Re: capable open_port() check wrong for kmem

From: carbonated beverage (
Date: Wed Dec 11 2002 - 20:38:49 EST

On Wed, Dec 11, 2002 at 04:43:48PM -0800, Chris Wright wrote:
> If you have only one capability (CAP_SYS_RAWIO), you are not owner of
> /dev/kmem, you are in group kmem, and /dev/kmem is 0640, then all you will
> get is read-only access to /dev/kmem. This does not require kernel changes.

So if I want to have a generic utility that can be used by any user (and
I'm not granting CAP_SYS_RAWIO to every process), then I can:

1) make it suid root
2) drop all caps other than cap_sys_rawio


1) add the capability to the executable, assuming it worked...

Script started on Wed Dec 11 17:29:14 2002
UB6IB9:/home/ramune/src/hack# setcap 'cap_sys_rawio=eip' ./a.out
Failed to set capabilities on file `./a.out'
 (Function not implemented)
usage: setcap [-q] (-|<caps>) <filename> [ ... (-|<capsN>) <filenameN> ]
UB6IB9:/home/ramune/src/hack# mount
/dev/hda1 on / type ext3 (rw)
proc on /proc type proc (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
UB6IB9:/home/ramune/src/hack# uname -a
Linux UB6IB9 2.4.20 #1 Sat Nov 30 20:51:01 PST 2002 i586 unknown
Script done on Wed Dec 11 17:29:31 2002

So, what am I missing?

I just have to make it suid root if I wanna use it on 2.4.x? Or is there
a problem with my setup causing setcap to fail?

-- DN
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to
More majordomo info at
Please read the FAQ at

This archive was generated by hypermail 2b29 : Sun Dec 15 2002 - 22:00:24 EST