
From: Herbert Poetzl (herbert_at_13thfloor.at)
Date: Fri 30 Jan 2004 - 23:35:39 GMT


On Fri, Jan 30, 2004 at 10:40:47PM +0100, Sascha Silbe wrote:
> Hi!
>
> While hacking on my srvtools (something similar to the vserver user space
> tools, but with a different design), I made a frightening discovery:
>
> root_at_hybrid:/# reducecap --secure /bin/sh -c 'getpcaps $$'
> Executing
> Capabilities for `11054': =eip cap_setpcap-eip
> root_at_hybrid:/# execcap = /bin/sh -c 'getpcaps $$'
> Capabilities for `11084': =ep cap_setpcap-ep
> root_at_hybrid:/# cat /proc/sys/kernel/cap-bound
> 0
> root_at_hybrid:/# uname -r
> 2.4.21-hybrid-1

hmm, if this helps:

/ # reducecap --secure /bin/sh -c 'getpcaps $$'
Executing
Capabilities for `17': = cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_net_bind_service,cap_sys_chroot,cap_sys_ptrace,cap_sys_tty_config,cap_lease+ep
/ # execcap = /bin/sh -c 'getpcaps $$'
Capabilities for `19': =ep cap_setpcap-ep
/ # cat /proc/sys/kernel/cap-bound
-257
/ # uname -r
2.4.25-pre7-vs1.24
/ #

> This is exactly the same as on a capability-disabled system (where I'd
> actually expect that behaviour):
>
> root_at_odin:~# execcap = /bin/sh -c 'getpcaps $$'
> Capabilities for `29497': =ep cap_setpcap-ep
> root_at_odin:~# cat /proc/sys/kernel/cap-bound
> -257
>
>
> Actually one of my services ("virtual servers") is running with FULL root
> privileges now:
>
> root_at_hybrid:/# getpcaps `vps auxww |grep '[ ]/bin/clockspeed'|tr -s ' '|cut -d ' ' -f 1`
> Capabilities for `root': =eip cap_setpcap-eip
>
>
> What the hell has happened to POSIX capability support in the latest 2.4
> kernels?

what kernel patch/tool version do you use and what
does the test script report (started on the host):

   http://vserver.13thfloor.at/Stuff/testme.sh

HTH,
Herbert

> PS: Yes, 'reducecap --show' does give the same output as 'getpcaps $$', only
> in a much more verbose fashion.
>
> CU/Lnx Sascha
>
> --
> Registered Linux User #77587 (http://counter.li.org/)
>
> bomb terrorist afghanistan PGP encrypt CIA FBI BND MAD StaSi anschlag strike
> sex pussy xxx kill bj hitler Gates MS Windows ZV ZDV
>
_______________________________________________
Vserver mailing list
Vserver_at_list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver
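The two cap-bound/getpcaps pairs quoted in this thread, decoded by an added Python example that is not part of the thread, of the vserver tools or of libcap: it reads the bounding-set mask the way /proc/sys/kernel/cap-bound prints it (a signed 32-bit integer), interprets libcap's textual capability form as printed by getpcaps, and reports the capabilities a process holds effectively that the bounding set does not contain, which is exactly the mismatch in the 2.4.21 output above (cap-bound 0, yet `=eip`). Capability bit numbers follow linux/capability.h of the 2.4 series; the function names and the sample pairs embedded in the block are the example's own.

```python
import re

# Capability bit numbers as defined in linux/capability.h for 2.4 kernels
# (bit 8 is cap_setpcap, the one both outputs above show removed).
CAP_NAMES = [
    "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner",
    "cap_fsetid", "cap_kill", "cap_setgid", "cap_setuid", "cap_setpcap",
    "cap_linux_immutable", "cap_net_bind_service", "cap_net_broadcast",
    "cap_net_admin", "cap_net_raw", "cap_ipc_lock", "cap_ipc_owner",
    "cap_sys_module", "cap_sys_rawio", "cap_sys_chroot", "cap_sys_ptrace",
    "cap_sys_pacct", "cap_sys_admin", "cap_sys_boot", "cap_sys_nice",
    "cap_sys_resource", "cap_sys_time", "cap_sys_tty_config", "cap_mknod",
    "cap_lease",
]
ALL_CAPS = frozenset(CAP_NAMES)

# One libcap text clause: optional comma-separated cap list, one operator, flags.
CLAUSE_RE = re.compile(r"^([a-z_0-9,]*)([=+-])([eip]*)$")
GETPCAPS_RE = re.compile(r"^Capabilities for `([^']*)': (.*)$")


def decode_cap_bound(text):
    """Turn the signed decimal from /proc/sys/kernel/cap-bound into the set of
    capability names still present in the bounding set (-257 -> all but setpcap)."""
    mask = int(text.strip()) & 0xFFFFFFFF  # /proc prints the 32-bit mask as signed
    return frozenset(name for bit, name in enumerate(CAP_NAMES) if mask >> bit & 1)


def parse_cap_text(text):
    """Interpret libcap's textual form ('=eip cap_setpcap-eip') and return the
    effective/inheritable/permitted sets as {'e': set, 'i': set, 'p': set}."""
    sets = {"e": set(), "i": set(), "p": set()}
    for clause in text.split():
        m = CLAUSE_RE.match(clause)
        if not m:
            raise ValueError("unrecognised clause: %r" % clause)
        names, op, flags = m.groups()
        caps = ALL_CAPS if names == "" else set(names.split(","))
        unknown = caps - ALL_CAPS
        if unknown:
            raise ValueError("unknown capability: %s" % ", ".join(sorted(unknown)))
        for flag, members in sets.items():
            if op == "=":
                # '=' makes the named caps carry exactly these flags, no others
                if flag in flags:
                    members |= caps
                else:
                    members -= caps
            elif op == "+" and flag in flags:
                members |= caps
            elif op == "-" and flag in flags:
                members -= caps
    return sets


def parse_getpcaps_line(line):
    """Split one getpcaps output line into (pid-or-name, capability sets)."""
    m = GETPCAPS_RE.match(line.strip())
    if not m:
        raise ValueError("not a getpcaps line: %r" % line)
    return m.group(1), parse_cap_text(m.group(2))


def caps_outside_bound(effective_caps, bound_caps):
    """Capabilities a process holds effectively although the bounding set no
    longer contains them; a non-empty result means the ceiling is not enforced."""
    return frozenset(effective_caps) - frozenset(bound_caps)


if __name__ == "__main__":
    # Constructed pairs copied from the two machines in this thread:
    # (getpcaps line, contents of /proc/sys/kernel/cap-bound)
    samples = [
        ("Capabilities for `11054': =eip cap_setpcap-eip", "0"),
        ("Capabilities for `17': = cap_chown,cap_dac_override,cap_dac_read_search,"
         "cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_net_bind_service,"
         "cap_sys_chroot,cap_sys_ptrace,cap_sys_tty_config,cap_lease+ep", "-257"),
    ]
    for line, bound in samples:
        pid, sets = parse_getpcaps_line(line)
        leaked = caps_outside_bound(sets["e"], decode_cap_bound(bound))
        print("pid %s: %d effective, %d outside the bounding set"
              % (pid, len(sets["e"]), len(leaked)))
```

On the 2.4.21 sample the check reports 28 effective capabilities outside an empty bounding set; on the 2.4.25-pre7-vs1.24 sample every effective capability is inside the bounding set, so the two outputs in the thread differ not only in tool verbosity but in whether cap-bound is acting as a ceiling at all.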


Generated on Fri 30 Jan 2004 - 23:38:01 GMT by hypermail 2.1.3