On 15.10.2014 04:54, Colin Watson wrote:
> Martin's right - CAP_SYS_MODULE is functionally equivalent to root.
I see.
Anyway, there is another part, reading the msr and cpuid. For that, it
seems to be really beneficial, to make it available to everyone. So the
process which needs it, can onl
On Tue, Oct 14, 2014 at 10:44:26PM +0400, ds wrote:
> On 14.10.2014 22:37, Martin Pitt wrote:
> >Note that at least CAP_SYS_MODULE is equivalent to root (as you can
> >load any local .ko which can then provide you with a backdoor into
> >the kernel),
>
> I guess you have to put the .ko file at a p
On 14.10.2014 22:37, Martin Pitt wrote:
> Ah, how does that work? I'm not aware of an ELF/kernel feature which
> allows doing that, this sounds interesting?
https://www.insecure.ws/2013/12/17/lesser-known-tool-of-the-day-getcap-setcap-and-file-capabilities/
> Note that at least CAP_SYS_MODULE is equ
ds [2014-10-14 22:31 +0400]:
> Yes it is. The capability is set on exe file by the installer.
Ah, how does that work? I'm not aware of an ELF/kernel feature which
allows doing that, this sounds interesting?
> The exe itself should never acquire root ideally. Only has the
> limited subset of root
On 14.10.2014 22:23, Martin Pitt wrote:
> You also need root to initially get those CAP_*, so this is not a real
> limitation.
Yes it is. The capability is set on exe file by the installer. The exe
itself should never acquire root ideally. Only has the limited subset of
root powers CAP_SYS_RAWIO a
Hello ds,
ds [2014-10-14 21:44 +0400]:
> I'm trying to write a widget, which reports Intel CPUs power
> consumption. For that, the widget needs access to /dev/cpu/.../msr,
> as well as ability to load kernel modules cpuid and msr.
> I can set CAP_SYS_RAWIO capability to get the acc
Greetings!
I'm trying to write a widget, which reports Intel CPUs power
consumption. For that, the widget needs access to /dev/cpu/.../msr,
as well as ability to load kernel modules cpuid and msr.
I can set CAP_SYS_RAWIO capability to get the access, but the
prob