package lcap
clone 312948 -1
retitle 312948 lcap: Should warn when capabilities are not enforced
retitle -1 lcap: Produces wrong output when CAP_SYS_MODULE is removed
thanks
Capabilities do in fact change when running lcap - even if capability.ko
isn't loaded. That is, /proc/sys/kernel/cap-bound value changes - the
removed capabilities are actually enforced after running modprobe
capability.ko (the order does not matter).
The other issue you're reporting occurs only when removing
CAP_SYS_MODULE. After that, reading /proc/sys/kernel/cap-bound fails
with EPERM (operation not permitted). lcap doesn't properly handle the
error and produces a wrong output.
The attached patch fixes the second issue. Note that I've also moved the
usage() checks before the attempts to read cap-bound; I think it's saner
that way.
Regards,
Faidon
diff -Nur lcap-0.0.6/lcap.c lcap-void/lcap.c
--- lcap-0.0.6/lcap.c 2005-08-15 09:04:31.000000000 +0300
+++ lcap-void/lcap.c 2005-08-15 08:59:37.000000000 +0300
@@ -184,16 +186,6 @@
int option;
short checkflag=0, errorflag=0, verboseflag=0, zeroflag=0;
- /* open the /proc file */
- if ((fptr=fopen(PROC_CAP, "r")) == NULL)
- {
- perror(PROC_CAP);
- exit(errno);
- };
- /* snag the current setting */
- fscanf(fptr, "%d", &caps);
- fclose(fptr);
-
while ((option=getopt(argc, argv, "chvz")) != -1)
{
switch (option)
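Review bot: with the open/fscanf of PROC_CAP moved below the getopt loop, `caps` is uninitialised while options are being parsed, so check that none of the `case` branches of this switch (not visible in the hunk) reads `caps`; if one does, either keep the read before the loop or have that branch defer its work until after the read. Otherwise the reordering is sound: a usage error or help request should not require a successful read of cap-bound, which is exactly the path that fails with EPERM once CAP_SYS_MODULE has been dropped.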
@@ -222,6 +214,20 @@
exit(1);
};
+ /* open the /proc file */
+ if ((fptr=fopen(PROC_CAP, "r")) == NULL)
+ {
+ perror(PROC_CAP);
+ exit(errno);
+ };
+ /* snag the current setting */
+ if ((fscanf(fptr, "%d", &caps)) == EOF)
+ {
+ perror(PROC_CAP);
+ exit(errno);
+ };
+ fclose(fptr);
+
if (argc == 1)
{
listcaps(caps);
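Review bot: `if ((fscanf(fptr, "%d", &caps)) == EOF)` only catches the read-error case; fscanf returns 0, not EOF, when the file opens but does not begin with an integer, and `caps` then reaches `listcaps(caps)` uninitialised. Test `!= 1` instead, and because a 0 return does not set errno, `exit(errno)` can terminate with status 0 on that path; set errno (e.g. EINVAL) or use a fixed non-zero status before the perror/exit pair. Minor: the `};` after both `if` blocks is an empty statement and should be `}`, and the error path skips `fclose(fptr)`, which is harmless at exit but inconsistent with the success path.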
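As an added illustration of the hardened read the patch is aiming for (not lcap's code and not part of Faidon's patch), the helper below distinguishes a kernel-reported read error such as the EPERM described above from a malformed or empty file, and never leaves the caller's value uninitialised. `parse_cap_bound` and `read_cap_bound` are hypothetical names; `/proc/sys/kernel/cap-bound` exists only on older kernels, so on a modern system `main` will simply report the open failure.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: read the capability bounding set from an open
 * stream (normally /proc/sys/kernel/cap-bound).  Returns 0 and stores
 * the value in *caps on success; returns -1 with errno set on failure.
 * A read error keeps the kernel's errno (EPERM in the report above);
 * an empty or non-numeric file yields EINVAL instead of exit status 0. */
int parse_cap_bound(FILE *fp, int *caps)
{
    int rc;

    errno = 0;
    rc = fscanf(fp, "%d", caps);
    if (rc == 1)
        return 0;               /* one integer matched */
    /* rc == EOF with errno set: the read itself failed.
     * rc == EOF with errno 0: empty file.  rc == 0: not an integer. */
    if (rc == EOF && errno != 0)
        return -1;
    errno = EINVAL;
    return -1;
}

/* Open the proc file, parse it, and close it on every path while
 * preserving the errno that describes the failure. */
int read_cap_bound(const char *path, int *caps)
{
    FILE *fp = fopen(path, "r");
    int rc, saved;

    if (fp == NULL)
        return -1;              /* errno set by fopen */
    rc = parse_cap_bound(fp, caps);
    saved = errno;
    fclose(fp);
    errno = saved;
    return rc;
}

int main(void)
{
    int caps;

    if (read_cap_bound("/proc/sys/kernel/cap-bound", &caps) != 0) {
        fprintf(stderr, "/proc/sys/kernel/cap-bound: %s\n", strerror(errno));
        return 1;
    }
    printf("cap-bound = %d\n", caps);
    return 0;
}
```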