* [PATCH] sysctl: permission check based on capability not euid
From: Stephen Hemminger @ 2008-05-28 19:12 UTC (permalink / raw)
  To: Andrew Morton, Chris Wright; +Cc: linux-kernel, netdev

This patch modifies the permission checks for sysctls from being based on uid=0 (root)
to use the capability system. This matches the behavior of other OSes using sysctls
and capabilities. Linux has tried to get away from using uid=0 for security overrides
and use capabilities instead.

I was working on a Quagga enhancement that involved enabling a sysctl, and it didn't
work because it is a safe daemon and drops privileges and resets its real/effective uid
after initialization; it then re-enables only the capabilities when it needs to
do some privileged operation. This wouldn't work because sysctls were still using
the root-based permission check. The existing code in Quagga to enable IP forwarding
doesn't work for the same reason.

Signed-off-by: Stephen Hemminger <shemminger@vyatta.com>

---
Maybe once the BKL is gone, the last vestiges of current->euid == 0 can be wiped out
as well.

--- a/include/linux/capability.h	2008-05-27 17:33:02.000000000 -0700
+++ b/include/linux/capability.h	2008-05-27 17:33:27.000000000 -0700
@@ -261,6 +261,7 @@ typedef struct kernel_cap_struct {
    arbitrary SCSI commands */
 /* Allow setting encryption key on loopback filesystem */
 /* Allow setting zone reclaim policy */
+/* Allow setting any sysctl value */
 
 #define CAP_SYS_ADMIN        21
 
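Review bot: The comment added under CAP_SYS_ADMIN reads "Allow setting any sysctl value", but the sysctl.c hunk grants the holder the owner permission bits (mode >>= 6) for every operation, so the capability also governs reading entries whose mode denies other users. Suggest wording it as "Allow owner-level access to any sysctl" or similar, and if the check is later split per subtree (the reply questions CAP_SYS_ADMIN for net.*), document the capability in each relevant block rather than only here.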
--- a/kernel/sysctl.c	2008-05-27 17:32:33.000000000 -0700
+++ b/kernel/sysctl.c	2008-05-27 17:32:46.000000000 -0700
@@ -1561,7 +1561,7 @@ out:
 
 static int test_perm(int mode, int op)
 {
-	if (!current->euid)
+	if (capable(CAP_SYS_ADMIN))
 		mode >>= 6;
 	else if (in_egroup_p(0))
 		mode >>= 3;
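Review bot: Replacing the euid test with a single global CAP_SYS_ADMIN check for every sysctl tree is a poor fit for net.*, where a daemon holding only a network-specific capability such as CAP_NET_ADMIN would still be refused; consider deriving the required capability from the table or subtree being accessed instead of hard-coding CAP_SYS_ADMIN. Two further points on this hunk: the `in_egroup_p(0)` branch remains keyed on gid 0, so the move away from identity-based checks described in the commit message is only half done; and a euid-0 task whose effective set lacks CAP_SYS_ADMIN now falls through to the group/other bits, which is a behaviour change that should be called out in the commit message.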

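To make the difference between the two checks concrete, here is a small user-space model of test_perm() written for this page; it is added example code, not part of the patch, Quagga, or the kernel. It reproduces the lines shown in the hunk (euid test versus capable() test, then the group-0 fallback) and assumes the check ends with the usual owner/group/other bit comparison, which the patch does not show. The credential struct, the MODEL_ prefixed names, and the scenario values (uid 1000 daemon, mode 0644 entry) are all constructed for the demonstration; only CAP_SYS_ADMIN = 21 comes from the patch.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed credential model; stands in for current->euid, in_egroup_p()
 * and the effective capability set. Not the kernel's data structures. */
struct model_cred {
    unsigned int euid;       /* effective uid */
    bool in_group_0;         /* stands in for in_egroup_p(0) */
    uint64_t cap_effective;  /* effective capability bitmask */
};

#define MODEL_CAP_SYS_ADMIN 21u                  /* value from the patch */
#define MODEL_CAP_BIT(cap)  (UINT64_C(1) << (cap))

/* Operation bits matched against the entry's mode, as in the hunk's
 * "mode & op & 0007" style check (values assumed for the model). */
enum { MODEL_MAY_EXEC = 1, MODEL_MAY_WRITE = 2, MODEL_MAY_READ = 4 };

/* Stand-in for capable(): is the bit present in the effective set? */
static bool model_capable(const struct model_cred *c, unsigned int cap)
{
    return (c->cap_effective & MODEL_CAP_BIT(cap)) != 0;
}

/* Assumed tail of test_perm(): after shifting the mode down to the
 * caller's class, every requested op bit must be present. */
static int finish_perm(int mode, int op)
{
    if ((mode & op & 0007) == op)
        return 0;
    return -EACCES;
}

/* Before the patch: owner bits only when euid is 0. */
static int test_perm_euid(const struct model_cred *c, int mode, int op)
{
    if (c->euid == 0)
        mode >>= 6;
    else if (c->in_group_0)
        mode >>= 3;
    return finish_perm(mode, op);
}

/* After the patch: owner bits for any task holding CAP_SYS_ADMIN. */
static int test_perm_cap(const struct model_cred *c, int mode, int op)
{
    if (model_capable(c, MODEL_CAP_SYS_ADMIN))
        mode >>= 6;
    else if (c->in_group_0)
        mode >>= 3;
    return finish_perm(mode, op);
}

/* Evaluate one access under either variant. Returns 0 or -EACCES. */
int model_sysctl_access(bool use_capability_check, unsigned int euid,
                        bool in_group_0, bool has_sys_admin, int mode, int op)
{
    struct model_cred c = {
        .euid = euid,
        .in_group_0 = in_group_0,
        .cap_effective = has_sys_admin ? MODEL_CAP_BIT(MODEL_CAP_SYS_ADMIN) : 0,
    };
    return use_capability_check ? test_perm_cap(&c, mode, op)
                                : test_perm_euid(&c, mode, op);
}

int main(void)
{
    /* Constructed scenarios against a root-owned 0644 sysctl entry. */
    struct { const char *who; unsigned int euid; bool grp0; bool cap; int op; } s[] = {
        { "daemon uid 1000 keeping CAP_SYS_ADMIN, write", 1000, false, true,  MODEL_MAY_WRITE },
        { "plain root, write",                             0,    false, true,  MODEL_MAY_WRITE },
        { "root without CAP_SYS_ADMIN, write",             0,    false, false, MODEL_MAY_WRITE },
        { "unprivileged user, read",                       1000, false, false, MODEL_MAY_READ  },
        { "unprivileged user, write",                      1000, false, false, MODEL_MAY_WRITE },
    };
    for (size_t i = 0; i < sizeof s / sizeof s[0]; i++) {
        int before = model_sysctl_access(false, s[i].euid, s[i].grp0, s[i].cap, 0644, s[i].op);
        int after  = model_sysctl_access(true,  s[i].euid, s[i].grp0, s[i].cap, 0644, s[i].op);
        printf("%-48s before: %-8s after: %s\n", s[i].who,
               before == 0 ? "allowed" : "EACCES", after == 0 ? "allowed" : "EACCES");
    }
    return 0;
}
```

The first row is the case from the commit message: the daemon has reset its uid but kept CAP_SYS_ADMIN, so the euid-based check refuses the write while the capability-based one permits it. The third row shows the flip side a reviewer would want documented: a euid-0 task that has dropped CAP_SYS_ADMIN loses owner access after the patch.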

* Re: [PATCH] sysctl: permission check based on capability not euid
From: Chris Wright @ 2008-05-28 20:14 UTC (permalink / raw)
  To: Stephen Hemminger; +Cc: Andrew Morton, Chris Wright, linux-kernel, netdev

* Stephen Hemminger (stephen.hemminger@vyatta.com) wrote:
> This patch modifies the permission checks for sysctls from being based on uid=0 (root)
> to use the capability system. This matches the behavior of other OSes using sysctls
> and capabilities. Linux has tried to get away from using uid=0 for security overrides
> and use capabilities instead.
> 
> I was working on a Quagga enhancement that involved enabling a sysctl, and it didn't
> work because it is a safe daemon and drops privileges and resets its real/effective uid
> after initialization; it then re-enables only the capabilities when it needs to
> do some privileged operation. This wouldn't work because sysctls were still using
> the root-based permission check. The existing code in Quagga to enable IP forwarding
> doesn't work for the same reason.

I don't think CAP_SYS_ADMIN makes sense for net.*, for example.
