Quoting Aaron Jones (aaronmdjo...@gmail.com):

> Hello.
>
> I recently upgraded from 3.10.7 on a long-running box to 3.12.8 on a
> new box. I have been using file capabilities for a long time, so that
> processes do not need to start as root and drop unnecessary privileges
> later.
>
> For example, there is no reason for my bind9 nameservers to start as
> root, except to bind() port 53 and 953. What I did in this case was to
> chown it to root:named and chmod it to 0750 and assign
> CAP_NET_BIND_SERVICE to it; it then starts as named and works fine.
>
> I haven't had any issues with this for easily a year, until now. No
> matter what I do on this new machine, I cannot get file capabilities
> to 'work'. They are set fine, they are read back fine, but they don't
> do anything. I have attached my kernel boot log, its configuration and
> a test program (built with -std=c99 -lcap-ng).
>
> My problem follows:
>
> # strace -f setcap cap_net_bind_service+eip /usr/local/bin/caps 2>&1 \
>   | grep xattr
> setxattr("/usr/local/bin/caps", "security.capability", \
>   "\x01\x00\x00\x02\x00\x04\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00 \
>   \x00\x00\x00\x00", 20, 0) = 0
>
> # getcap /usr/local/bin/caps
> /usr/local/bin/caps = cap_net_bind_service+eip
>
> $ /usr/local/bin/caps
> Effective capabilities: (none)
> Permitted capabilities: (none)
Hm, I'm running Ubuntu 3.13.0-5-generic and I do get

serge@tp:~/test$ ./caps
Effective capabilities: net_bind_service
Permitted capabilities: net_bind_service

Any chance (grasping for straws here) that the hardening patches are
interfering? Can you try hand-building an upstream kernel to test with?

-serge
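The 20-byte value that setcap wrote in the strace output above is a struct vfs_cap_data (linux/capability.h, revision 2); decoding it confirms what is actually stored on the file, independently of whether the kernel honours it at exec. The decoder below is an added example, not the test program attached to the post; the byte array is the value from the strace line, and revision 3 (24 bytes, with a trailing rootid) is handled as well.

```c
/* Decode the on-disk "security.capability" xattr (struct vfs_cap_data).
 * Added example, not the poster's libcap-ng test program. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define VFS_CAP_REVISION_MASK   0xFF000000u
#define VFS_CAP_REVISION_2      0x02000000u
#define VFS_CAP_REVISION_3      0x03000000u   /* adds a rootid field (24 bytes) */
#define VFS_CAP_FLAGS_EFFECTIVE 0x000001u     /* the "+e" flag in setcap syntax */
#define CAP_NET_BIND_SERVICE    10

struct filecaps {
    unsigned revision;
    int effective;        /* permitted set is raised to effective at exec */
    uint64_t permitted;
    uint64_t inheritable;
    uint32_t rootid;      /* revision 3 only, otherwise 0 */
};

static uint32_t le32(const unsigned char *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Returns 0 on success, -1 if the blob is not a well-formed rev 2/3 value. */
int parse_filecaps(const unsigned char *buf, size_t len, struct filecaps *out) {
    if (len < 20) return -1;
    uint32_t magic = le32(buf), rev = magic & VFS_CAP_REVISION_MASK;
    if (rev == VFS_CAP_REVISION_2) { if (len != 20) return -1; }
    else if (rev == VFS_CAP_REVISION_3) { if (len != 24) return -1; }
    else return -1;
    out->revision = rev >> 24;
    out->effective = (magic & VFS_CAP_FLAGS_EFFECTIVE) != 0;
    /* data[0] holds the low 32 bits of each set, data[1] the high 32 bits */
    out->permitted   = (uint64_t)le32(buf + 4) | (uint64_t)le32(buf + 12) << 32;
    out->inheritable = (uint64_t)le32(buf + 8) | (uint64_t)le32(buf + 16) << 32;
    out->rootid = (rev == VFS_CAP_REVISION_3) ? le32(buf + 20) : 0;
    return 0;
}

int has_cap(uint64_t set, int cap) { return (int)((set >> cap) & 1); }

/* Constructed input: the 20 bytes from the setxattr() call in the strace output. */
static const unsigned char sample[20] = {
    0x01,0x00,0x00,0x02, 0x00,0x04,0x00,0x00, 0x00,0x04,0x00,0x00,
    0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00 };

int main(void) {
    struct filecaps fc;
    if (parse_filecaps(sample, sizeof sample, &fc) != 0) return 1;
    printf("rev %u effective=%d permitted=%#llx inheritable=%#llx net_bind_service=%s\n",
           fc.revision, fc.effective, (unsigned long long)fc.permitted,
           (unsigned long long)fc.inheritable,
           has_cap(fc.permitted, CAP_NET_BIND_SERVICE) ? "yes" : "no");
    return 0;
}
```

On a live file the same decoder can be fed the bytes returned by getxattr(2) for "security.capability"; a correct blob with empty sets at runtime points at the exec path, not at the stored value.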