Re: Capabilities (was Re: Policy on file permissions)
Jim Breton wrote:
> Are there are good resources which provide details on how to take
> advantage of the kernel's capabilities? I've installed lcap, setpcap,
> and friends but am surprised at how little documentation I've been able
> to find (maybe I'm looking in the wrong place).
Yeah, I noticed that too back when I started fiddling with caps. So I
wrote a paper on it ;)
http://linux.com/security/newsitem.phtml?sid=11&aid=4693
You might also want to look at
http://kernelnotes.org/lnxlists/linux-kernel/lk_0006_02/
in regard to the capabilities+sendmail exploit that was posted to
bugtraq. The official fix to the kernel broke capabilities, however Joe
Gooch posted a working patch to the kernel to close the exploit and
still allow caps to work.
> Why am I unable to give some caps to a process, and not others? And why
> am I unable to preserve caps through a uid change with sucap?
> Thanks for any help/pointers to docs/etc.. I would really like to get
> this going (mainly to run some daemons that must bind to low ports as
> non-root) but it's extremely difficult to find any assistance on this.
These two areas are covered in the paper, with sample code too :] Feel
free to send me questions. The link in the paper that points to a
modified libcap is broken at the moment. Instead use
http://boboshrimps.linuxos.org/~zeppelin/box/
Hope that helps,
Jim Hewlett
Reply to: