Alon Zahavi:
> For example - AWS EC2 Ubuntu 20.04 with aufs-tools installed.
>
> 1. Mount a device to any folder.
> 2. Copy any file with capabilities into that folder.
> 3. Remount the device now with nosuid and ro options.
> 4. Mount an AUFS mount where there are two branches. Make sure the
> "lower" branch is the branch with the capable file.
>
> Execution:
>
> 1. As a low-priv user cd into the AUFS root.
> 2. Execute mv capable_file _cp_capble_file
> 3. cd to the higher branch directory.
> 4. Execute the capable binary.
>
> Expected Results:
>
> When copying a capable file using a low privileged user, the file should be
> copied without any file capabilities.
It is hard for me to reproduce the problem. Here is what I am trying.

----------------------------------------
Linux jrotkm 5.14.0-rc7aufsD+ #397 SMP Mon Aug 23 16:04:40 JST 2021 x86_64 GNU/Linux
/dev/ram1 /dev/shm/ro ext2 ro,nosuid,relatime,errors=continue,user_xattr,acl 0 0
/dev/ram0 /dev/shm/rw ext3 rw,relatime,stripe=4 0 0
none /dev/shm/u aufs rw,relatime,si=66cd80fe38e1ad6a 0 0
+ cat /sys/fs/aufs/si_66cd80fe38e1ad6a/br0 /sys/fs/aufs/si_66cd80fe38e1ad6a/br1
/dev/shm/rw=rw
/dev/shm/ro=ro
+ cd ..
+ getcap -v ro/true2 u/true2
ro/true2 = cap_sys_admin+ep
u/true2 = cap_sys_admin+ep
# case 1: "cp" drops the file capability
+ cp u/true2 u/trueA
+ getcap -v rw/trueA u/trueA
rw/trueA
u/trueA
# case 2: "cp -a" also drops the file capability
+ cp -a u/true2 u/trueB
+ getcap -v rw/trueB u/trueB
rw/trueB
u/trueB
# case 3: "sudo cp" also drops the file capability
+ sudo cp u/true2 u/trueC
+ getcap -v rw/trueC u/trueC
rw/trueC
u/trueC
# case 4: "sudo cp -a" keeps the file capability
+ sudo cp -a u/true2 u/trueD
+ getcap -v rw/trueD u/trueD
rw/trueD = cap_sys_admin+ep
u/trueD = cap_sys_admin+ep
# case 5: simple copy-up keeps the file capability
+ touch ./true2
+ getcap -v ro/true2 u/true2
ro/true2 = cap_sys_admin+ep
u/true2 = cap_sys_admin+ep
----------------------------------------

All these behaviours look correct.
What am I missing?

J. R. Okajima
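The script below is an added example for this thread; it is not code posted by either participant and not part of aufs. It scripts the setup Alon Zahavi describes (a capable binary on a branch remounted ro,nosuid, a writable upper branch, an aufs union over both) and then, as an unprivileged user, runs a plain cp and the mv from his "Execution" steps inside the union, reporting with getcap whether the copy that lands on the rw branch kept its file capabilities. Everything outside the getcap-parsing helpers is an assumption: it must run as root with the aufs module loaded, it uses the hypothetical paths /dev/shm/{ro,rw,u,ro.img}, a hypothetical local user "lowpriv", and /bin/true as the binary to give capabilities to.

```shell
#!/bin/sh
# Added example, not code from the thread or from aufs. Reproduces the
# "capable file on a ro,nosuid lower branch, copied up by a low-priv mv"
# scenario and reports what getcap sees on the rw branch afterwards.
# Assumptions (hypothetical): root, aufs module loaded, /dev/shm/{ro,rw,u}
# free, user "lowpriv" exists, /bin/true present.  Usage:  sh capcheck.sh run
set -u

# caps_of LINE: print the capability string from one line of `getcap -v`.
# libcap < 2.41 prints "path = cap_x+ep", libcap >= 2.41 prints "path cap_x=ep",
# and a file without capabilities is printed as a bare "path" (paths are
# assumed to contain no spaces). An empty result means "no file capabilities".
caps_of() {
    case "$1" in
        *" = "*) printf '%s\n' "${1#* = }" ;;
        *" "*)   printf '%s\n' "${1##* }" ;;
        *)       printf '\n' ;;
    esac
}

# keeps_caps LINE: succeed if a `getcap -v` line shows a capability set.
keeps_caps() {
    [ -n "$(caps_of "$1")" ]
}

# report LABEL PATH: say whether PATH kept or dropped its file capabilities.
report() {
    line=$(getcap -v "$2")
    if keeps_caps "$line"; then
        echo "$1: $2 KEPT [$(caps_of "$line")]"
    else
        echo "$1: $2 dropped"
    fi
}

RO=/dev/shm/ro; RW=/dev/shm/rw; U=/dev/shm/u

setup() {
    mkdir -p "$RO" "$RW" "$U"
    # lower branch: small ext2 image, populated while rw, then remounted ro,nosuid
    dd if=/dev/zero of=/dev/shm/ro.img bs=1M count=8 status=none
    mkfs.ext2 -q /dev/shm/ro.img
    mount -o loop /dev/shm/ro.img "$RO"
    cp /bin/true "$RO/true2"
    setcap cap_sys_admin+ep "$RO/true2"
    mount -o remount,ro,nosuid "$RO"
    # upper branch: tmpfs, world-writable so the low-priv user may rename in the union
    mount -t tmpfs none "$RW"
    chmod 777 "$RW"
    # union: writable branch first, the ro,nosuid branch below it
    mount -t aufs -o br="$RW=rw:$RO=ro" none "$U"
}

run_cases() {
    cd /dev/shm
    report "lower branch" ro/true2
    # plain cp by an unprivileged user does not copy xattrs, and could not set
    # security.capability anyway (that needs CAP_SETFCAP)
    su lowpriv -s /bin/sh -c 'cp u/true2 u/true2.cp'
    report "low-priv cp" rw/true2.cp
    # mv of a file that lives only on the ro branch: the rename forces a
    # copy-up, which the kernel performs, not the unprivileged process
    su lowpriv -s /bin/sh -c 'mv u/true2 u/true2.mv'
    report "low-priv mv (copy-up)" rw/true2.mv
    # mount options of the branch the copied-up file now lives on
    findmnt -no OPTIONS "$RW"
}

cleanup() {
    umount "$U" "$RW" "$RO" 2>/dev/null || true
    rm -f /dev/shm/ro.img
}

if [ "${1-}" = run ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    trap cleanup EXIT
    setup
    run_cases
fi
```

The parsing helpers are the only part that does not need root; they accept both the older "path = caps" output seen in the thread and the newer libcap "path caps" layout, so the KEPT/dropped verdict does not depend on which libcap the test box ships.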