From: Olaf Dietsche <olaf+list.linux-kernel@olafdietsche.de>
To: Andy Lutomirski <luto@myrealbox.com>
Cc: Chris Wright <chrisw@osdl.org>,
Stephen Smalley <sds@epoch.ncsc.mil>,
Albert Cahalan <albert@users.sourceforge.net>,
Valdis.Kletnieks@vt.edu, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] scaled-back caps, take 4
Date: Sun, 23 May 2004 22:57:27 +0200 [thread overview]
Message-ID: <87pt8upmjf.fsf@goat.bogus.local> (raw)
In-Reply-To: <40B0F65F.3020706@myrealbox.com> (Andy Lutomirski's message of "Sun, 23 May 2004 12:07:11 -0700")
Andy Lutomirski <luto@myrealbox.com> writes:
> [sorry if this is a resend -- i don't think it worked the first
> time.]
>
> Olaf Dietsche wrote:
>> Andy Lutomirski <luto@myrealbox.com> writes:
>
>>>First, CAP_SETPCAP is never obtainable (by anything).
>>>Since cap_bset never has this bit set, nothing can inherit it
>>>from fP. capset_check prevents it from getting set in pI.
>> # mv /sbin/init /sbin/init.bin
>> # cat >/sbin/init
>> #! /bin/sh
>> if test $$ -eq 1; then
>> mount /proc
>> echo -1 >/proc/sys/kernel/cap-bound
>> fi
>> exec /sbin/init.bin "$@"
>> ^D
>> # chmod 755 /sbin/init
>> # reboot
>
> Wow -- I missed that. Does anyone actually do this? And is there a
> reason why it should work like this?
Because in kernel/sysctl.c:
int proc_dointvec_bset(ctl_table *table, int write, struct file *filp,
void __user *buffer, size_t *lenp)
allows init only to set cap_bset.
You can write a module to set cap_bset, of course, or patch the kernel
to define CAP_INIT_EFF_SET to ~0.
>>>cap_bprm_set_security does:
>>>fP = fI = (new_uid == 0 || new_euid == 0)
>>>fE = (new_euid == 0)
>> Only if (!issecure (SECURE_NOROOT))
>> [...]
>
> I don't see any way to change securebits.
I thought there has been a /proc way, to set securebits, but maybe I
confused this with cap_bset. Anyway, here's the easy way out:
diff -urN a/include/linux/securebits.h b/include/linux/securebits.h
--- a/include/linux/securebits.h Sat Oct 5 18:42:33 2002
+++ b/include/linux/securebits.h Sun May 23 22:38:02 2004
@@ -1,7 +1,7 @@
#ifndef _LINUX_SECUREBITS_H
#define _LINUX_SECUREBITS_H 1
-#define SECUREBITS_DEFAULT 0x00000000
+#define SECUREBITS_DEFAULT (SECURE_NO_SETUID_FIXUP | SECURE_NOROOT)
extern unsigned securebits;
>> Please, don't get me wrong. For me, it's just a matter of maintaining
>> a slightly bigger fscaps patch. But I don't think capabilities in
>> Linux are really broken, only because some proponents of SELinux claim
>> so.
>
>
> I find caps to be broken, and I don't use SELinux. I want to be able
> to run programs as non-root with limited caps, which I currently can't
> do without modifying each program to start as root, then drop caps,
> then set KEEPCAPS, then drop root. And even with that change, these
> programs can't usefully exec themselves, which could be useful.
This is, where filesystem capabilities come into play. You implemented
them yourself. Execing is still a problem, though. However, if you
activate SECURE_NO_SETUID_FIXUP this issue is gone, too.
> And no, I don't think this patch is necessary, or that it should be
> applied or used by itself. I think it makes a good starting point to
> fix caps
> (which a lot of people seem to think are broken).
Well, I know, that I don't have a strong following. :-)
Regards, Olaf.
next parent reply other threads:[~2004-05-24 2:49 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <fa.i8g63r1.9jata3@ifi.uio.no>
[not found] ` <fa.hjocttu.1cgcc3q@ifi.uio.no>
[not found] ` <40B0F65F.3020706@myrealbox.com>
2004-05-23 20:57 ` Olaf Dietsche [this message]
2004-05-24 16:55 ` [PATCH] scaled-back caps, take 4 Martin Schlemmer
[not found] <fa.id6it11.41id3h@ifi.uio.no>
[not found] ` <fa.gf5v6pu.c2mkrq@ifi.uio.no>
2004-05-17 7:19 ` Andy Lutomirski
2004-05-17 11:59 ` Stephen Smalley
[not found] <fa.dt4cg55.jnqvr5@ifi.uio.no>
2004-05-14 16:18 ` [PATCH] capabilites, take 2 Andy Lutomirski
2004-05-14 18:07 ` Chris Wright
2004-05-14 22:48 ` [PATCH] scaled-back caps, take 4 (was Re: [PATCH] capabilites, take 2) Andy Lutomirski
2004-05-15 0:06 ` [PATCH] scaled-back caps, take 4 Olaf Dietsche
2004-05-14 22:09 ` Albert Cahalan
2004-05-15 0:27 ` Chris Wright
[not found] ` <20040517231912.H21045@build.pdx.osdl.net>
2004-05-18 9:11 ` [PATCH] scaled-back caps, take 4 (was Re: [PATCH] capabilites, take 2) Andy Lutomirski
2004-05-19 1:27 ` Chris Wright
2004-05-19 1:54 ` [PATCH] scaled-back caps, take 4 Andy Lutomirski
2004-05-19 7:30 ` Chris Wright
2004-05-23 9:28 ` Andy Lutomirski
2004-05-23 18:48 ` Olaf Dietsche
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87pt8upmjf.fsf@goat.bogus.local \
--to=olaf+list.linux-kernel@olafdietsche.de \
--cc=Valdis.Kletnieks@vt.edu \
--cc=albert@users.sourceforge.net \
--cc=chrisw@osdl.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@myrealbox.com \
--cc=sds@epoch.ncsc.mil \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox