On Tue, Oct 29, 2024 at 02:14:40PM +0000, Simon McVittie wrote:
> Running as
>
>     setpriv --bounding-set -SYS_ADMIN adduser somebody
>
> in a Debian sid VM with systemd init seems to be a sufficient reproducer
> for this.
Thank you very much, that was helpful advice. Do you have a less clumsy way
to check for SYS_ADMIN privilege than doing:

    # Read the capability sets of the current process from procfs
    open my $fh, '<', '/proc/self/status'
        or die "Can't open /proc/self/status: $!";
    my $has_sys_admin = 0;
    while (my $line = <$fh>) {
        # CapEff is a 64-bit mask printed as 16 hex digits; skip the
        # upper 10 digits and keep the low 24 bits, which contain bit 21
        if ($line =~ /^CapEff:\s+[0-9a-fA-F]{10}([0-9a-fA-F]+)/) {
            my $cap_eff = hex($1);
            # Check if the CAP_SYS_ADMIN bit (bit 21) is set using a bit-shift
            $has_sys_admin = $cap_eff & (1 << 21);
            last;
        }
    }
    close $fh;

parsing setpriv --dump output seems even more clumsy, capsh ditto (and
it's not in the base system install), and I didn't find POSIX::capability
in Debian (and not in the base system install either).

Greetings
Marc
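For readers following the thread, here is an added example (not Marc's code, not part of adduser, and not Simon's suggestion) showing the same /proc/self/status check done on the full 64-bit mask rather than on the low six hex digits, so it works for any capability bit and for all five capability sets. It is written in Python; the capability names are the bit numbers from linux/capability.h, and the status text used for the demonstration is a constructed sample modelled on the setpriv --bounding-set -SYS_ADMIN scenario above.

```python
import re

# Capability names indexed by bit number, as defined in linux/capability.h.
# CAP_SYS_ADMIN is bit 21.
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]
CAP_BIT = {name: bit for bit, name in enumerate(CAP_NAMES)}

# The five capability sets the kernel prints in /proc/<pid>/status.
_CAP_LINE = re.compile(r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s+([0-9a-fA-F]+)\s*$")


def parse_cap_sets(status_text):
    """Map each Cap* line of a /proc/<pid>/status body to its 64-bit mask.

    The whole hex field is converted, so no digits are skipped and bits
    above 23 are checked correctly as well.
    """
    sets = {}
    for line in status_text.splitlines():
        m = _CAP_LINE.match(line)
        if m:
            sets[m.group(1)] = int(m.group(2), 16)
    return sets


def has_cap(mask, cap):
    """True if capability `cap` (name or bit number) is set in `mask`."""
    bit = CAP_BIT[cap] if isinstance(cap, str) else cap
    return bool((mask >> bit) & 1)


def cap_names(mask):
    """Sorted names of the capabilities set in `mask` (unknown bits as numbers)."""
    names = []
    for bit in range(64):
        if (mask >> bit) & 1:
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else str(bit))
    return sorted(names)


def self_has_cap(cap, status_path="/proc/self/status"):
    """Live check for the calling process; Linux-only, like the Perl above."""
    with open(status_path) as fh:
        return has_cap(parse_cap_sets(fh.read()).get("CapEff", 0), cap)


# Constructed sample: a root process whose bounding set lost CAP_SYS_ADMIN,
# i.e. what `setpriv --bounding-set -SYS_ADMIN` produces. The full set on a
# kernel with 41 capabilities is 0x1ffffffffff; clearing bit 21 gives
# 0x1ffffdfffff. (Values are illustrative, not copied from a real system.)
SAMPLE_STATUS = (
    "Name:\tadduser\n"
    "Uid:\t0\t0\t0\t0\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t000001ffffdfffff\n"
    "CapEff:\t000001ffffdfffff\n"
    "CapBnd:\t000001ffffdfffff\n"
    "CapAmb:\t0000000000000000\n"
)


def demo():
    """Return (has CAP_SYS_ADMIN, has CAP_SETUID, number of effective caps)."""
    eff = parse_cap_sets(SAMPLE_STATUS)["CapEff"]
    return has_cap(eff, "CAP_SYS_ADMIN"), has_cap(eff, "CAP_SETUID"), len(cap_names(eff))


if __name__ == "__main__":
    print(demo())  # (False, True, 40)
```

The check that matters for the bug is the CapEff value: CapBnd only limits what the process could ever gain, while CapEff is what the kernel consults on each privileged operation, which is why a root process with an empty bounding-set entry for SYS_ADMIN still fails the operation.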