
Re: libpam-cap not working



Correction...

On 09.11.2013 18:12, Lukas Erlacher wrote:
> Hello,
> 
> my first post to the Debian user list for a quite vexing issue. I'm running Debian squeeze.
> 

I'm running wheezy, of course.

root@leda:~# lsb_release -a
No LSB modules are available.
Distributor ID:	Debian
Description:	Debian GNU/Linux 7.2 (wheezy)
Release:	7.2
Codename:	wheezy

> I'm trying to get capabilities working along the lines of blog.fpmurphy.com/2009/05/linux-security-capabilities.html.
> 
> I installed libcap2 (1:2.22-1.2), libcap2-bin (1:2.22-1.2), and libpam-cap (1:2.22-1.2), and edited /etc/security/capbilities.conf in order to give the user luke the cap_net_raw capability.
> 
> Everything seems set up correctly according to this check:
> 
> luke@leda:~$ /sbin/capsh --decode=$(grep CapInh /proc/$$/status|awk '{print $2}')
> 0x0000000000002000=cap_net_raw
> 
> However, actually using the capability with a copy of the ping binary is impossible:
> 
> luke@leda:~$ ls -al ./ping 
> -rwxr-xr-x 1 luke luke 36136 Nov  9 17:18 ./ping
> luke@leda:~$ /sbin/getcap ./ping
> ./ping = cap_net_raw+ip
> luke@leda:~$ ./ping localhost
> ping: icmp open socket: Operation not permitted
> 
> As one can see, cap_net_raw is the capability required, since directly putting it into the effective capabilities works:
> 
> root@leda:~# setcap cap_net_raw=pie /home/luke/ping
> luke@leda:~$ ./ping localhost
> PING localhost (127.0.0.1) 56(84) bytes of data.
> 64 bytes from localhost (127.0.0.1): icmp_req=1 ttl=64 time=0.019 ms
> 
> My google-fu has failed to turn up anything other than an old bug report that didn't go anywhere: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=633991
> 
> Any help or pointers muchly appreciated.
> 
> Best regards,
> Luke.
> 
> 
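
The mechanism behind the two results quoted above, as an added shell example that is not part of the original thread or of libcap: the first function reproduces what `capsh --decode` does for a Cap* line from /proc/<pid>/status, using a constructed subset of the capability bit numbers from <linux/capability.h>; the second applies the capability-set rules that the kernel uses at execve() as documented in capabilities(7) for a kernel without ambient capabilities (as on wheezy's 3.2), so one can see why a file capability of `cap_net_raw+ip` leaves ping with an empty effective set while `cap_net_raw=pie` does not. The function names (`decode_mask`, `exec_transition`, `effective_after_exec`) and the scenario values are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread or from libcap/pam_cap.
# (a) decode_mask: a small re-implementation of "capsh --decode" using a
#     constructed subset of capability bit numbers.
# (b) exec_transition: the execve() capability rules from capabilities(7)
#     for a pre-ambient kernel (wheezy's 3.2), applied to the thread's two
#     setcap variants.

# Bit numbers from <linux/capability.h>; only a subset is listed here.
cap_name() {
    case "$1" in
        0) echo cap_chown ;;            1) echo cap_dac_override ;;
        2) echo cap_dac_read_search ;;  6) echo cap_setgid ;;
        7) echo cap_setuid ;;           10) echo cap_net_bind_service ;;
        12) echo cap_net_admin ;;       13) echo cap_net_raw ;;
        19) echo cap_sys_ptrace ;;      21) echo cap_sys_admin ;;
        *) echo "$1" ;;                 # bit not in the table: print its number
    esac
}

# decode_mask HEX: prints 0x<mask>=name,name for every set bit, like
# "capsh --decode". HEX is the raw value from a Cap* line of
# /proc/<pid>/status, e.g. 0000000000002000 for CapInh in the thread.
decode_mask() {
    mask=$(( 0x$1 ))
    names=""
    bit=0
    while [ "$bit" -lt 64 ]; do
        if [ $(( (mask >> bit) & 1 )) -eq 1 ]; then
            names="${names:+$names,}$(cap_name "$bit")"
        fi
        bit=$(( bit + 1 ))
    done
    printf '0x%016x=%s\n' "$mask" "$names"
}

# exec_transition pI fI fP fE pB: the new permitted and effective sets after
# execve(), per capabilities(7), on a kernel without ambient capabilities:
#   P'(permitted) = (P(inheritable) & F(inheritable)) | (F(permitted) & P(bounding))
#   P'(effective) = F(effective) ? P'(permitted) : 0
# Arguments are decimal bitmasks except fE, which is the file's single
# effective flag (0 or 1). Prints "<permitted> <effective>".
exec_transition() {
    pI=$1; fI=$2; fP=$3; fE=$4; pB=$5
    pP=$(( (pI & fI) | (fP & pB) ))
    if [ "$fE" -ne 0 ]; then pE=$pP; else pE=0; fi
    echo "$pP $pE"
}

# effective_after_exec: only the effective set, as a decimal mask.
effective_after_exec() { exec_transition "$@" | cut -d' ' -f2; }

NET_RAW=$(( 1 << 13 ))   # 0x2000, the value capsh --decode printed in the thread
ALL=-1                   # bounding set with every bit set (the default)

# Demo, mirroring the thread:
decode_mask 0000000000002000

# Scenario 1: pam_cap put cap_net_raw in the shell's inheritable set and the
# file carries cap_net_raw+ip (inheritable + permitted, but NOT effective).
# Permitted gets cap_net_raw, effective stays empty. A legacy ping never
# calls capset() to raise its effective set, so socket() fails with EPERM.
echo "+ip  -> permitted/effective: $(exec_transition "$NET_RAW" "$NET_RAW" "$NET_RAW" 0 "$ALL")"

# Scenario 2: cap_net_raw=pie also sets the file's effective flag, so the
# kernel copies the permitted set into the effective set at exec.
echo "=pie -> permitted/effective: $(exec_transition "$NET_RAW" "$NET_RAW" "$NET_RAW" 1 "$ALL")"

# Scenario 3: =pie with an empty inheritable set (no pam_cap at all). The
# file's permitted bit alone grants cap_net_raw, which is why the pam_cap
# entry made no difference to the outcome in the thread.
echo "=pie, no pam_cap -> permitted/effective: $(exec_transition 0 "$NET_RAW" "$NET_RAW" 1 "$ALL")"
```

The decisive flag is the file's effective bit: `+ip` only grants the capability to the permitted set, which is enough for a program that raises its own effective set with capset() but not for a ping that expects to be setuid-root and never does so. The inheritable set that pam_cap provides only matters for a file that carries the capability as inheritable but not permitted.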

