-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
[I've droped lkml]
KaiGai Kohei wrote:
>> But !cap_xxx is a bit misunderstandable for me. Someone may misunderstand
>> this line means any capabilities except for cap_xxx.
I like '!', but you're going to code it... ;-) I can live with b:.
>> Thus, I think that using "b:" and omittable "i:" prefix is better than "!".
>> In addition, what is your opinion about using "-b:" and "-i:" to represent
>> dropping capabilities currently they have?
I'd prefer something simple:
i: set inheritable exactly (don't retain any other than these)
b: drop exactly these (leave the others untouched)
>> There is one more uncertain case.
>> When a user belongs to several groups with capabilities configuration,
>> what capabilities are to be attached for the user?
>
>> e.g) When kaigai belong to @pingers and @paccters
>
>> b:cap_sys_pacct @paccters
>> b:cap_net_raw @pingers
>> -b:cap_dac_override,cap_net_raw kaigai
The pam_cap module currently just accepts the first valid 'i:'(sic)
entry for the user. Since groups are not supported, this made sense.
With support for groups, I can see a compelling case for "OR". So, if
you want to support an "OR" policy, I say go for it.
Cheers
Andrew
>
>> If we apply "OR" policy, kaigai get only cap_sys_pacct, because
>> he got cap_sys_pacct and cap_net_raw came from @paccters and @pingers
>> but cap_dac_override and cap_net_raw are dropped by the third line.
>
>> Thanks,
>
> Cheers
>
> Andrew
>
>>>> Thanks,
>>>>
>>>>> Cheers
>>>>>
>>>>> Andrew
>>>>>
>>>>> [EMAIL PROTECTED] wrote:
>>>>>> Quoting KaiGai Kohei ([EMAIL PROTECTED]):
>>>>>>> Serge E. Hallyn wrote:
>>>>>>>> The capability bounding set is a set beyond which capabilities
>>>>>>>> cannot grow. Currently cap_bset is per-system. It can be
>>>>>>>> manipulated through sysctl, but only init can add capabilities.
>>>>>>>> Root can remove capabilities. By default it includes all caps
>>>>>>>> except CAP_SETPCAP.
>>>>>>> Serge,
>>>>>>>
>>>>>>> This feature makes me being interested in.
>>>>>>> I think you intend to apply this feature for the primary process
>>>>>>> of security container.
>>>>>>> However, it is also worthwhile to apply when a session is starting
>>>>>>> up.
>>>>>>>
>>>>>>> The following PAM module enables to drop capability bounding bit
>>>>>>> specified by the fifth field in /etc/passwd entry.
>>>>>>> This code is just an example now, but considerable feature.
>>>>>>>
>>>>>>> build and install:
>>>>>>> # gcc -Wall -c pam_cap_drop.c
>>>>>>> # gcc -Wall -shared -Xlinker -x -o pam_cap_drop.so pam_cap_drop.o
>>>>>>> -lpam
>>>>>>> # cp pam_cap_drop.so /lib/security
>>>>>>>
>>>>>>> modify /etc/passwd as follows:
>>>>>>>
>>>>>>> tak:x:1004:100:cap_drop=cap_net_raw,cap_chown:/home/tak:/bin/bash
>>>>>>> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>>>>>>> example:
>>>>>>> [EMAIL PROTECTED] ~]$ ping 192.168.1.1
>>>>>>> PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
>>>>>>> 64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=1.23 ms
>>>>>>> 64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 time=1.02 ms
>>>>>>>
>>>>>>> --- 192.168.1.1 ping statistics ---
>>>>>>> 2 packets transmitted, 2 received, 0% packet loss, time 999ms
>>>>>>> rtt min/avg/max/mdev = 1.023/1.130/1.237/0.107 ms
>>>>>>>
>>>>>>> [EMAIL PROTECTED] ~]$ ssh [EMAIL PROTECTED]
>>>>>>> [EMAIL PROTECTED]'s password:
>>>>>>> Last login: Sat Dec 1 10:09:29 2007 from masu.myhome.cx
>>>>>>> [EMAIL PROTECTED] ~]$ export LANG=C
>>>>>>> [EMAIL PROTECTED] ~]$ ping 192.168.1.1
>>>>>>> ping: icmp open socket: Operation not permitted
>>>>>>>
>>>>>>> [EMAIL PROTECTED] ~]$ su
>>>>>>> Password:
>>>>>>> pam_cap_bset[6921]: user root does not have 'cap_drop=' property
>>>>>>> [EMAIL PROTECTED] tak]# cat /proc/self/status | grep ^Cap
>>>>>>> CapInh: 0000000000000000
>>>>>>> CapPrm: 00000000ffffdffe
>>>>>>> CapEff: 00000000ffffdffe
>>>>>>> [EMAIL PROTECTED] tak]#
>>>>>> Neat. A bigger-stick version of not adding the account to
>>>>>> group wheel. I'll use that.
>>>>>>
>>>>>> Is there any reason not to have a separate /etc/login.capbounds
>>>>>> config file, though, so the account can still have a full name?
>>>>>> Did you only use that for convenience of proof of concept, or
>>>>>> is there another reason?
>>>>>>
>>>>>>> # BTW, I replaced the James's address in the Cc: list,
>>>>>>> # because MTA does not accept it.
>>>>>> Thanks! I don't know what happened to my alias for him...
>>>>>>
>>>>>> thanks,
>>>>>> -serge
>>>>>>
>>>>>>> --
>>>>>>> KaiGai Kohei <[EMAIL PROTECTED]>
>>>>>>>
>>>>>>> ************************************************************
>>>>>>> pam_cap_drop.c
>>>>>>> ************************************************************
>>>>>>>
>>>>>>> /*
>>>>>>> * pam_cap_drop.c module -- drop capabilities bounding set
>>>>>>> *
>>>>>>> * Copyright: 2007 KaiGai Kohei <[EMAIL PROTECTED]>
>>>>>>> */
>>>>>>>
>>>>>>> #include <errno.h>
>>>>>>> #include <pwd.h>
>>>>>>> #include <stdlib.h>
>>>>>>> #include <stdio.h>
>>>>>>> #include <string.h>
>>>>>>> #include <syslog.h>
>>>>>>> #include <sys/prctl.h>
>>>>>>> #include <sys/types.h>
>>>>>>>
>>>>>>> #include <security/pam_modules.h>
>>>>>>>
>>>>>>> #ifndef PR_CAPBSET_DROP
>>>>>>> #define PR_CAPBSET_DROP 24
>>>>>>> #endif
>>>>>>>
>>>>>>> static char *captable[] = {
>>>>>>> "cap_chown",
>>>>>>> "cap_dac_override",
>>>>>>> "cap_dac_read_search",
>>>>>>> "cap_fowner",
>>>>>>> "cap_fsetid",
>>>>>>> "cap_kill",
>>>>>>> "cap_setgid",
>>>>>>> "cap_setuid",
>>>>>>> "cap_setpcap",
>>>>>>> "cap_linux_immutable",
>>>>>>> "cap_net_bind_service",
>>>>>>> "cap_net_broadcast",
>>>>>>> "cap_net_admin",
>>>>>>> "cap_net_raw",
>>>>>>> "cap_ipc_lock",
>>>>>>> "cap_ipc_owner",
>>>>>>> "cap_sys_module",
>>>>>>> "cap_sys_rawio",
>>>>>>> "cap_sys_chroot",
>>>>>>> "cap_sys_ptrace",
>>>>>>> "cap_sys_pacct",
>>>>>>> "cap_sys_admin",
>>>>>>> "cap_sys_boot",
>>>>>>> "cap_sys_nice",
>>>>>>> "cap_sys_resource",
>>>>>>> "cap_sys_time",
>>>>>>> "cap_sys_tty_config",
>>>>>>> "cap_mknod",
>>>>>>> "cap_lease",
>>>>>>> "cap_audit_write",
>>>>>>> "cap_audit_control",
>>>>>>> "cap_setfcap",
>>>>>>> NULL,
>>>>>>> };
>>>>>>>
>>>>>>>
>>>>>>> PAM_EXTERN int
>>>>>>> pam_sm_open_session(pam_handle_t *pamh, int flags,
>>>>>>> int argc, const char **argv)
>>>>>>> {
>>>>>>> struct passwd *pwd;
>>>>>>> char *pos, *buf;
>>>>>>> char *username = NULL;
>>>>>>>
>>>>>>> /* open system logger */
>>>>>>> openlog("pam_cap_bset", LOG_PERROR | LOG_PID, LOG_AUTHPRIV);
>>>>>>>
>>>>>>> /* get the unix username */
>>>>>>> if (pam_get_item(pamh, PAM_USER, (void *) &username) !=
>>>>>>> PAM_SUCCESS || !username)
>>>>>>> return PAM_USER_UNKNOWN;
>>>>>>>
>>>>>>> /* get the passwd entry */
>>>>>>> pwd = getpwnam(username);
>>>>>>> if (!pwd)
>>>>>>> return PAM_USER_UNKNOWN;
>>>>>>>
>>>>>>> /* Is there "cap_drop=" ? */
>>>>>>> pos = strstr(pwd->pw_gecos, "cap_drop=");
>>>>>>> if (pos) {
>>>>>>> buf = strdup(pos + sizeof("cap_drop=") - 1);
>>>>>>> if (!buf)
>>>>>>> return PAM_SESSION_ERR;
>>>>>>> pos = strtok(buf, ",");
>>>>>>> while (pos) {
>>>>>>> int rc, i;
>>>>>>>
>>>>>>> for (i=0; captable[i]; i++) {
>>>>>>> if (!strcmp(pos, captable[i])) {
>>>>>>> rc = prctl(PR_CAPBSET_DROP, i);
>>>>>>> if (rc < 0) {
>>>>>>> syslog(LOG_NOTICE, "user %s could not drop
>>>>>>> %s (%s)",
>>>>>>> username, captable[i],
>>>>>>> strerror(errno));
>>>>>>> break;
>>>>>>> }
>>>>>>> syslog(LOG_NOTICE, "user %s drops %s\n",
>>>>>>> username, captable[i]);
>>>>>>> goto next;
>>>>>>> }
>>>>>>> }
>>>>>>> break;
>>>>>>> next:
>>>>>>> pos = strtok(NULL, ",");
>>>>>>> }
>>>>>>> free(buf);
>>>>>>> } else {
>>>>>>> syslog(LOG_NOTICE, "user %s does not have 'cap_drop='
>>>>>>> property", username);
>>>>>>> }
>>>>>>> return PAM_SUCCESS;
>>>>>>> }
>>>>>>>
>>>>>>> PAM_EXTERN int
>>>>>>> pam_sm_close_session(pam_handle_t *pamh, int flags,
>>>>>>> int argc, const char **argv)
>>>>>>> {
>>>>>>> /* do nothing */
>>>>>>> return PAM_SUCCESS;
>>>>>>> }
>>>>>>>
>>>>>>> ************************************************************
>>>>>>> -
>>>>>>> To unsubscribe from this list: send the line "unsubscribe
>>>>>>> linux-security-module" in
>>>>>>> the body of a message to [EMAIL PROTECTED]
>>>>>>> More majordomo info at http://vger.kernel.org/majordomo-info.html
>>>>>
- -
To unsubscribe from this list: send the line "unsubscribe
linux-security-module" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
>>
>>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFHU6kj+bHCR3gb8jsRAurSAJ9wcNfrH4jLc+1A1UxGDrYrBsEe8QCgwsbD
fIlVTt6CFSzicJ+2foXorXA=
=/bvL
-----END PGP SIGNATURE-----
-
To unsubscribe from this list: send the line "unsubscribe
linux-security-module" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
