lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:	Sat, 01 Dec 2007 10:20:21 +0900
From:	KaiGai Kohei <>
To:	"Serge E. Hallyn" <>
CC:	lkml <>,,
	Andrew Morgan <>,
	Chris Wright <>,
	Stephen Smalley <>,
	James Morris <>, Andrew Morton <>
Subject: Re: [PATCH] capabilities: introduce per-process capability bounding
 set (v10)

Serge E. Hallyn wrote:
> The capability bounding set is a set beyond which capabilities
> cannot grow.  Currently cap_bset is per-system.  It can be
> manipulated through sysctl, but only init can add capabilities.
> Root can remove capabilities.  By default it includes all caps
> except CAP_SETPCAP.


This feature makes me being interested in.
I think you intend to apply this feature for the primary process
of security container.
However, it is also worthwhile to apply when a session is starting up.

The following PAM module enables to drop capability bounding bit
specified by the fifth field in /etc/passwd entry.
This code is just an example now, but considerable feature.

build and install:
# gcc -Wall -c pam_cap_drop.c
# gcc -Wall -shared -Xlinker -x -o pam_cap_drop.o -lpam
# cp /lib/security

modify /etc/passwd as follows:

[kaigai@...u ~]$ ping
PING ( 56(84) bytes of data.
64 bytes from icmp_seq=1 ttl=64 time=1.23 ms
64 bytes from icmp_seq=2 ttl=64 time=1.02 ms

--- ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 1.023/1.130/1.237/0.107 ms

[kaigai@...u ~]$ ssh tak@...alhost
tak@...alhost's password:
Last login: Sat Dec  1 10:09:29 2007 from
[tak@...u ~]$ export LANG=C
[tak@...u ~]$ ping
ping: icmp open socket: Operation not permitted

[tak@...u ~]$ su
pam_cap_bset[6921]: user root does not have 'cap_drop=' property
[root@...u tak]# cat /proc/self/status | grep ^Cap
CapInh: 0000000000000000
CapPrm: 00000000ffffdffe
CapEff: 00000000ffffdffe
[root@...u tak]#

# BTW, I replaced the James's address in the Cc: list,
# because MTA does not accept it.
KaiGai Kohei <>


 * pam_cap_drop.c module -- drop capabilities bounding set
 * Copyright: 2007 KaiGai Kohei <>

#include <errno.h>
#include <pwd.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>
#include <sys/prctl.h>
#include <sys/types.h>

#include <security/pam_modules.h>

#define PR_CAPBSET_DROP 24

static char *captable[] = {

pam_sm_open_session(pam_handle_t *pamh, int flags,
                    int argc, const char **argv)
	struct passwd *pwd;
	char *pos, *buf;
	char *username = NULL;

	/* open system logger */
	openlog("pam_cap_bset", LOG_PERROR | LOG_PID, LOG_AUTHPRIV);

	/* get the unix username */
	if (pam_get_item(pamh, PAM_USER, (void *) &username) != PAM_SUCCESS || !username)

	/* get the passwd entry */
	pwd = getpwnam(username);
	if (!pwd)

	/* Is there "cap_drop=" ? */
	pos = strstr(pwd->pw_gecos, "cap_drop=");
	if (pos) {
		buf = strdup(pos + sizeof("cap_drop=") - 1);
		if (!buf)
			return PAM_SESSION_ERR;
		pos = strtok(buf, ",");
		while (pos) {
			int rc, i;

			for (i=0; captable[i]; i++) {
				if (!strcmp(pos, captable[i])) {
					rc = prctl(PR_CAPBSET_DROP, i);
					if (rc < 0) {
						syslog(LOG_NOTICE, "user %s could not drop %s (%s)",
						       username, captable[i], strerror(errno));
					syslog(LOG_NOTICE, "user %s drops %s\n", username, captable[i]);
					goto next;
			pos = strtok(NULL, ",");
	} else {
		syslog(LOG_NOTICE, "user %s does not have 'cap_drop=' property", username);
	return PAM_SUCCESS;

pam_sm_close_session(pam_handle_t *pamh, int flags,
                     int argc, const char **argv)
	/* do nothing */
	return PAM_SUCCESS;

To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to
More majordomo info at
Please read the FAQ at

Powered by blists - more mailing lists