works perfectly ... thanks. I updated my documentation accordingly:
http://www.friedhoff.org/posixfilecaps.html

Cheers
Chris

On Mon, 24 Dec 2007 21:25:57 -0800
Andrew Morgan <[EMAIL PROTECTED]> wrote:

> Please try:
>
> 912c5acc280353540a3a6ece068c232d40f40534  libcap-2.03.tar.gz
>
> Cheers
>
> Andrew
>
> Chris Friedhoff wrote:
> > Thank you for the answer.
> >
> > I was reading the mails on lsm, but it wasn't obvious to me that right
> > now libcap-2.0 is for 64-bit capabilities, which are currently only in
> > -mm.
> >
> > I personally find the situation right now a little bit unfortunate.
> > During the holidays - I can imagine - quite a few people like to try new
> > features in anticipation of the 2.6.24 release.
> > libcap-2.x is for 64-bit caps, which are now only in 2.6.24-rc5-mm1,
> > and libcap-1.0, which works for 2.6.24-rc5/6, is not accessible.
> >
> > BTW your article got slashdotted:
> > http://linux.slashdot.org/article.pl?sid=07/12/22/209212
> >
> > ... and have a nice Christmas
> >
> > Chris
> >
> > On Sun, 23 Dec 2007 17:24:50 -0600
> > [EMAIL PROTECTED] wrote:
> >
> >> libcap-2.0 is for 64-bit capabilities which are currently
> >> only in -mm. So switch your kernel to 2.6.24-rc5-mm1, or
> >> use the latest libcap-1.x.
> >>
> >> I actually confused myself the same way two weeks ago or
> >> so :)
> >>
> >> It almost seems worth it to have libcap-2.x use 32-bit file
> >> capabilities so long as no capabilities above 31 need to
> >> be set, just to avoid gratuitous headaches until 2.6.25.
> >> Andrew, what do you think?
> >>
> >> -serge
> >>
> >> Quoting Chris Friedhoff ([EMAIL PROTECTED]):
> >>> Hello,
> >>>
> >>> I'm (still) updating my documentation on
> >>> http://www.friedhoff.org/fscaps.html.
> >>>
> >>> I just learned that KaiGai has taken his userspace tools offline and
> >>> Andrew's tools are updated and are now the preferred ones.
> >>>
> >>> But I have a problem ...
> >>>
> >>> I tried it with 2.6.24-rc5 and 2.6.24-rc6 and with libcap 2.00, 2.01,
> >>> 20071203 (newest in git) on a 32-bit system.
> >>>
> >>> setcap sets, according to attr, the capability attribute with 20 bytes,
> >>> whereas setfcaps sets a 12-byte value.
> >>> getcap can read the value set by setfcaps but not the one set by setcap.
> >>> Executing a binary "capability enabled" by setcap gives an "Invalid
> >>> argument" error.
> >>> What am I missing?
> >>>
> >>> Thanks
> >>> Chris
> >>>
> >>>
> >>> Commands executed on a shell:
> >>> -----------------------------
> >>>
> >>> When I try to set a capability:
> >>> -------------------------------
> >>>
> >>> $ sudo libcap-2.01/progs/setcap cap_net_raw=ep ping
> >>> $ echo $?
> >>> 0
> >>> I get:
> >>> $ attr -l ping
> >>> Attribute "capability" has a 20 byte value for ping
> >>> $ libcap-2.01/progs/getcap ping
> >>> Failed to get capabilities for file `ping' (Invalid argument)
> >>> $ ./ping localhost
> >>> bash: ./ping: Invalid argument
> >>>
> >>> But when I use KaiGai's tool:
> >>> -----------------------------
> >>>
> >>> $ sudo setfcaps -c cap_net_raw=p -e ping
> >>> $ attr -l ping
> >>> Attribute "capability" has a 12 byte value for ping
> >>> $ libcap-2.01/progs/getcap ping
> >>> $ ./ping localhost (works also)
> >>>
> >>>
> >>> strace outputs:
> >>> ---------------
> >>>
> >>> strace output without needed privileges
> >>> ---------------------------------------
> >>>
> >>> $ ls -l libcap-2.01/progs/setcap
> >>> -rwxr-xr-x 1 chris users 611672 Dec 23 14:02 libcap-2.01/progs/setcap
> >>> $
> >>> $ strace libcap-2.01/progs/setcap cap_net_raw=ep ping
> >>> execve("libcap-2.01/progs/setcap", ["libcap-2.01/progs/setcap", "cap_net_raw=ep", "ping"], [/* 55 vars */]) = 0
> >>> uname({sys="Linux", node="apollo", ...}) = 0
> >>> brk(0) = 0x80ca000
> >>> brk(0x80cacb0) = 0x80cacb0
> >>> set_thread_area({entry_number:-1 -> 6, base_addr:0x80ca830, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0
> >>> brk(0x80ebcb0) = 0x80ebcb0
> >>> brk(0x80ec000) = 0x80ec000
> >>> capget(0x19980330, 0, NULL) = -1 EINVAL (Invalid argument)
> >>> capget(0x19980330, 0, {0, 0, 0}) = 0
> >>> capset(0x19980330, 0, {0x80000000 /* CAP_??? */, 0, 0}) = -1 EPERM (Operation not permitted)
> >>> dup(2) = 3
> >>> fcntl64(3, F_GETFL) = 0x2 (flags O_RDWR)
> >>> fstat64(3, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 1), ...}) = 0
> >>> mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f14000
> >>> _llseek(3, 0, 0xbff51724, SEEK_CUR) = -1 ESPIPE (Illegal seek)
> >>> write(3, "unable to set CAP_SETFCAP effect"..., 72unable to set CAP_SETFCAP effective capability: Operation not permitted
> >>> ) = 72
> >>> close(3) = 0
> >>> munmap(0xb7f14000, 4096) = 0
> >>> brk(0x80eb000) = 0x80eb000
> >>> exit_group(1) = ?
> >>> Process 3718 detached
> >>>
> >>>
> >>> strace output with root owned suid bit binary
> >>> ---------------------------------------------
> >>> -rwsr-xr-x 1 root root 611672 Dec 23 14:02 libcap-2.01/progs/setcap*
> >>> $
> >>> $ strace libcap-2.01/progs/setcap cap_net_raw=ep ping
> >>> execve("libcap-2.01/progs/setcap", ["libcap-2.01/progs/setcap", "cap_net_raw=ep", "ping"], [/* 55 vars */]) = 0
> >>> uname({sys="Linux", node="apollo", ...}) = 0
> >>> brk(0) = 0x80ca000
> >>> brk(0x80cacb0) = 0x80cacb0
> >>> set_thread_area({entry_number:-1 -> 6, base_addr:0x80ca830, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0
> >>> brk(0x80ebcb0) = 0x80ebcb0
> >>> brk(0x80ec000) = 0x80ec000
> >>> access("/etc/suid-debug", F_OK) = -1 ENOENT (No such file or directory)
> >>> fcntl64(0, F_GETFD) = 0
> >>> fcntl64(1, F_GETFD) = 0
> >>> fcntl64(2, F_GETFD) = 0
> >>> capget(0x19980330, 0, NULL) = -1 EINVAL (Invalid argument)
> >>> capget(0x19980330, 0, {0, 0, 0}) = 0
> >>> capset(0x19980330, 0, {0x80000000 /* CAP_??? */, 0, 0}) = -1 EPERM (Operation not permitted)
> >>> dup(2) = 3
> >>> fcntl64(3, F_GETFL) = 0x2 (flags O_RDWR)
> >>> fstat64(3, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 1), ...}) = 0
> >>> mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f99000
> >>> _llseek(3, 0, 0xbf9b0984, SEEK_CUR) = -1 ESPIPE (Illegal seek)
> >>> write(3, "unable to set CAP_SETFCAP effect"..., 72unable to set CAP_SETFCAP effective capability: Operation not permitted
> >>> ) = 72
> >>> close(3) = 0
> >>> munmap(0xb7f99000, 4096) = 0
> >>> brk(0x80eb000) = 0x80eb000
> >>> exit_group(1) = ?
> >>> Process 3724 detached
> >>>
> >>>
> >>> and the same as root
> >>> --------------------
> >>> strace libcap-2.01/progs/setcap cap_net_raw=ep ping
> >>> execve("libcap-2.01/progs/setcap", ["libcap-2.01/progs/setcap", "cap_net_raw=ep", "ping"], [/* 55 vars */]) = 0
> >>> uname({sys="Linux", node="apollo", ...}) = 0
> >>> brk(0) = 0x80ca000
> >>> brk(0x80cacb0) = 0x80cacb0
> >>> set_thread_area({entry_number:-1 -> 6, base_addr:0x80ca830, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0
> >>> brk(0x80ebcb0) = 0x80ebcb0
> >>> brk(0x80ec000) = 0x80ec000
> >>> capget(0x19980330, 0, NULL) = -1 EINVAL (Invalid argument)
> >>> capget(0x19980330, 0, {CAP_CHOWN|CAP_DAC_OVERRIDE|CAP_DAC_READ_SEARCH|CAP_FOWNER|CAP_FSETID|CAP_KILL|CAP_SETGID|CAP_SETUID|CAP_SETPCAP|CAP_LINUX_IMMUTABLE|CAP_NET_BIND_SERVICE|CAP_NET_BROADCAST|CAP_NET_ADMIN|CAP_NET_RAW|CAP_IPC_LOCK|CAP_IPC_OWNER|CAP_SYS_MODULE|CAP_SYS_RAWIO|CAP_SYS_CHROOT|CAP_SYS_PTRACE|CAP_SYS_PACCT|CAP_SYS_ADMIN|CAP_SYS_BOOT|CAP_SYS_NICE|CAP_SYS_RESOURCE|CAP_SYS_TIME|CAP_SYS_TTY_CONFIG|0xf8000000, CAP_CHOWN|CAP_DAC_OVERRIDE|CAP_DAC_READ_SEARCH|CAP_FOWNER|CAP_FSETID|CAP_KILL|CAP_SETGID|CAP_SETUID|CAP_SETPCAP|CAP_LINUX_IMMUTABLE|CAP_NET_BIND_SERVICE|CAP_NET_BROADCAST|CAP_NET_ADMIN|CAP_NET_RAW|CAP_IPC_LOCK|CAP_IPC_OWNER|CAP_SYS_MODULE|CAP_SYS_RAWIO|CAP_SYS_CHROOT|CAP_SYS_PTRACE|CAP_SYS_PACCT|CAP_SYS_ADMIN|CAP_SYS_BOOT|CAP_SYS_NICE|CAP_SYS_RESOURCE|CAP_SYS_TIME|CAP_SYS_TTY_CONFIG|0xf8000000, 0}) = 0
> >>> capset(0x19980330, 0, {CAP_CHOWN|CAP_DAC_OVERRIDE|CAP_DAC_READ_SEARCH|CAP_FOWNER|CAP_FSETID|CAP_KILL|CAP_SETGID|CAP_SETUID|CAP_SETPCAP|CAP_LINUX_IMMUTABLE|CAP_NET_BIND_SERVICE|CAP_NET_BROADCAST|CAP_NET_ADMIN|CAP_NET_RAW|CAP_IPC_LOCK|CAP_IPC_OWNER|CAP_SYS_MODULE|CAP_SYS_RAWIO|CAP_SYS_CHROOT|CAP_SYS_PTRACE|CAP_SYS_PACCT|CAP_SYS_ADMIN|CAP_SYS_BOOT|CAP_SYS_NICE|CAP_SYS_RESOURCE|CAP_SYS_TIME|CAP_SYS_TTY_CONFIG|0xf8000000, CAP_CHOWN|CAP_DAC_OVERRIDE|CAP_DAC_READ_SEARCH|CAP_FOWNER|CAP_FSETID|CAP_KILL|CAP_SETGID|CAP_SETUID|CAP_SETPCAP|CAP_LINUX_IMMUTABLE|CAP_NET_BIND_SERVICE|CAP_NET_BROADCAST|CAP_NET_ADMIN|CAP_NET_RAW|CAP_IPC_LOCK|CAP_IPC_OWNER|CAP_SYS_MODULE|CAP_SYS_RAWIO|CAP_SYS_CHROOT|CAP_SYS_PTRACE|CAP_SYS_PACCT|CAP_SYS_ADMIN|CAP_SYS_BOOT|CAP_SYS_NICE|CAP_SYS_RESOURCE|CAP_SYS_TIME|CAP_SYS_TTY_CONFIG|0xf8000000, 0}) = 0
> >>> capget(0x19980330, 0, NULL) = -1 EINVAL (Invalid argument)
> >>> setxattr("ping", "security.capability", "\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1aW\xe4\xbf", 20, 0) = 0
> >>> exit_group(0) = ?
> >>> Process 3727 detached
> >>>
> >>>
> >>> --------------------
> >>> Chris Friedhoff
> >>> [EMAIL PROTECTED]
> >>> -
> >>> To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
> >>> the body of a message to [EMAIL PROTECTED]
> >>> More majordomo info at http://vger.kernel.org/majordomo-info.html
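The 12-byte versus 20-byte attribute at the heart of this thread is the on-disk `security.capability` layout: revision 1 carries one 32-bit permitted/inheritable word pair, revision 2 carries two pairs for 64-bit capability sets, and the kernel refuses (EINVAL) a value whose length does not match the revision in its first word. The following is an added example, not code from the thread or from libcap, that encodes and decodes both layouts with the constants from the kernel's linux/capability.h; the sample values are constructed here for cap_net_raw=ep.

```python
import struct

# Constants from the kernel's linux/capability.h.
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x000001
VFS_CAP_REVISION_1 = 0x01000000   # 32-bit capability sets, 12-byte value (2.6.24)
VFS_CAP_REVISION_2 = 0x02000000   # 64-bit capability sets, 20-byte value (-mm at the time)
XATTR_CAPS_SZ = {VFS_CAP_REVISION_1: 12, VFS_CAP_REVISION_2: 20}
CAP_NET_RAW = 13


def parse_vfs_cap_data(raw):
    """Decode a security.capability value to (revision, effective, permitted, inheritable).

    Raises ValueError when the length disagrees with the revision in magic_etc,
    the same mismatch the kernel reports as EINVAL when it reads the attribute.
    """
    if len(raw) < 4:
        raise ValueError("too short for magic_etc")
    magic_etc = struct.unpack_from("<I", raw, 0)[0]      # little-endian __le32
    revision = magic_etc & VFS_CAP_REVISION_MASK
    expected = XATTR_CAPS_SZ.get(revision)
    if expected is None:
        raise ValueError("unknown revision 0x%08x" % revision)
    if len(raw) != expected:
        raise ValueError("revision 0x%08x needs %d bytes, got %d" % (revision, expected, len(raw)))
    words = struct.unpack_from("<%dI" % ((expected - 4) // 4), raw, 4)
    permitted = inheritable = 0
    for i in range(0, len(words), 2):   # data[n] = {permitted, inheritable}, low word first
        permitted |= words[i] << (32 * (i // 2))
        inheritable |= words[i + 1] << (32 * (i // 2))
    return revision, bool(magic_etc & VFS_CAP_FLAGS_EFFECTIVE), permitted, inheritable


def build_vfs_cap_data(revision, permitted, inheritable, effective):
    """Inverse of parse_vfs_cap_data: encode the on-disk layout for one revision."""
    pairs = (XATTR_CAPS_SZ[revision] - 4) // 8
    magic_etc = revision | (VFS_CAP_FLAGS_EFFECTIVE if effective else 0)
    out = struct.pack("<I", magic_etc)
    for n in range(pairs):
        out += struct.pack("<II", (permitted >> (32 * n)) & 0xFFFFFFFF,
                           (inheritable >> (32 * n)) & 0xFFFFFFFF)
    return out


# Constructed samples: cap_net_raw=ep (permitted + effective) in each revision.
REV1_SAMPLE = build_vfs_cap_data(VFS_CAP_REVISION_1, 1 << CAP_NET_RAW, 0, True)   # 12 bytes
REV2_SAMPLE = build_vfs_cap_data(VFS_CAP_REVISION_2, 1 << CAP_NET_RAW, 0, True)   # 20 bytes
```

Feeding the parser a 20-byte value whose leading word is the revision-1 magic (as in the setxattr call traced above, whose value starts with \x01\x00\x00\x01) raises the same length mismatch the kernel rejects.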