libpam-cap not working
Hello,
My first post to the debian-user list, for quite a vexing issue. I'm running Debian squeeze.
I'm trying to get capabilities working along the lines of blog.fpmurphy.com/2009/05/linux-security-capabilities.html.
I installed libcap2 (1:2.22-1.2), libcap2-bin (1:2.22-1.2), and libpam-cap (1:2.22-1.2), and edited /etc/security/capbilities.conf in order to give the user luke the cap_net_raw capability.
Everything seems set up correctly according to this check:
luke@leda:~$ /sbin/capsh --decode=$(grep CapInh /proc/$$/status|awk '{print $2}')
0x0000000000002000=cap_net_raw
However, actually using the capability with a copy of the ping binary is impossible:
luke@leda:~$ ls -al ./ping
-rwxr-xr-x 1 luke luke 36136 Nov 9 17:18 ./ping
luke@leda:~$ /sbin/getcap ./ping
./ping = cap_net_raw+ip
luke@leda:~$ ./ping localhost
ping: icmp open socket: Operation not permitted
As one can see, cap_net_raw is the capability required, since directly putting it into the effective capabilities works:
root@leda:~# setcap cap_net_raw=pie /home/luke/ping
luke@leda:~$ ./ping localhost
PING localhost (127.0.0.1) 56(84) bytes of data.
64 bytes from localhost (127.0.0.1): icmp_req=1 ttl=64 time=0.019 ms
My google-fu has failed to turn up anything other than an old bug report that didn't go anywhere: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=633991
Any help or pointers muchly appreciated.
Best regards,
Luke.