Debian Bug report logs - #439873
libcap-bin: sucap not useful on 2.6 kernels?
Reported by: Steve Langasek <vorlon@debian.org>
Date: Tue, 28 Aug 2007 06:33:02 UTC
Severity: important
Found in version libcap/1:1.10-14
Done: Torsten Werner <twerner@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Michael Vogt <mvo@debian.org>:
Bug#439873; Package libcap-bin.
Acknowledgement sent to Steve Langasek <vorlon@debian.org>:
New Bug report received and forwarded. Copy sent to Michael Vogt <mvo@debian.org>.
Message #5 received at submit@bugs.debian.org:
Package: libcap-bin
Version: 1:1.10-14
Severity: important
Hi Michael,
I've been trying to evaluate the status of the POSIX capability patch that's
included in the Debian PAM package in relation to bug #153157, and I'm
having some serious doubts that the libcap-bin programs actually work:
$ su
Password:
# /sbin/getpcaps $$
Capabilities for `13995': =ep cap_setpcap-ep
# sucap vorlon vorlon /bin/bash
Caps: =ep cap_setpcap-ep
Caps: =
[debug] uid:1000, real uid:1000
sucaps: capsetp: Operation not permitted
sucap: child did not exit cleanly.
#
Is this related to the fact that all of these processes seem to have an
empty set of inheritable capabilities? Is it a general problem of
capabilities support in recent kernels?
From what I see, if I can't set an inheritable capability, capability
support in pam_limits isn't much use and should be dropped.
Thanks,
--
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
vorlon@debian.org http://www.debian.org/
Information forwarded to debian-bugs-dist@lists.debian.org, Michael Vogt <mvo@debian.org>:
Bug#439873; Package libcap-bin.
Acknowledgement sent to Steve Langasek <vorlon@debian.org>:
Extra info received and forwarded to list. Copy sent to Michael Vogt <mvo@debian.org>.
Message #10 received at 439873@bugs.debian.org:
Here's a different attempt:
# execcap "all+eip cap_setpcap-eip" /bin/bash
# /sbin/getpcaps $$
Capabilities for `15044': =eip cap_setpcap-eip
# sucap vorlon vorlon /bin/bash
Caps: =eip cap_setpcap-eip
Caps: =i cap_setpcap-i
[debug] uid:1000, real uid:1000
sucaps: capsetp: Operation not permitted
sucap: child did not exit cleanly.
#
So as root I can manually spawn a shell that has the inheritable bits set,
but when running sucap, *only* the inheritable bits are copied, the
effective/permitted bits are not, so trying to set them in the child process
fails. Looks broken to me?
Thanks,
--
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
vorlon@debian.org http://www.debian.org/
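Added example, not part of the original bug log or of libcap: a small decoder for the capability text strings shown in messages #5 and #10, used to compare the "Caps:" line of the calling shell with that of the sucap child. The names parse_caps and lost_in_child are hypothetical, and the clause grammar (name list, then =, + or - with the flags e, i, p) and the capability list CAP_CHOWN..CAP_LEASE are assumptions based on libcap's text format.

```python
import re

# Capability names CAP_CHOWN..CAP_LEASE (assumed to be the set libcap 1.x knew).
ALL_CAPS = frozenset("""
cap_chown cap_dac_override cap_dac_read_search cap_fowner cap_fsetid cap_kill
cap_setgid cap_setuid cap_setpcap cap_linux_immutable cap_net_bind_service
cap_net_broadcast cap_net_admin cap_net_raw cap_ipc_lock cap_ipc_owner
cap_sys_module cap_sys_rawio cap_sys_chroot cap_sys_ptrace cap_sys_pacct
cap_sys_admin cap_sys_boot cap_sys_nice cap_sys_resource cap_sys_time
cap_sys_tty_config cap_mknod cap_lease""".split())

CLAUSE = re.compile(r"([a-z_,]*)((?:[=+-][eip]*)+)")

def parse_caps(text):
    """Decode capability text into {'e': set, 'i': set, 'p': set}."""
    sets = {"e": set(), "i": set(), "p": set()}
    for clause in text.split():
        m = CLAUSE.fullmatch(clause)
        if not m:
            raise ValueError(f"malformed clause: {clause!r}")
        names, actions = m.groups()
        # An empty name list or "all" addresses every capability.
        caps = ALL_CAPS if names in ("", "all") else frozenset(names.split(","))
        if caps - ALL_CAPS:
            raise ValueError(f"unknown capability in {clause!r}")
        for op, flags in re.findall(r"([=+-])([eip]*)", actions):
            if op == "=":               # '=' first clears the caps in all sets
                for held in sets.values():
                    held -= caps
            for flag in flags:
                if op == "-":
                    sets[flag] -= caps
                else:                   # '=' and '+' both raise the flags
                    sets[flag] |= caps
    return sets

def lost_in_child(parent_text, child_text):
    """Per set, capabilities the parent held that the child does not."""
    parent, child = parse_caps(parent_text), parse_caps(child_text)
    return {flag: parent[flag] - child[flag] for flag in "eip"}

# The two "Caps:" line pairs printed by sucap in messages #5 and #10.
SESSIONS = {"#5": ("=ep cap_setpcap-ep", "="),
            "#10": ("=eip cap_setpcap-eip", "=i cap_setpcap-i")}

if __name__ == "__main__":
    for msg, (parent, child) in SESSIONS.items():
        lost = lost_in_child(parent, child)
        print(msg, {flag: len(caps) for flag, caps in lost.items()},
              "cap_setpcap in parent effective:",
              "cap_setpcap" in parse_caps(parent)["e"])
```

For both sessions the decoder reports the same picture as the raw output: the child keeps no effective or permitted capabilities, in message #10 it keeps every inheritable one the parent had, and cap_setpcap is absent from all of the parent shell's sets.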
Reply sent to mail.twerner@googlemail.com:
You have taken responsibility. (Sun, 22 Mar 2009 20:15:02 GMT)
Notification sent to Steve Langasek <vorlon@debian.org>:
Bug acknowledged by developer. (Sun, 22 Mar 2009 20:15:03 GMT)
Message #15 received at 439873-done@bugs.debian.org:
Hi,
the binaries mentioned in the bug report are obsolete and no longer
shipped in libcap2. The old package libcap will be removed soon from
Debian unstable.
Cheers,
Torsten
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 20 Apr 2009 07:37:26 GMT)