does not remove capabilities

To: kernel-source-2.6.11@packages.debian.org
Cc: security@debian.org
Subject: does not remove capabilities
From: martin f krafft <madduck@debian.org>
Date: Thu, 9 Jun 2005 11:06:23 +0200
Message-id: <[🔎] 20050609090623.GA12948@localhost.localdomain>

Note: I am not filing this as a bug for reasons of responsible
disclosure. Maybe I am just being too paranoid. Let me know if
I should file the bug, or just forward my mail...

Package: kernel-source-2.6.11
Version: 2.6.11-5
Severity: grave
Tags: security

Note that the flags are correctly manipulated, but they take no effect.

wing:~# lcap                                                              [338]
Current capabilities: 0xFFFFFEFF
   0) *CAP_CHOWN                   1) *CAP_DAC_OVERRIDE         
   2) *CAP_DAC_READ_SEARCH         3) *CAP_FOWNER               
   4) *CAP_FSETID                  5) *CAP_KILL                 
   6) *CAP_SETGID                  7) *CAP_SETUID               
   8)  CAP_SETPCAP                 9) *CAP_LINUX_IMMUTABLE      
  10) *CAP_NET_BIND_SERVICE       11) *CAP_NET_BROADCAST        
  12) *CAP_NET_ADMIN              13) *CAP_NET_RAW              
  14) *CAP_IPC_LOCK               15) *CAP_IPC_OWNER            
  16) *CAP_SYS_MODULE             17) *CAP_SYS_RAWIO            
  18) *CAP_SYS_CHROOT             19) *CAP_SYS_PTRACE           
  20) *CAP_SYS_PACCT              21) *CAP_SYS_ADMIN            
  22) *CAP_SYS_BOOT               23) *CAP_SYS_NICE             
  24) *CAP_SYS_RESOURCE           25) *CAP_SYS_TIME             
  26) *CAP_SYS_TTY_CONFIG       
    * = Capabilities currently allowed

/proc/sys/lids/lock_init_children: No such file or directory
wing:~# lcap CAP_SYS_MODULE                                            [29,338]
wing:~# lcap                                                              [339]
Current capabilities: 0xFFFEFEFF
   0) *CAP_CHOWN                   1) *CAP_DAC_OVERRIDE         
   2) *CAP_DAC_READ_SEARCH         3) *CAP_FOWNER               
   4) *CAP_FSETID                  5) *CAP_KILL                 
   6) *CAP_SETGID                  7) *CAP_SETUID               
   8)  CAP_SETPCAP                 9) *CAP_LINUX_IMMUTABLE      
  10) *CAP_NET_BIND_SERVICE       11) *CAP_NET_BROADCAST        
  12) *CAP_NET_ADMIN              13) *CAP_NET_RAW              
  14) *CAP_IPC_LOCK               15) *CAP_IPC_OWNER            
  16)  CAP_SYS_MODULE             17) *CAP_SYS_RAWIO            
  18) *CAP_SYS_CHROOT             19) *CAP_SYS_PTRACE           
  20) *CAP_SYS_PACCT              21) *CAP_SYS_ADMIN            
  22) *CAP_SYS_BOOT               23) *CAP_SYS_NICE             
  24) *CAP_SYS_RESOURCE           25) *CAP_SYS_TIME             
  26) *CAP_SYS_TTY_CONFIG       
    * = Capabilities currently allowed

wing:~# lsmod | grep -c vfat
0
wing:~# modprobe vfat
wing:~# lsmod | grep vfat
vfat                   14208  0 
fat                    41948  1 vfat
wing:~# uname -a
Linux wing 2.6.11-1-686 #1 Tue Mar 22 10:20:01 CET 2005 i686 GNU/Linux

-- 
 .''`.     martin f. krafft <madduck@debian.org>
: :'  :    proud Debian developer, admin, user, and author
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!
 
Most Intelligent Customers Realise Our Software Only Fools Them.

Attachment: signature.asc
Description: Digital signature

Reply to:

Follow-Ups:
- Re: does not remove capabilities
  - From: martin f krafft <madduck@debian.org>
- Re: does not remove capabilities
  - From: Jurij Smakov <jurij@wooyd.org>

Prev by Date: Re: draft of DebConf5 debian-kernel paper
Next by Date: Bug#312646: kernel-source-2.4.27: kernel locks up hard when do a "grep -r <some-string> *" at root(/)
Previous by thread: adaptec 2610sa raid support in debian-installer (aacraid)
Next by thread: Re: does not remove capabilities
Index(es):
- Date
- Thread