On Friday October 3 2008 12:39:01 am Robert Connolly wrote:
> On Friday October 3 2008 12:12:15 am Robert Connolly wrote:
> > Another suid-root dropped:
> >
> > chmod -s /bin/su
> > setcap CAP_DAC_READ_SEARCH,CAP_SETUID,CAP_SETGID=ep /bin/su
> >
> > robert
>
> /bin/su seems to want to reset the gid, and probably the uid, of
> /etc/shadow, according to strace.
>
> Regardless of the comments in /usr/include/linux/capability.h, it looks
> like CAP_DAC_READ_SEARCH allows writing to /etc/shadow.
>
> If I remove CAP_DAC_READ_SEARCH, and make /etc/shadow group
> read/writable, /bin/su works. Each has pros and cons, and I don't know
> which is better.
>
> This might be a bug in CAP_DAC_READ_SEARCH... somehow FOWNER was mixed in.
>
> Opinions, debug help?
>
> robert
Sorry, but to clarify: if /bin/su has CAP_DAC_READ_SEARCH, the permissions on /etc/shadow can remain read-only by root. Removing CAP_DAC_READ_SEARCH gives a setgid error... strace isn't clear, but I think the error is caused by /etc/shadow's write permissions.

robert
--
http://linuxfromscratch.org/mailman/listinfo/hlfs-dev
FAQ: http://www.linuxfromscratch.org/faq/
Unsubscribe: See the above information page
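Added example (not code from the thread or from HLFS): a small Python codec for the security.capability xattr that setcap(8) writes, so the setcap line quoted above can be checked byte for byte against what getcap(8) or os.getxattr return on a binary. The capability numbers and the struct vfs_cap_data layout are taken from <linux/capability.h>; the sample spec is the one from the post, and everything else (function names, the DAC summary) is this example's own. One caveat worth having next to the thread, per capabilities(7): CAP_DAC_READ_SEARCH bypasses only file read and directory read/search checks, and it is CAP_DAC_OVERRIDE that bypasses write checks, so the xattr encoded below lets su read a 0600 root-owned /etc/shadow but grants no write bypass.

```python
"""Encode and decode the security.capability xattr written by setcap(8).

Added example for the hlfs-dev thread above; not code from the thread or
from HLFS. Constants come from <linux/capability.h>; the sample spec is the
setcap line quoted in the post.
"""
import os
import struct

# Capability numbers from <linux/capability.h> (a subset is enough here).
CAP_NAMES = {
    "cap_chown": 0,
    "cap_dac_override": 1,     # bypasses read/write/execute DAC checks
    "cap_dac_read_search": 2,  # bypasses read and directory search checks only
    "cap_fowner": 3,
    "cap_setgid": 6,
    "cap_setuid": 7,
}
CAP_NUMBERS = {n: name for name, n in CAP_NAMES.items()}

# struct vfs_cap_data magic word.
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_REVISION_2 = 0x02000000     # 20 bytes: magic + two 64-bit cap sets
VFS_CAP_REVISION_3 = 0x03000000     # v2 plus a 32-bit rootid (Linux 4.14+)
VFS_CAP_FLAGS_EFFECTIVE = 0x000001  # "e": all permitted caps raised on exec


def cap_name(n):
    """Name for capability number n; unknown numbers print as the number."""
    return CAP_NUMBERS.get(n, str(n))


def parse_setcap_spec(spec):
    """Parse a clause such as 'CAP_DAC_READ_SEARCH,CAP_SETUID=ep'.

    Returns (permitted, inheritable, effective). Only setcap's '=' operator
    is handled here; '+' and '-' are not.
    """
    names, sep, flags = spec.partition("=")
    if not sep:
        raise ValueError("only the 'caps=flags' form is supported: %r" % spec)
    mask = 0
    for name in names.split(","):
        mask |= 1 << CAP_NAMES[name.strip().lower()]
    flags = set(flags.strip().lower())
    unknown = flags - {"e", "i", "p"}
    if unknown:
        raise ValueError("unknown flag(s): %s" % "".join(sorted(unknown)))
    permitted = mask if "p" in flags else 0
    inheritable = mask if "i" in flags else 0
    effective = "e" in flags
    # In the v2/v3 xattr 'effective' is one flag over the whole permitted
    # set, so 'e' without 'p' has nothing to apply to.
    if effective and not permitted:
        raise ValueError("'e' requires 'p' in this format")
    return permitted, inheritable, effective


def encode_vfs_cap(permitted, inheritable, effective, rootid=None):
    """Build the raw xattr value: little-endian struct vfs_cap_data."""
    magic = VFS_CAP_REVISION_3 if rootid is not None else VFS_CAP_REVISION_2
    if effective:
        magic |= VFS_CAP_FLAGS_EFFECTIVE
    raw = struct.pack("<5I", magic,
                      permitted & 0xFFFFFFFF, inheritable & 0xFFFFFFFF,
                      (permitted >> 32) & 0xFFFFFFFF, (inheritable >> 32) & 0xFFFFFFFF)
    if rootid is not None:
        raw += struct.pack("<I", rootid)
    return raw


def decode_vfs_cap(raw):
    """Inverse of encode_vfs_cap: (permitted, inheritable, effective, rootid)."""
    if len(raw) < 20:
        raise ValueError("security.capability value too short")
    magic, p_lo, i_lo, p_hi, i_hi = struct.unpack_from("<5I", raw, 0)
    revision = magic & VFS_CAP_REVISION_MASK
    if revision == VFS_CAP_REVISION_2 and len(raw) == 20:
        rootid = None
    elif revision == VFS_CAP_REVISION_3 and len(raw) == 24:
        rootid = struct.unpack_from("<I", raw, 20)[0]
    else:
        raise ValueError("unsupported revision 0x%08x / length %d" % (revision, len(raw)))
    return (p_lo | (p_hi << 32), i_lo | (i_hi << 32),
            bool(magic & VFS_CAP_FLAGS_EFFECTIVE), rootid)


def cap_text(permitted, inheritable, effective):
    """Render the sets in getcap(8) style, e.g. 'cap_setgid,cap_setuid=ep'."""
    groups = {}
    for n in range(64):
        bit = 1 << n
        flags = ("e" if effective and permitted & bit else "") + \
                ("i" if inheritable & bit else "") + ("p" if permitted & bit else "")
        if flags:
            groups.setdefault(flags, []).append(n)
    return " ".join("%s=%s" % (",".join(cap_name(n) for n in ns), f)
                    for f, ns in sorted(groups.items()))


def dac_bypass(permitted):
    """DAC checks a process with this permitted set may ignore (capabilities(7)):
    read and search from CAP_DAC_READ_SEARCH; write needs CAP_DAC_OVERRIDE."""
    bypass = set()
    if permitted & (1 << CAP_NAMES["cap_dac_read_search"]):
        bypass |= {"read", "search"}
    if permitted & (1 << CAP_NAMES["cap_dac_override"]):
        bypass |= {"read", "write", "execute", "search"}
    return bypass


if __name__ == "__main__":
    spec = "CAP_DAC_READ_SEARCH,CAP_SETUID,CAP_SETGID=ep"  # the post's setcap line
    p, i, e = parse_setcap_spec(spec)
    raw = encode_vfs_cap(p, i, e)
    print(spec, "->", raw.hex())
    print("decoded:", cap_text(*decode_vfs_cap(raw)[:3]))
    print("DAC checks bypassed:", sorted(dac_bypass(p)))
    # On Linux the xattr is readable without privilege, as getcap(8) does it.
    for path in ("/bin/su", "/usr/bin/ping"):
        try:
            stored = os.getxattr(path, "security.capability")
            print(path, cap_text(*decode_vfs_cap(stored)[:3]))
        except (OSError, AttributeError):
            print(path, "no file capabilities (or not Linux)")
```

Run it as root after the setcap line from the post and the /bin/su line should print exactly the clause you set; run it as an ordinary user before and after to confirm that reading the xattr needs no privilege, which is also why file capabilities are visible to anyone auditing a box for root-equivalent binaries (CAP_SETUID alone on a world-executable file is one).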