| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 18 Apr 2011 10:20:43 +0900
From: crocket <crockabiscuit@...il.com>
To: linux-kernel@...r.kernel.org
Subject: Re: Linux capabilities shouldn't be lost during setuid to non-root
from root or to another non-root uid from a non-root uid.
prctl(PR_SET_KEEPCAPS, 1) didn't work since, during setuid to
non-root, effective bit was lost.
Please refer to "man prctl".
I don't know what would happen when I run OpenVPN as non-root with
cap_setuid, cap_setgid, cap_sys_admin.
I guess OpenVPN woull fail to generate tun0 interface if it's run as root.
However, I need to test it to be sure.
On Mon, Apr 18, 2011 at 3:07 AM, Serge E. Hallyn <serge@...lyn.com> wrote:
> You need
>
> prctl(PR_SET_KEEPCAPS, 1);
>
> man prctl for details. In particular, see the following example:
>
> #include <stdio.h>
> #include <sys/prctl.h>
> #include <sys/capability.h>
>
> int main()
> {
> cap_t c;
> c = cap_get_proc();
> printf("uid %d, current caps: %s\n", getuid(), cap_to_text(c, NULL));
> cap_free(c);
> prctl(PR_SET_KEEPCAPS, 1);
> setuid(1001, 1001, 1001);
> c = cap_get_proc();
> printf("uid %d, current caps: %s\n", getuid(), cap_to_text(c, NULL));
> cap_free(c);
> }
>
> You can either run that as root, or you can do
>
> sudo setcap cap_setuid,cap_setgid,cap_sys_admin=eip captest
>
> and then run it as non-root.
>
> HTH,
> -serge
>
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists