Re: capabilities

To: Adam ENDRODI <borso@vekoll.saturnus.vein.hu>
Cc: debian-security <debian-security@lists.debian.org>
Subject: Re: capabilities
From: Olaf Dietsche <olaf+list.debian-security@olafdietsche.de>
Date: Thu, 24 Jul 2003 16:16:57 +0200
Message-id: <[🔎] 87wue89fhi.fsf@goat.bogus.local>
In-reply-to: <[🔎] 20030724131643.GA5012@vekoll.saturnus.vein.hu> (Adam ENDRODI's message of "Thu, 24 Jul 2003 15:16:43 +0200")
References: <[🔎] 20030724131643.GA5012@vekoll.saturnus.vein.hu>

Adam ENDRODI <borso@vekoll.saturnus.vein.hu> writes:

>   -- Problem 3: I'd like to grant or revoke capabilities to/from
>      a running process.
>
>      This seems to be the easiest, except that the kernel in the
>      default configuration doesn't permit this (cap_bound doesn't
>      contain CAP_SETPCAP which is requirement of a succesful
>      capset() where the target is not the current process.
>
>      The simplies workaround would be to set CAP_SETPCAT in
>      cap_bound (requires to recompile the kernel, for cap_bset
>      cannot be extended by anyone except pid == 1 (init)).
>      However, I don't see clearly the implications this
>      modification would cause, and I don't really want to risk
>      it.

I did this some time ago with a simple wrapper script around init:

---8<--cut here---
#! /bin/sh
if test $$ -eq 1; then
        mount /proc
        echo -1 >/proc/sys/kernel/cap-bound
fi

exec /sbin/init.bin "$@"
---cut here-->8---

Regards, Olaf.

Reply to:

References:
- capabilities
  - From: Adam ENDRODI <borso@vekoll.saturnus.vein.hu>

Prev by Date: capabilities
Next by Date: Re: activating an unconfigured interface using /etc/network/interfaces...?
Previous by thread: capabilities
Next by thread: Re: capabilities
Index(es):
- Date
- Thread