Re: Capabilities

From: Chris Evans (chris@ferret.lmh.ox.ac.uk)
Date: Wed Feb 09 2000 - 08:31:59 EST


On Wed, 9 Feb 2000, Peter Benie wrote:

> I've tried to use capabilities to run xntpd without excessive privilege.
> Not surprisingly, the only capability xntpd requires is cap_sys_time.
>
> For this change to be useful, xntpd needs to run as a uid other than
> 0, otherwise it can overwrite files owned by root, regardless of what
> capabilities it has. This is no big deal - we just have to call setuid
> to change uid.
>
> Here's the problem - if you have any programs that don't understand
> capabilities, you have to run without SECURE_NO_SETUID_FIXUP or else
> they won't throw away privilege correctly. In that mode, changing to a

I have a patch for this. In fact I've had it for a while. I _must_ get
around to submitting it to Linus ;-)

I discussed the issue with the capabilities maintainer (Andrew Morgan) and
we decided upon a simple solution:

If a process has its capabilities changed via sys_capset(), it is marked
as capability aware. When a "capability aware" process does setuid(0 ->
!=0), capabilities are not cleared. The "capability aware" flag is cleared
on exec().

Let me know if this solution meets your needs, or if you have any other
comments. One possible tweak I would consider is setting "capability
aware" explicitly via prctl() rather than implicitly via sys_capset(),
although that shouldn't be required.

I've tested the solution. I'm very glad to hear you are de-privving
xntpd. I'd like to see that change in distributions ASAP! People
de-privving bind (thank God) have also hit this issue.

Awaiting your reply then I will stop delaying getting this important fix
into the kernel.

Cheers
Chris
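The privilege-drop sequence this thread is about, as an added example (not code from the thread or from xntpd): on later Linux kernels the "capability aware" marking became an explicit prctl(PR_SET_KEEPCAPS), the tweak Chris mentions, so setuid(0 -> !=0) keeps the permitted set and the daemon then trims itself down to CAP_SYS_TIME with capset(). The function is meant to be called once at daemon startup while still uid 0; the target uid/gid are assumed to be an unprivileged service account.

```c
/* Added example, not from the thread: root -> unprivileged uid, keeping one capability. */
#define _GNU_SOURCE
#include <errno.h>
#include <linux/capability.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Build a capset() payload holding exactly one capability in the permitted
 * and effective sets and nothing in the inheritable set. */
static void single_cap_data(int cap, struct __user_cap_data_struct data[2])
{
    memset(data, 0, 2 * sizeof(*data));
    data[cap / 32].permitted = 1u << (cap % 32);
    data[cap / 32].effective = 1u << (cap % 32);
}

/* Nonzero if the payload keeps `cap` and no other capability at all. */
static int keeps_only(const struct __user_cap_data_struct data[2], int cap)
{
    for (int i = 0; i < 2; i++) {
        unsigned expect = (i == cap / 32) ? 1u << (cap % 32) : 0;
        if (data[i].permitted != expect || data[i].effective != expect ||
            data[i].inheritable != 0)
            return 0;
    }
    return 1;
}

/* Drop from uid 0 to uid/gid, keeping only `cap`. Returns 0 or -errno.
 * Must run while uid 0 with `cap` in the permitted set. */
int drop_root_keep_cap(uid_t uid, gid_t gid, int cap)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];

    /* Mark the process "capability aware": the following setuid() away from
     * 0 must not wipe the permitted set. The flag is reset on execve(). */
    if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) == -1) return -errno;
    if (setgid(gid) == -1 || setuid(uid) == -1) return -errno;
    /* setuid() still cleared the effective set; re-raise just `cap` and
     * drop every other permitted bit, which can never be regained. */
    single_cap_data(cap, data);
    if (syscall(SYS_capset, &hdr, data) == -1) return -errno;
    return 0;
}
```

Without PR_SET_KEEPCAPS the setuid() call empties the permitted set and the later capset() fails with EPERM, which is the xntpd failure Peter describes.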

