Re: [PATCH] sysctl: allow override of /proc/sys/net withCAP_NET_ADMIN

[Stephen Hemminger]

On Fri, 30 May 2008 18:59:26 -0700
ebiederm@xxxxxxxxxxxx (Eric W. Biederman) wrote:

> Stephen Hemminger <shemminger@xxxxxxxxxx> writes:
> 
> > Extend the permission check for networking sysctl's to allow
> > modification when current process has CAP_NET_ADMIN capability and
> > is not root. This version uses the until now unused permissions hook
> > to override the mode value for /proc/sys/net if accessed by a user
> > with capabilities.
> 
> Looks reasonable but a little incomplete.
> 
> Could you modify register_net_sysctl_table to set this attribute?
> Or alternatively all of the tables registered with register_net_sysctl.
> 
> Otherwise I this will not affect all of the sysctls under
> /proc/sys/net.  Which appears to be your intent.
> 
> > Found while working with Quagga. It is impossible to turn forwarding
> > on/off through the command interface because Quagga uses secure coding
> > practice of dropping privledges during initialization and only raising
> > via capabilities when necessary. Since the dameon has reset real/effective
> > uid after initialization, all attempts to access /proc/sys/net variables
> > will fail. 
> 
> Eric

Unnecessary, it is a property of the root, and there is only one call to register_sysctl_root
in the current code, and that registers the net_sysctl_root structure.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/