
List:       oss-security
Subject:    Re: [oss-security] filesystem capabilities
From:       Daniel J Walsh <dwalsh () redhat ! com>
Date:       2010-11-18 20:25:18
Message-ID: 4CE58BAE.5080105 () redhat ! com


On 11/18/2010 01:56 PM, Kees Cook wrote:
> Hi Steve,
> 
> On Wed, Nov 10, 2010 at 02:55:47PM -0500, Steve Grubb wrote:
>> drop all privs is a 2 liner:
>> capng_clear(CAPNG_SELECT_CAPS);
>> if (capng_apply(CAPNG_SELECT_CAPS))
>> 	exit(0);
>>
>> Not sure anything that small needs a library function.
> 
> Well, yeah, if it's just caps, I'd agree, but I'm failing to describe what
> I mean. :)
> 
> For the transition from setuid to fscaps, there will be a time where
> distros may ship a program with both setuid-root and fscaps. (Some
> stacked filesystems, for example, don't support fscaps.) In these
> situations, it would be nice to have a single library-based routine that
> all of these programs can call that will basically do the following:
> 
> - remember if I'm running setuid
> - drop all but needed caps
> - if I was setuid, drop uid back to real uid
> 
> That way the sensitive code isn't cut/pasted into lots of programs, just
> they all call out to a single place, and everything gets it right,
> regardless of them being setuid or fscap.
> 
>> I asked the maintainer if he's had any discussion [about upstreaming
>> the tar xattr patches] lately.
> 
> Any news here?
> 
>>> Has there been any discussion of making rsync, cp, and cpio default to
>>> copying xattrs and acls too? I know at least with rsync they are explicitly
>>> not included in the "-a" option. :(
>>
>> My rsync man page shows a -X option and cp has a --preserve=xattr. cpio doesn't but no 
>> one seems to have been missing that.
> 
> Right, but I mean, it seems like it would be valuable to make these options
> _part_ of -a when currently they are explicitly not included.
> 
> -Kees
> 

Something like this works in both setuid and fscap systems.

#define _GNU_SOURCE
#include <stdio.h>
#include <unistd.h>
#include <libintl.h>
#include <cap-ng.h>

#define _(s) gettext(s)

/**
 * This function will drop all capabilities
 * Returns zero on success, non-zero otherwise
 */
static int drop_capabilities(uid_t uid)
{
	/* Start from an empty set in libcap-ng's internal state (caps and bounding set) */
	capng_clear(CAPNG_SELECT_BOTH);
	/* Set the securebits so that the uid change below does not touch the
	 * capability sets and children cannot regain root privileges */
	if (capng_lock() < 0)
		return -1;

	/* Change uid */
	if (setresuid(uid, uid, uid)) {
		fprintf(stderr, _("Error changing uid, aborting.\n"));
		return -1;
	}
	/* Commit the empty set to the kernel */
	return capng_apply(CAPNG_SELECT_BOTH);
}

If you are in filecaps, your current UID is the same as what you call
setresuid with, and it becomes a noop.
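Kees's three-step routine from the quoted mail (remember whether we started setuid, keep only the capabilities we still need, then go back to the real uid), written out as an added example that is not part of this thread and not Dan's or libcap-ng's code. It does the capability work with the raw capget/capset syscalls and sets the same securebits that libcap-ng's capng_lock() sets via prctl(PR_SET_SECUREBITS), so it compiles with only the kernel headers. The names drop_privs(), started_setuid(), read_permitted() and cap_bit() are this example's own.

```c
/* Added example, not code from the thread: one routine that does what Kees
 * Cook's wish list asks for. It talks to the kernel through the raw
 * capget/capset syscalls instead of libcap-ng, so it builds without that
 * library. All function names here are this example's own. */
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/capability.h>
#include <linux/securebits.h>
#include <unistd.h>

/* Prototypes repeated here so the code also compiles when unistd.h was
 * already included without _GNU_SOURCE (they match glibc's declarations). */
long syscall(long number, ...);
int setresuid(uid_t ruid, uid_t euid, uid_t suid);

/* Bit for one capability number, e.g. cap_bit(CAP_NET_RAW). */
static uint64_t cap_bit(int cap) { return (uint64_t)1 << cap; }

/* Read our permitted set as one 64-bit mask (v3 data is two 32-bit halves). */
static int read_permitted(uint64_t *permitted)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2] = { { 0, 0, 0 }, { 0, 0, 0 } };

    if (syscall(SYS_capget, &hdr, data) < 0)
        return -1;
    *permitted = ((uint64_t)data[1].permitted << 32) | data[0].permitted;
    return 0;
}

/* Step 1 of the list: a setuid binary runs with real uid != effective uid. */
static int started_setuid(void)
{
    return getuid() != geteuid();
}

/* Steps 2 and 3: keep is the set of capabilities the program still needs
 * (0 = drop everything). Returns 0 on success, -1 on failure. */
static int drop_privs(uint64_t keep)
{
    uid_t real = getuid();
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];
    uint64_t permitted;

    /* Only a setuid-root binary moves euid away from 0 below. Without these
     * securebits the kernel clears the capability sets on that move, so a
     * non-empty keep would be lost; with NOROOT a later exec of a setuid-root
     * file gains nothing either. The *_LOCKED bits cannot be undone. */
    if (started_setuid() && geteuid() == 0 &&
        prctl(PR_SET_SECUREBITS,
              SECBIT_NOROOT | SECBIT_NOROOT_LOCKED |
              SECBIT_NO_SETUID_FIXUP | SECBIT_NO_SETUID_FIXUP_LOCKED,
              0, 0, 0) < 0)
        return -1;

    /* Step 3: back to the real uid in all three slots, so nothing can
     * setuid() to 0 later. For an fscaps binary real == effective already
     * and this is a no-op, as Dan notes for his setresuid() call. */
    if (setresuid(real, real, real) < 0)
        return -1;

    /* Step 2: permitted = effective = keep, inheritable = empty. */
    data[0].permitted = data[0].effective = (uint32_t)keep;
    data[1].permitted = data[1].effective = (uint32_t)(keep >> 32);
    data[0].inheritable = data[1].inheritable = 0;
    if (syscall(SYS_capset, &hdr, data) < 0)
        return -1;

    /* Check the result instead of trusting the calls. */
    if (getuid() != real || geteuid() != real)
        return -1;
    if (read_permitted(&permitted) < 0 || (permitted & ~keep) != 0)
        return -1;
    return 0;
}

int main(void)
{
    uint64_t permitted = 0;

    /* A real program passes what it needs, e.g. cap_bit(CAP_NET_RAW);
     * this demonstration keeps nothing. */
    if (drop_privs(0) != 0) {
        perror("drop_privs");
        return 1;
    }
    read_permitted(&permitted);
    printf("uid=%u euid=%u permitted=%#llx (cap_bit(CAP_NET_RAW)=%#llx)\n",
           (unsigned)getuid(), (unsigned)geteuid(),
           (unsigned long long)permitted,
           (unsigned long long)cap_bit(CAP_NET_RAW));
    return 0;
}
```

Run as an ordinary user the routine only shrinks an already empty capability set and the uid calls are no-ops; the securebits branch is taken only when the binary really started setuid-root, which is exactly the case where it is needed. The final verification step is the part worth copying: a privilege drop that is not checked afterwards is a privilege drop you do not know happened.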