From: Nick Craig-Wood (ncw1_at_axis.demon.co.uk)
Date: Mon Apr 08 2002 - 08:07:22 EDT
I thought you guys might be interested in this in that it is playing with
similar parts of the kernel to vserver :-
http://freshmeat.net/projects/pam_capability/
Which is a module implementing capabilities for users via PAM.
Of particular interest it comes with a kernel patch which I include
verbatim here - maybe some co-operation between the two projects would
be a good idea?
...
diff -ruN linux-2.4.18-pure/Documentation/Configure.help linux-2.4.18-capfix/Documentation/Configure.help
--- linux-2.4.18-pure/Documentation/Configure.help Mon Feb 25 11:37:51 2002
+++ linux-2.4.18-capfix/Documentation/Configure.help Tue Apr 2 07:24:32 2002
@@ -3690,6 +3690,22 @@
building a kernel for install/rescue disks or your system is very
limited in memory.
+Inherit Capabilities Across Exec
+CONFIG_INHERIT_CAPS_ACROSS_EXEC
+ Allow non-root users to pass on capabilities when they exec
+ binaries. When this feature is used in combination with a
+ user-level capability assignment mechanism (e.g. pam_capability)
+ it can significantly reduce the amount of time that users need
+ to run as root.
+
+ Note that this is a temporary solution to the larger
+ problem of implementing full support for capabilities in
+ the Linux virtual file system layer.
+
+ You should say N here unless you know what this is and know
+ that you want to use it.
+
+
# Choice: kcore
Kernel core (/proc/kcore) format
CONFIG_KCORE_ELF
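Review bot: the help text for CONFIG_INHERIT_CAPS_ACROSS_EXEC never states what actually changes, which is the one thing a reader deciding between Y and N needs: with this option a non-root process's inheritable set becomes the permitted and effective sets of every binary it execs, regardless of anything set on the file, and (per the comment in the fs/exec.c hunk) a non-root user can then never hold CAP_SETPCAP. Suggest adding both points after "it can significantly reduce the amount of time that users need to run as root", and since the config.in hunk only offers the option when CONFIG_EXPERIMENTAL is set, the title line should carry the usual "(EXPERIMENTAL)" suffix. Minor: the entry ends with two blank "+" lines where the surrounding entries use one.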
diff -ruN linux-2.4.18-pure/arch/i386/config.in linux-2.4.18-capfix/arch/i386/config.in
--- linux-2.4.18-pure/arch/i386/config.in Mon Feb 25 11:37:52 2002
+++ linux-2.4.18-capfix/arch/i386/config.in Tue Apr 2 07:24:32 2002
@@ -258,6 +258,9 @@
bool 'System V IPC' CONFIG_SYSVIPC
bool 'BSD Process Accounting' CONFIG_BSD_PROCESS_ACCT
bool 'Sysctl support' CONFIG_SYSCTL
+if [ "$CONFIG_EXPERIMENTAL" = "y" ]; then
+ bool 'Inherit Capabilities Across Exec' CONFIG_INHERIT_CAPS_ACROSS_EXEC
+fi
if [ "$CONFIG_PROC_FS" = "y" ]; then
choice 'Kernel core (/proc/kcore) format' \
"ELF CONFIG_KCORE_ELF \
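Review bot: only arch/i386/config.in gains the new bool, but the Configure.help entry and the fs/exec.c change are architecture independent, so on every other architecture the code is present yet cannot be enabled or discovered from the configurator. Either add the same three lines to the other arch config.in files or say in the help text that the option is i386-only for now.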
diff -ruN linux-2.4.18-pure/fs/exec.c linux-2.4.18-capfix/fs/exec.c
--- linux-2.4.18-pure/fs/exec.c Fri Dec 21 09:41:55 2001
+++ linux-2.4.18-capfix/fs/exec.c Tue Apr 2 07:24:32 2002
@@ -644,6 +644,29 @@
cap_clear(bprm->cap_permitted);
cap_clear(bprm->cap_effective);
+#ifdef CONFIG_INHERIT_CAPS_ACROSS_EXEC
+ /* allow non-root users to pass on capabilities
+ * when they exec binaries. we leave all capabilities
+ * cleared if cap_setpcap is set in any of the capability
+ * sets as a marker to indicate that an application did not
+ * call sys_capset via * cap_set_proc.
+ *
+ * NB: this means that non-root users can never be granted
+ * cap_setpcap. This isn't necessarily * a bad thing.
+ *
+ * NB: we use cap_inheritable here so that login can set
+ * setuid/setgid in eff & perm for purposes of su, which
+ * can then go away silently.
+ */
+ if ( (current->euid != 0 || issecure(SECURE_NOROOT)) &&
+ !(cap_raised(current->cap_inheritable,CAP_SETPCAP)) &&
+ !(cap_raised(current->cap_effective,CAP_SETPCAP)) &&
+ !(cap_raised(current->cap_permitted,CAP_SETPCAP)) ) {
+ bprm->cap_permitted = current->cap_inheritable;
+ bprm->cap_effective = current->cap_inheritable;
+ }
+#endif
+
/* To support inheritance of root-permissions and suid-root
* executables under compatibility mode, we raise all three
* capability sets for the file.
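Review bot: using CAP_SETPCAP in any of the three sets as the marker for "this process never called capset" is a fragile sentinel; the comment itself admits it means non-root users can never be granted CAP_SETPCAP, and a process that legitimately has it silently loses the whole feature. An explicit per-task flag set by sys_capset would express the intent directly and not tie the option to one capability bit. Two further points on the condition: nothing here considers whether the file being exec'd is setuid/setgid to a different non-root user, so the caller's inheritable set still becomes the permitted and effective sets of an image running under another uid, and the assignment bypasses the file's own inheritable set entirely rather than intersecting with it, which the comment should state as a deliberate choice given that the help text calls this a temporary solution. The hunk is placed before the compatibility-mode block that raises all three sets for root and suid-root, so that block still wins; a one-line comment saying the ordering is intentional would help the next reader. Finally, the comment has two stray "*" fragments mid-sentence ("sys_capset via * cap_set_proc", "isn't necessarily * a bad thing") left over from rewrapping.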
-- Nick Craig-Wood ncw1_at_axis.demon.co.uk
This archive was generated by hypermail 2.1.4 : Mon Aug 19 2002 - 12:01:01 EDT