[EMAIL PROTECTED] wrote:
> libcap-2.0 is for 64-bit capabilities which are currently
> only in -mm. So switch your kernel to 2.6.24-rc5-mm1, or
> use the latest libcap-1.x.
>
> I actually confused myself the same way two weeks ago or
> so :)
>
> It almost seems worth it to have libcap-2.x use 32-bit file
> capabilities so long as no capabilities above 31 need to
> be set, just to avoid gratuitous headaches until 2.6.25.
> Andrew, what do you think?

[I think I've been traveling too long.]

Can you try replacing the libcap/include/linux/capability.h file with
the one from your kernel? And then make clean/make?

This may work, but it may also break horribly... I'll see if I can
reproduce all this and get things working on my laptop.

Cheers

Andrew

>
> -serge
>
> Quoting Chris Friedhoff ([EMAIL PROTECTED]):
>> Hello,
>>
>> I'm (still) updating my documentation on
>> http://www.friedhoff.org/fscaps.html.
>>
>> I just learned that KaiGai has taken his userspace tools offline and
>> Andrew's tools are updated and are now the preferred ones.
>>
>> But I have a problem ...
>>
>> I tried it with 2.6.24-rc5 and 2.6.24-rc6 and with libcap 2.00, 2.01,
>> 20071203 (newest in git) on a 32-bit system.
>>
>> setcap sets, according to attr, the capability attribute with a 20-byte
>> value, whereas setfcaps sets a 12-byte value.
>> getcap can read the value set by setfcaps but not the one set by setcap.
>> Executing a binary made "capability enabled" by setcap gives an "Invalid
>> argument" error.
>> What am I missing?
>>
>> Thanks
>> Chris
>>
>>
>> Commands executed on a shell:
>> -----------------------------
>>
>> When I try to set a capability:
>> -------------------------------
>>
>> $ sudo libcap-2.01/progs/setcap cap_net_raw=ep ping
>> $ echo $?
>> 0
>> I get:
>> $ attr -l ping
>> Attribute "capability" has a 20 byte value for ping
>> $ libcap-2.01/progs/getcap ping
>> Failed to get capabilities for file `ping' (Invalid argument)
>> ./ping localhost
>> bash: ./ping: Invalid argument
>>
>> But when I use KaiGai's tool:
>> -----------------------------
>>
>> $ sudo setfcaps -c cap_net_raw=p -e ping
>> $ attr -l ping
>> Attribute "capability" has a 12 byte value for ping
>> $ libcap-2.01/progs/getcap ping
>> $ ./ping localhost (works also)
>>
>>
>> strace outputs:
>> ---------------
>>
>> strace output without needed privileges
>> ---------------------------------------
>>
>> $ ls -l libcap-2.01/progs/setcap
>> -rwxr-xr-x 1 chris users 611672 Dec 23 14:02 libcap-2.01/progs/setcap
>> $
>> $ strace libcap-2.01/progs/setcap cap_net_raw=ep ping
>> execve("libcap-2.01/progs/setcap", ["libcap-2.01/progs/setcap", "cap_net_raw=ep", "ping"], [/* 55 vars */]) = 0
>> uname({sys="Linux", node="apollo", ...}) = 0
>> brk(0) = 0x80ca000
>> brk(0x80cacb0) = 0x80cacb0
>> set_thread_area({entry_number:-1 -> 6, base_addr:0x80ca830, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0
>> brk(0x80ebcb0) = 0x80ebcb0
>> brk(0x80ec000) = 0x80ec000
>> capget(0x19980330, 0, NULL) = -1 EINVAL (Invalid argument)
>> capget(0x19980330, 0, {0, 0, 0}) = 0
>> capset(0x19980330, 0, {0x80000000 /* CAP_??? */, 0, 0}) = -1 EPERM (Operation not permitted)
>> dup(2) = 3
>> fcntl64(3, F_GETFL) = 0x2 (flags O_RDWR)
>> fstat64(3, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 1), ...}) = 0
>> mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f14000
>> _llseek(3, 0, 0xbff51724, SEEK_CUR) = -1 ESPIPE (Illegal seek)
>> write(3, "unable to set CAP_SETFCAP effect"..., 72unable to set CAP_SETFCAP effective capability: Operation not permitted
>> ) = 72
>> close(3) = 0
>> munmap(0xb7f14000, 4096) = 0
>> brk(0x80eb000) = 0x80eb000
>> exit_group(1) = ?
>> Process 3718 detached
>>
>>
>> strace output with root owned suid bit binary
>> ---------------------------------------------
>> -rwsr-xr-x 1 root root 611672 Dec 23 14:02 libcap-2.01/progs/setcap*
>> $
>> $ strace libcap-2.01/progs/setcap cap_net_raw=ep ping
>> execve("libcap-2.01/progs/setcap", ["libcap-2.01/progs/setcap", "cap_net_raw=ep", "ping"], [/* 55 vars */]) = 0
>> uname({sys="Linux", node="apollo", ...}) = 0
>> brk(0) = 0x80ca000
>> brk(0x80cacb0) = 0x80cacb0
>> set_thread_area({entry_number:-1 -> 6, base_addr:0x80ca830, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0
>> brk(0x80ebcb0) = 0x80ebcb0
>> brk(0x80ec000) = 0x80ec000
>> access("/etc/suid-debug", F_OK) = -1 ENOENT (No such file or directory)
>> fcntl64(0, F_GETFD) = 0
>> fcntl64(1, F_GETFD) = 0
>> fcntl64(2, F_GETFD) = 0
>> capget(0x19980330, 0, NULL) = -1 EINVAL (Invalid argument)
>> capget(0x19980330, 0, {0, 0, 0}) = 0
>> capset(0x19980330, 0, {0x80000000 /* CAP_??? */, 0, 0}) = -1 EPERM (Operation not permitted)
>> dup(2) = 3
>> fcntl64(3, F_GETFL) = 0x2 (flags O_RDWR)
>> fstat64(3, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 1), ...}) = 0
>> mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f99000
>> _llseek(3, 0, 0xbf9b0984, SEEK_CUR) = -1 ESPIPE (Illegal seek)
>> write(3, "unable to set CAP_SETFCAP effect"..., 72unable to set CAP_SETFCAP effective capability: Operation not permitted
>> ) = 72
>> close(3) = 0
>> munmap(0xb7f99000, 4096) = 0
>> brk(0x80eb000) = 0x80eb000
>> exit_group(1) = ?
>> Process 3724 detached
>>
>>
>> and the same as root
>> --------------------
>> strace libcap-2.01/progs/setcap cap_net_raw=ep ping
>> execve("libcap-2.01/progs/setcap", ["libcap-2.01/progs/setcap", "cap_net_raw=ep", "ping"], [/* 55 vars */]) = 0
>> uname({sys="Linux", node="apollo", ...}) = 0
>> brk(0) = 0x80ca000
>> brk(0x80cacb0) = 0x80cacb0
>> set_thread_area({entry_number:-1 -> 6, base_addr:0x80ca830, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0
>> brk(0x80ebcb0) = 0x80ebcb0
>> brk(0x80ec000) = 0x80ec000
>> capget(0x19980330, 0, NULL) = -1 EINVAL (Invalid argument)
>> capget(0x19980330, 0, {CAP_CHOWN|CAP_DAC_OVERRIDE|CAP_DAC_READ_SEARCH|CAP_FOWNER|CAP_FSETID|CAP_KILL|CAP_SETGID|CAP_SETUID|CAP_SETPCAP|CAP_LINUX_IMMUTABLE|CAP_NET_BIND_SERVICE|CAP_NET_BROADCAST|CAP_NET_ADMIN|CAP_NET_RAW|CAP_IPC_LOCK|CAP_IPC_OWNER|CAP_SYS_MODULE|CAP_SYS_RAWIO|CAP_SYS_CHROOT|CAP_SYS_PTRACE|CAP_SYS_PACCT|CAP_SYS_ADMIN|CAP_SYS_BOOT|CAP_SYS_NICE|CAP_SYS_RESOURCE|CAP_SYS_TIME|CAP_SYS_TTY_CONFIG|0xf8000000, CAP_CHOWN|CAP_DAC_OVERRIDE|CAP_DAC_READ_SEARCH|CAP_FOWNER|CAP_FSETID|CAP_KILL|CAP_SETGID|CAP_SETUID|CAP_SETPCAP|CAP_LINUX_IMMUTABLE|CAP_NET_BIND_SERVICE|CAP_NET_BROADCAST|CAP_NET_ADMIN|CAP_NET_RAW|CAP_IPC_LOCK|CAP_IPC_OWNER|CAP_SYS_MODULE|CAP_SYS_RAWIO|CAP_SYS_CHROOT|CAP_SYS_PTRACE|CAP_SYS_PACCT|CAP_SYS_ADMIN|CAP_SYS_BOOT|CAP_SYS_NICE|CAP_SYS_RESOURCE|CAP_SYS_TIME|CAP_SYS_TTY_CONFIG|0xf8000000, 0}) = 0
>> capset(0x19980330, 0, {CAP_CHOWN|CAP_DAC_OVERRIDE|CAP_DAC_READ_SEARCH|CAP_FOWNER|CAP_FSETID|CAP_KILL|CAP_SETGID|CAP_SETUID|CAP_SETPCAP|CAP_LINUX_IMMUTABLE|CAP_NET_BIND_SERVICE|CAP_NET_BROADCAST|CAP_NET_ADMIN|CAP_NET_RAW|CAP_IPC_LOCK|CAP_IPC_OWNER|CAP_SYS_MODULE|CAP_SYS_RAWIO|CAP_SYS_CHROOT|CAP_SYS_PTRACE|CAP_SYS_PACCT|CAP_SYS_ADMIN|CAP_SYS_BOOT|CAP_SYS_NICE|CAP_SYS_RESOURCE|CAP_SYS_TIME|CAP_SYS_TTY_CONFIG|0xf8000000, CAP_CHOWN|CAP_DAC_OVERRIDE|CAP_DAC_READ_SEARCH|CAP_FOWNER|CAP_FSETID|CAP_KILL|CAP_SETGID|CAP_SETUID|CAP_SETPCAP|CAP_LINUX_IMMUTABLE|CAP_NET_BIND_SERVICE|CAP_NET_BROADCAST|CAP_NET_ADMIN|CAP_NET_RAW|CAP_IPC_LOCK|CAP_IPC_OWNER|CAP_SYS_MODULE|CAP_SYS_RAWIO|CAP_SYS_CHROOT|CAP_SYS_PTRACE|CAP_SYS_PACCT|CAP_SYS_ADMIN|CAP_SYS_BOOT|CAP_SYS_NICE|CAP_SYS_RESOURCE|CAP_SYS_TIME|CAP_SYS_TTY_CONFIG|0xf8000000, 0}) = 0
>> capget(0x19980330, 0, NULL) = -1 EINVAL (Invalid argument)
>> setxattr("ping", "security.capability", "\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1aW\xe4\xbf", 20, 0) = 0
>> exit_group(0) = ?
>> Process 3727 detached
>>
>>
>>
>>
>>
>> --------------------
>> Chris Friedhoff
>> [EMAIL PROTECTED]
>> -
>> To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
>> the body of a message to [EMAIL PROTECTED]
>> More majordomo info at http://vger.kernel.org/majordomo-info.html
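The 12-byte versus 20-byte security.capability values the thread compares are the two on-disk revisions of the xattr, and a revision/size disagreement between the tool that wrote the blob and the kernel that reads it surfaces exactly as the EINVAL reported above. The encoder/decoder below is an added example written for this page; it is not code from libcap, the kernel or any participant in the thread. The layout constants (revision magics 0x01000000 and 0x02000000, the effective flag in bit 0 of the magic word, little-endian u32 fields, 12 and 20 byte sizes) are those of the kernel's include/linux/capability.h of that era. The sample blobs are constructed here, apart from the leading four bytes of the rejected one, which are the first four bytes of the setxattr call in the strace above.

```c
/* Added example for this page, not code from libcap, the kernel or anyone in
 * the thread: encode/decode a security.capability xattr in the two on-disk
 * revisions compared above. Words are little-endian u32; bit 0 of the magic
 * word is the 'e' flag. Revision 1 (magic 0x01000000) is 12 bytes: magic,
 * permitted, inheritable. Revision 2 (magic 0x02000000) is 20 bytes: magic,
 * then a (permitted, inheritable) pair for bits 0-31 and one for bits 32-63.
 * A length that does not match the revision is what the kernel EINVALs. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define VFS_CAP_REVISION_MASK   0xFF000000u
#define VFS_CAP_REVISION_1      0x01000000u
#define VFS_CAP_REVISION_2      0x02000000u
#define VFS_CAP_FLAGS_EFFECTIVE 0x00000001u
#define CAP_NET_RAW 13

struct fcaps {
    unsigned revision;    /* 1 or 2 */
    int effective;        /* 'e' flag */
    uint64_t permitted;   /* bit n set => capability number n */
    uint64_t inheritable;
};

static uint32_t get_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void put_le32(unsigned char *p, uint32_t v)
{
    for (int i = 0; i < 4; i++)
        p[i] = (unsigned char)(v >> (8 * i));
}

/* Parse as the kernel does: 0 on success, -1 where it would return EINVAL. */
int decode_fcaps(const unsigned char *buf, size_t len, struct fcaps *out)
{
    uint32_t magic, rev;
    size_t pairs, i;
    if (len < 4) return -1;
    magic = get_le32(buf);
    rev = magic & VFS_CAP_REVISION_MASK;
    pairs = rev == VFS_CAP_REVISION_1 ? 1 : rev == VFS_CAP_REVISION_2 ? 2 : 0;
    if (pairs == 0 || len != 4 + 8 * pairs)  /* unknown revision or bad size */
        return -1;
    memset(out, 0, sizeof *out);
    out->revision = magic >> 24;
    out->effective = (magic & VFS_CAP_FLAGS_EFFECTIVE) != 0;
    for (i = 0; i < pairs; i++) {
        out->permitted   |= (uint64_t)get_le32(buf + 4 + 8 * i)     << (32 * i);
        out->inheritable |= (uint64_t)get_le32(buf + 4 + 8 * i + 4) << (32 * i);
    }
    return 0;
}

/* Serialize in `revision`. Returns the blob length, or 0 for an unknown
 * revision, a short buffer, or a capability >= 32 that revision 1 cannot hold. */
size_t encode_fcaps(const struct fcaps *in, unsigned revision,
                    unsigned char *buf, size_t bufsz)
{
    size_t pairs = revision == 1 ? 1 : revision == 2 ? 2 : 0, len = 4 + 8 * pairs, i;
    uint32_t magic = (in->effective ? VFS_CAP_FLAGS_EFFECTIVE : 0) |
                     (revision == 1 ? VFS_CAP_REVISION_1 : VFS_CAP_REVISION_2);
    if (pairs == 0 || bufsz < len ||
        (revision == 1 && ((in->permitted | in->inheritable) >> 32)))
        return 0;
    put_le32(buf, magic);
    for (i = 0; i < pairs; i++) {
        put_le32(buf + 4 + 8 * i,     (uint32_t)(in->permitted   >> (32 * i)));
        put_le32(buf + 4 + 8 * i + 4, (uint32_t)(in->inheritable >> (32 * i)));
    }
    return len;
}

/* Encode, decode, compare: blob length on a clean round trip, -1 if the
 * encoder refused, -2 if the decoder rejected or mangled the blob. */
int roundtrip(unsigned revision, uint64_t permitted, uint64_t inheritable,
              int effective)
{
    struct fcaps in = { 0, effective, permitted, inheritable }, out;
    unsigned char blob[20];
    size_t n = encode_fcaps(&in, revision, blob, sizeof blob);
    if (n == 0) return -1;
    if (decode_fcaps(blob, n, &out) != 0 || out.revision != revision ||
        out.effective != effective || out.permitted != permitted ||
        out.inheritable != inheritable)
        return -2;
    return (int)n;
}

/* The mismatch on this page: a 20-byte blob whose leading word is 0x01000001
 * (revision 1 + 'e'), the first four bytes of the setxattr call above; the
 * remaining 16 bytes here are constructed zeros. */
int decode_rev1_magic_in_20_bytes(void)
{
    unsigned char blob[20] = { 0x01, 0x00, 0x00, 0x01 };
    struct fcaps c;
    return decode_fcaps(blob, sizeof blob, &c);
}
```

The point of the size check in decode_fcaps is that the kernel keys the expected length off the revision byte, not the other way round: a 20-byte blob whose magic says revision 1 is rejected even though 20 bytes is a valid size for revision 2. That is why a tool built against a 64-bit-capability header and run on a 32-bit-capability kernel can write an xattr that attr reports as present but getcap and execve both refuse. encode_fcaps refuses to emit revision 1 for any capability numbered 32 or above, which is the "no capabilities above 31" condition in Serge's suggestion.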
