Re: Is CAP_SYS_ADMIN checked by every program !?

[Kyle Moffett]

On Dec 28, 2004, at 23:47, Tetsuo Handa wrote:
> It seems to me that every program calls capable(CAP_SYS_ADMIN),

Umm, the program has nothing to do with this.  Programs themselves have 
no
access to the kernel function "capable".  Probably something in the 
kernel, perhaps
triggered by libc or maybe just suid checks, is checking for 
CAP_SYS_ADMIN. It's
harmless and irrelevant, why do you care?

> +       if (cap == CAP_SYS_ADMIN) {
> +               static pid_t last_pid = 0;
> +               if (current->pid != last_pid) {
> +                       printk("euid=%d uid=%d %s %s\n", 
> current->euid, current->uid, cap_raised(current->cap_effective, 
> CAP_SYS_ADMIN) ? "true" : "fa
> lse", current->comm);
> +                       last_pid = current->pid;
> +               }
> +       }

Yes, whenever anything on the computer, including the kernel, checks if 
a program
has a capability bit set, it will print out whether or not it does in 
the dmesg.  Why
does that matter?

> I can't understand why every program checks for CAP_SYS_ADMIN .
Programs aren't, the kernel is, for whatever reason.

Cheers,
Kyle Moffett

-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GCM/CS/IT/U d- s++: a18 C++++>$ UB/L/X/*++++(+)>$ P+++(++++)>$
L++++(+++) E W++(+) N+++(++) o? K? w--- O? M++ V? PS+() PE+(-) Y+
PGP+++ t+(+++) 5 X R? tv-(--) b++++(++) DI+ D+ G e->++++$ h!*()>++$ r  
!y?(-)
------END GEEK CODE BLOCK------


-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/