.09ddce06@malediction> <20091228120352.4b893fcc@malediction> <20091228162205.GA11756@us.ibm.com> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=PGP-SHA1; boundary="Sig_/t0_uzn8ciqYeFOiELY+=ncR"; protocol="application/pgp-signature" Cc: "Serge E. Hallyn" To: linux-fsdevel@vger.kernel.org Return-path: Received: from lo.gmane.org ([80.91.229.12]:44275 "EHLO lo.gmane.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751988AbZL2AAg (ORCPT ); Mon, 28 Dec 2009 19:00:36 -0500 Received: from list by lo.gmane.org with local (Exim 4.50) id 1NPPVp-00030J-Ch for linux-fsdevel@vger.kernel.org; Tue, 29 Dec 2009 01:00:33 +0100 Received: from 91.191.238.58 ([91.191.238.58]) by main.gmane.org with esmtp (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for ; Tue, 29 Dec 2009 01:00:33 +0100 Received: from mk.fraggod by 91.191.238.58 with local (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for ; Tue, 29 Dec 2009 01:00:33 +0100 In-Reply-To: <20091228162205.GA11756@us.ibm.com> Sender: linux-fsdevel-owner@vger.kernel.org List-ID: --Sig_/t0_uzn8ciqYeFOiELY+=ncR Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: quoted-printable On Mon, 28 Dec 2009 10:22:05 -0600 "Serge E. Hallyn" wrote: > > I've ran the test with 6b7b284958d47b77d06745b36bc7f36dab769d9b (tip of > > Linus branch, tagged 2.6.33-rc2) and seeing the same results as quoted > > below. > > Then I checked out the tip of your branch (ea21e0baaa972aa0b4), >=20 > Oh, I don't update master on that tree, so that's actually a pretty > old and then heavily patched tree. My test ran on Linus' latest > (6b7b284958d47b77d06745b36bc7f36dab769d9b) tree. Indeed, I've tested it with v2.6.31 tag from Linus tree (which seem to be closest to the tip of master branch of your tree) and "/test /root/test1" works there as well. Config: http://fraggod.net/share/config-v2.6.31 > > compiled with the same settings, rebooted VM, and it worked just as > > it's supposed to. > >=20 > > Guess I'll try to find the relevant changes, but my experience with C >=20 > No no, that's a checkpoint/restart tree with a huge delta :) > > > and kernel architecture is very limited, so if you can give any hint of > > the possible cause, I'll be grateful. > >=20 > >=20 > > To clarify the situation: > >=20 > > What I'm trying to do is to bypass file read permissions with > > CAP_DAC_READ_SEARCH capability. > >=20 > > I've ran the same test with CAP_DAC_OVERRIDE just to see if FS DAC > > bypassing capabilities are working at all, that one does. >=20 > Can you send me your .config? Do you have any posix acl's set? Config: http://fraggod.net/share/config-v2.6.33-rc2 No, I don't have ACLs set for file/path and they aren't enabled on mount, nor were they ever enabled for this filesystem at all. Config has all devices set to virtio, so I guess it should run on any other virtio-enabled i686 KVM virtual machine. I've tried to disable every other FS (incl. ACL for ext4) and security options - CONFIG_SECURITY, CONFIG_KEYS, CONFIG_SECURITY_NETWORK, CONFIG_SECURITY_NETWORK_XFRM (CONFIG_SECURITY_FILE_CAPABILITIES=3Dy seem to be default for 2.6.33), but to no effect. Tried same test for fresh-created ext4 (w/ v2.6.33-rc2), but it's the same "permission denied". Config: http://fraggod.net/share/config-v2.6.33-rc2-trimmed I'll mail configs separately, since I believe the mailing list policy is to disallow large messages. --=20 Mike Kazantsev // fraggod.net --Sig_/t0_uzn8ciqYeFOiELY+=ncR Content-Type: application/pgp-signature; name=signature.asc Content-Disposition: attachment; filename=signature.asc -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.14 (GNU/Linux) iEYEARECAAYFAks5RoQACgkQASbOZpzyXnGiaQCfQPAABjD9j9+F7PPhZR9nlkIu eKUAnRFtMY4Unao039GXjpo0MQ5v8gui =en1d -----END PGP SIGNATURE----- --Sig_/t0_uzn8ciqYeFOiELY+=ncR--