Correction...

On 09.11.2013 18:12, Lukas Erlacher wrote:
> Hello,
>
> my first post to the debian user list for a quite vexing issue. I'm running
> debian squeeze.
>

I'm running wheezy, of course.

root@leda:~# lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description:    Debian GNU/Linux 7.2 (wheezy)
Release:        7.2
Codename:       wheezy

> I'm trying to get capabilities working along the lines of
> blog.fpmurphy.com/2009/05/linux-security-capabilities.html.
>
> I installed libcap2 (1:2.22-1.2), libcap2-bin (1:2.22-1.2), and
> libpam-cap (1:2.22-1.2), and edited /etc/security/capbilities.conf in order to
> give the user luke the cap_net_raw capability.
>
> Everything seems set up correctly according to this check:
>
> luke@leda:~$ /sbin/capsh --decode=$(grep CapInh /proc/$$/status|awk '{print
> $2}')
> 0x0000000000002000=cap_net_raw
>
> However, actually using the capability with a copy of the ping binary is
> impossible:
>
> luke@leda:~$ ls -al ./ping
> -rwxr-xr-x 1 luke luke 36136 Nov  9 17:18 ./ping
> luke@leda:~$ /sbin/getcap ./ping
> ./ping = cap_net_raw+ip
> luke@leda:~$ ./ping localhost
> ping: icmp open socket: Operation not permitted
>
> As one can see, cap_net_raw is the capability required, since directly
> putting it into the effective capabilities works:
>
> root@leda:~# setcap cap_net_raw=pie /home/luke/ping
> luke@leda:~$ ./ping localhost
> PING localhost (127.0.0.1) 56(84) bytes of data.
> 64 bytes from localhost (127.0.0.1): icmp_req=1 ttl=64 time=0.019 ms
>
> My google-fu has failed to turn up anything other than an old bug report that
> didn't go anywhere: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=633991
>
> Any help or pointers muchly appreciated.
>
> Best regards,
> Luke.
>

-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/527eee41.5050...@lerlacher.de
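An added worked example (editor's code, not from the post, from Debian or from libcap): the behaviour reported above follows from how the kernel computes a process's capability sets at execve(). With file caps `cap_net_raw+ip` the capability lands in the new image's permitted set, but the file's single "effective" flag (the `+e`) is not set, so the effective set starts out empty; a capability-unaware binary such as ping, which just calls socket(SOCK_RAW), then fails with EPERM exactly as shown. `+pie` sets that flag, and the kernel copies the permitted set into the effective set at exec. The program below models that transform (pre-ambient rules as on wheezy's 3.2 kernel; a full bounding set is assumed and the kernel's extra sanity checks are omitted) and, in main(), does what a capability-aware ping would have to do when installed with `+ip`: raise cap_net_raw from permitted into effective via capset(2) before opening the raw socket. The user name luke and the capability values are taken from the post; the scenarios and the "nobody" login are constructed.

```c
/* exec_caps.c: added example, not part of the mailing-list post.
 * Build on Linux: gcc -Wall -o exec_caps exec_caps.c   (raw capget/capset
 * syscalls, so no -lcap is needed). Assumptions: pre-ambient kernel rules
 * (no ambient set), full bounding set, kernel sanity checks omitted. */
#define _GNU_SOURCE
#include <errno.h>
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <netinet/in.h>
#include <linux/capability.h>

#define CAP_BIT(c) ((uint64_t)1 << (c))

struct caps { uint64_t permitted, effective, inheritable; };

/* Capability sets of the new image after execve() of a file carrying file
 * caps (fP = permitted mask, fI = inheritable mask, fE = the file's single
 * "effective" flag, i.e. "+e"), started by a process with inheritable set
 * proc.inheritable and bounding set bnd:
 *   P' = (pI & fI) | (fP & bnd)
 *   E' = fE ? P' : 0
 *   I' = pI
 * Assumption: pre-ambient kernel (3.2 on wheezy), non-root caller. */
struct caps exec_caps(struct caps proc, uint64_t bnd,
                      uint64_t fP, uint64_t fI, int fE)
{
    struct caps out;
    out.permitted   = (proc.inheritable & fI) | (fP & bnd);
    out.effective   = fE ? out.permitted : 0;
    out.inheritable = proc.inheritable;
    return out;
}

/* Copy capability `cap` from the permitted set into the effective set of
 * the calling thread using the raw capget/capset syscalls (V3 layout, two
 * 32-bit words per set). Returns 0 on success, -1 with errno set if `cap`
 * is not permitted or capset(2) refuses. This is the step a binary
 * installed with cap_net_raw+ip must perform itself; with cap_net_raw+pie
 * the kernel has already done it at exec. */
int raise_effective(int cap)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];
    int idx = cap / 32;
    uint32_t bit = (uint32_t)1 << (cap % 32);

    if (syscall(SYS_capget, &hdr, data) < 0)
        return -1;
    if (!(data[idx].permitted & bit)) {
        errno = EPERM;
        return -1;
    }
    data[idx].effective |= bit;
    return (int)syscall(SYS_capset, &hdr, data);
}

static void show(const char *label, struct caps c)
{
    printf("%-38s P=0x%" PRIx64 " E=0x%" PRIx64 " I=0x%" PRIx64 "\n",
           label, c.permitted, c.effective, c.inheritable);
}

int main(void)
{
    const uint64_t raw = CAP_BIT(CAP_NET_RAW);   /* 0x2000, as capsh showed */
    const uint64_t bnd = ~(uint64_t)0;           /* full bounding set */
    struct caps luke   = { 0, 0, raw };  /* pam_cap put cap_net_raw in I */
    struct caps nobody = { 0, 0, 0 };    /* constructed: login without a pam_cap entry */

    show("luke, ping = cap_net_raw+ip  (post)", exec_caps(luke, bnd, raw, raw, 0));
    show("luke, ping = cap_net_raw+pie (post)", exec_caps(luke, bnd, raw, raw, 1));
    show("luke, ping = cap_net_raw+ie", exec_caps(luke, bnd, 0, raw, 1));
    show("nobody, ping = cap_net_raw+ie", exec_caps(nobody, bnd, 0, raw, 1));

    /* Runtime part: behave like a capability-aware ping. Run as luke after
     * "setcap cap_net_raw+ip ./exec_caps" to see +ip succeed. */
    if (raise_effective(CAP_NET_RAW) < 0)
        perror("raise_effective(CAP_NET_RAW)");
    int fd = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
    if (fd < 0) {
        perror("icmp open socket");
        return 1;
    }
    puts("raw ICMP socket opened");
    close(fd);
    return 0;
}
```

The third and fourth scenarios show why the pam_cap inheritable set matters at all: with `+ie` (no `+p`) the capability is only granted when the calling process already carries it in its inheritable set, which is the least-privilege pattern the blog post above is aiming for. With `+ip` as in the post, the file's own permitted bit grants it to anyone who can execute the binary, and only the missing effective flag keeps a capability-unaware ping from using it.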