[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <480B4E87.4020709@unsolicited.net>
Date: Sun, 20 Apr 2008 15:09:11 +0100
From: David <david@...olicited.net>
To: Mike Galbraith <efault@....de>,
Linux Kernel Mailing List <linux-kernel@...r.kernel.org>
Subject: Re: 2.6.25 Kernel - Problems with capabilities
Mike Galbraith wrote:
> On Sat, 2008-04-19 at 19:43 +0100, David wrote:
>
>> I'm wondering if anyone might be able to help with a capability problem
>> I've noticed with .25 My ntp daemon will no longer run as any non-root
>> user, and after some investigation it seems that calls to prctl() are
>> failing.
>>
>> CONFIG_SECURITY_CAPABILITIES=y , so this should work?
>>
>> System is 32 bit x86 based on a venerable SuSE 9.1 distro.
>>
>> Full .config is attached.
>>
>> Thanks
>> David
>>
>>
>>
>
> FWIW, ntpd runs just fine here as user ntp on both my P4 and Q6600 boxen
> with opensuse 10.3.
>
> marge:..tmp/linux-2.6.25 # grep SECUR .config
> CONFIG_EXT2_FS_SECURITY=y
> CONFIG_EXT3_FS_SECURITY=y
> CONFIG_EXT4DEV_FS_SECURITY=y
> CONFIG_SECURITY=y
> CONFIG_SECURITY_NETWORK=y
> CONFIG_SECURITY_NETWORK_XFRM=y
> CONFIG_SECURITY_CAPABILITIES=y
> CONFIG_SECURITY_FILE_CAPABILITIES=y
> CONFIG_SECURITY_DEFAULT_MMAP_MIN_ADDR=0
> # CONFIG_SECURITY_SELINUX is not set
> marge:..tmp/linux-2.6.25 # grep SECUR /xx
> CONFIG_EXT2_FS_SECURITY=y
> CONFIG_EXT3_FS_SECURITY=y
> CONFIG_REISERFS_FS_SECURITY=y
> # CONFIG_XFS_SECURITY is not set
> CONFIG_SECURITY=y
> CONFIG_SECURITY_NETWORK=y
> # CONFIG_SECURITY_NETWORK_XFRM is not set
> CONFIG_SECURITY_CAPABILITIES=y
> # CONFIG_SECURITY_FILE_CAPABILITIES is not set
> # CONFIG_SECURITY_ROOTPLUG is not set
> CONFIG_SECURITY_DEFAULT_MMAP_MIN_ADDR=0
>
> I notice I have CONFIG_SECURITY_FILE_CAPABILITIES set, and you don't. I
> have not even the foggiest clue whether that has anything to do with the
> price of tea in china though :)
>
I've just set
CONFIG_SECURITY_FILE_CAPABILITIES=y
CONFIG_SECURITY_NETWORK_XFRM=y
to no avail.. I still get
20 Apr 15:04:20 ntpd[15694]: cap_set_proc() failed to drop root
privileges: Invalid argument
after rebuild & reboot. No massive deal, I'll just run ntpd as root for
now, but there's definitely something funny going on.
Cheers
David
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists