lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Tue, 25 Jul 2006 13:47:19 -0500
From:	"Serge E. Hallyn" <serue@...ibm.com>
To:	Frank v Waveren <fvw@....cx>
Cc:	linux-kernel@...r.kernel.org
Subject: Re: linux capabilities oddity

Quoting Frank v Waveren (fvw@....cx):
> I sent this to linux-privs-discuss, but that list appears to be dead.
> Perhaps someone here can help me?
> 
> 
> While debugging an odd problem where /proc/sys/kernel/cap-bound wasn't
> working, I came across the following code at
> linux-2.6.x/security/commoncap.c:140:
> 
>    void cap_bprm_apply_creds (struct linux_binprm *bprm, int unsafe)
>    {
>            /* Derived from fs/exec.c:compute_creds. */
>            kernel_cap_t new_permitted, working;
> 
>            new_permitted = cap_intersect (bprm->cap_permitted, cap_bset);
>            working = cap_intersect (bprm->cap_inheritable,
>                                     current->cap_inheritable);
>            new_permitted = cap_combine (new_permitted, working);
>            ...
> 
> Here the new permitted set gets limited to the bits in cap_bset, which
> is as it should be, but then the intersection of the of the current
> and exec inheritable masks get added to that set, whereas as I
> understand it, cap_bset should always be the bounding set.
>            
> This triggered a problem where the /sbin/init on a gentoo install disk
> (which I was using as an quick&dirty UML root disk for testing) for
> some reason did something to set its inheritable mask to ~0, which
> then propagated to all the processes that ran as root, which meant
> that the cap bound didn't apply to them.
> 
> I took out the cap_combine and didn't notice any ill effects on some
> quick tests, though I don't know POSIX capabilities well enough to say
> all the behaviour was per the standard. If someone could tell me what
> those lines are for, and if its foiling of cap-bound limits is on
> purpose, I'd be most grateful.

Actually going by the faq
(http://ftp.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.4/capfaq-0.2.txt)
it seems like the cap_intersect with current->cap_inheritable is *too*
limiting.  I haven't checked what the posix draft actually says, but the
bprm->cap_inheritable is called the 'forced' set, and is supposed to be
like setuid.

I suspect the reason why removing the cap_combine worked for you is
because when the file is setuid 0, the bprm->cap_permitted is also set
full on.  For people actually using one of the patches implementing
filesystem capabilities, I think you might in fact change behavior.

-serge
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ