| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20071114101251.a1f6214d.chris@friedhoff.org> Date: Wed, 14 Nov 2007 10:12:51 +0100 From: Chris Friedhoff <chris@...edhoff.org> To: "Serge E. Hallyn" <sergeh@...ibm.com> Cc: "chris@...edhoff.org" <chris@...edhoff.org>, "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org> Subject: Re: Posix file capabilities in 2.6.24rc2 Hello Serge, I wanted only to express what I observed. A "yes it should" confirms its ok. And yes, I haven't looked into the patches and the name and commentary of file-capabilities-clear-fcaps-on-inode-change.patch explains this already. I'm preparing to update my page http://www.friedhoff.org/fscaps.html for 2.6.24, and I also want to explain what one has to take into account or be beware off. If I stumble about this, I think others will also (imho). I have written a script to change suid binaries and servers, automating the examples I give on the webpage. In the sequence of commands I was setting fscaps and than chown the binary. Now with the aforementioned patch the fscaps are removed when I chown and the script wasn't working anymore. My point is not my script, it's being surprised and being a bit at a loss. Documenting this helps to clarify things and users to adopt this feature. The matter with "xinit: Operation not permitted..." happens, when I (unprivileged user) close a from a console started X session. Similar to Andrew Morton'S http://lkml.org/lkml/2006/11/23/15 . The 2.6.24-rc2 kernel has capabilties enabled but /usr/bin/xinit has no capabilities set. It remains the black screen with a cursor, the windowmanager is closed. Is this known? Is this a problem? Does anyone else observes this? As far as I understand, I dont have to grant / to use capabilities even when the kernel has capabilities enabled. Chris On Tue, 13 Nov 2007 17:53:18 -0600 "Serge E. Hallyn" <sergeh@...ibm.com> wrote: > Quoting Chris Friedhoff (chris@...edhoff.org): > > Hello, > > > > everything works as expected, but ... > > > > closing X and no capabilities set for xinit does shutdown only the > > windowmanager and not the X server (Xorg server 1.4) > > Consolemessage is: > > xinit: Operation not permitted (errno 1): Can't kill X server > > > > > > the xattr capability is removed, when the file is chown'ed. > > Hi Chris, > > yes on chown the capability is removed. I'm not quite sure what > you're asking? Is your setup depending on being able to chown > while keeping file capabilities? Can you give some more details? > > thanks, > -serge -------------------- Chris Friedhoff chris@...edhoff.org - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists