* [Bug 214705] New: execve(2) omits EACCES due to capabilities
From: bugzilla-daemon @ 2021-10-13 2:36 UTC (permalink / raw)
To: linux-man
https://bugzilla.kernel.org/show_bug.cgi?id=214705
Bug ID: 214705
Summary: execve(2) omits EACCES due to capabilities
Product: Documentation
Version: unspecified
Hardware: All
OS: Linux
Status: NEW
Severity: normal
Priority: P1
Component: man-pages
Assignee: documentation_man-pages@kernel-bugs.osdl.org
Reporter: dspeyer@gmail.com
Regression: No
The man page for execve lists only 4 reasons the syscall can fail with
errno==EACCES. In fact, there is at least one more. If the binary being
executed has a setfattr'ed capability such as CAP_IPC_LOCK which is not
supported in the caller's kernel namespace (docker container), execve will fail
with this error.
I just spent a great deal of frustrating effort searching for a non-existent
ELF interpreter or mount-noexec issue because I trusted this man page.
--
You may reply to this email to add a comment.
You are receiving this mail because:
You are watching the assignee of the bug.
* [Bug 214705] execve(2) omits EACCES due to capabilities
From: bugzilla-daemon @ 2021-10-15 22:10 UTC (permalink / raw)
To: linux-man
https://bugzilla.kernel.org/show_bug.cgi?id=214705
Alejandro Colomar (man-pages) (alx.manpages@gmail.com) changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |alx.manpages@gmail.com
--- Comment #1 from Alejandro Colomar (man-pages) (alx.manpages@gmail.com) ---
Hello Daniel,
Tracking the paths that can lead to an error is difficult. Could you share the
results of your investigation? I'd like to check it in the source code.
Thanks,
Alex
* [Bug 214705] execve(2) omits EACCES due to capabilities
From: bugzilla-daemon @ 2021-10-16 18:16 UTC (permalink / raw)
To: linux-man
https://bugzilla.kernel.org/show_bug.cgi?id=214705
--- Comment #2 from Daniel Speyer (dspeyer@gmail.com) ---
dspeyer@dspeyerheim:~$ sudo docker run -it ubuntu /bin/bash
root@8b839371814b:/# apt-get update > /dev/null
root@8b839371814b:/# apt-get install libcap2-bin -y >/dev/null
debconf: delaying package configuration, since apt-utils is not installed
root@8b839371814b:/# setcap cap_ipc_lock=+eip /usr/bin/ls
root@8b839371814b:/# ls
bash: /usr/bin/ls: Operation not permitted
I've confirmed with a small C program that bash is passing on execve's
error message correctly, but copy-pasting the C program would be
inconvenient right now.
On Fri, Oct 15, 2021 at 6:10 PM <bugzilla-daemon@bugzilla.kernel.org> wrote:
> https://bugzilla.kernel.org/show_bug.cgi?id=214705
>
> Alejandro Colomar (man-pages) (alx.manpages@gmail.com) changed:
>
> What |Removed |Added
>
> ----------------------------------------------------------------------------
> CC| |alx.manpages@gmail.com
>
> --- Comment #1 from Alejandro Colomar (man-pages) (alx.manpages@gmail.com)
> ---
> Hello Daniel,
>
> Tracking the paths that can lead to an error is difficult. Could you
> share the
> results of your investigation? I'd like to check it in the source code.
>
> Thanks,
>
> Alex
>
> --
> You may reply to this email to add a comment.
>
> You are receiving this mail because:
> You reported the bug.
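
A diagnostic for the situation in the transcript above, added here as an example and not code from the reporter or the man-pages project: it parses a raw security.capability xattr value and applies the safety check that capabilities(7) describes for capability-dumb binaries. The function name, the sample xattr bytes and the sample bounding-set value are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Values from <linux/capability.h>, repeated so this builds without kernel headers. */
#define VFS_CAP_REVISION_MASK   0xFF000000u
#define VFS_CAP_REVISION_1      0x01000000u
#define VFS_CAP_REVISION_2      0x02000000u
#define VFS_CAP_REVISION_3      0x03000000u
#define VFS_CAP_FLAGS_EFFECTIVE 0x000001u
#define CAP_IPC_LOCK            14

/* Constructed sample: the xattr `setcap cap_ipc_lock=+eip` writes (revision 2). */
static const unsigned char SAMPLE_XATTR[20] = {
    0x01, 0x00, 0x00, 0x02,  0x00, 0x40, 0x00, 0x00,  0x00, 0x40, 0x00, 0x00 };
/* Constructed bounding set without CAP_IPC_LOCK (bit 14). */
#define SAMPLE_BOUNDING 0x00000000a80425fbULL

static uint32_t le32(const unsigned char *p)
{
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Returns 1 if exec would be refused, 0 if not, -1 if the xattr is malformed.
 * *missing gets the file-permitted capabilities the new process cannot obtain. */
int fcaps_blocked(const unsigned char *x, size_t len, uint64_t p_bounding,
                  uint64_t p_inheritable, uint64_t *missing)
{
    size_t words, need;
    uint64_t f_perm = 0, f_inh = 0, new_perm;
    uint32_t magic = len >= 4 ? le32(x) : 0;

    switch (magic & VFS_CAP_REVISION_MASK) {
    case VFS_CAP_REVISION_1: words = 1; need = 12; break;
    case VFS_CAP_REVISION_2: words = 2; need = 20; break;
    case VFS_CAP_REVISION_3: words = 2; need = 24; break; /* + 4-byte rootid */
    default: return -1;
    }
    if (len != need) return -1;
    for (size_t i = 0; i < words; i++) {   /* pairs of {permitted, inheritable} */
        f_perm |= (uint64_t)le32(x + 4 + 8 * i) << (32 * i);
        f_inh  |= (uint64_t)le32(x + 8 + 8 * i) << (32 * i);
    }
    /* capabilities(7): P'(permitted) = (P(inh) & F(inh)) | (F(perm) & P(bounding));
     * the ambient term is empty when the file itself carries capabilities. */
    new_perm = (f_inh & p_inheritable) | (f_perm & p_bounding);
    *missing = f_perm & ~new_perm;
    /* Only a file with the effective bit set is refused for missing caps. */
    return (*missing && (magic & VFS_CAP_FLAGS_EFFECTIVE)) ? 1 : 0;
}
```

On a live system the xattr bytes come from getxattr(2) with the name security.capability, and the bounding set from the CapBnd line of /proc/self/status.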