Bug#439873: libcap-bin: sucap not useful on 2.6 kernels?

2007-08-28 Thread Steve Langasek
Package: libcap-bin
Version: 1:1.10-14
Severity: important

Hi Michael,

I've been trying to evaluate the status of the POSIX capability patch that's
included in the Debian PAM package in relation to bug #153157, and I'm
having some serious doubts that the libcap-bin programs actually work:

$ su
Password: 
# /sbin/getpcaps $$
Capabilities for `13995': =ep cap_setpcap-ep
# sucap vorlon vorlon /bin/bash
Caps: =ep cap_setpcap-ep
Caps: =
[debug] uid:1000, real uid:1000
sucaps: capsetp: Operation not permitted
sucap: child did not exit cleanly.
#

Is this related to the fact that all of these processes seem to have an
empty set of inheritable capabilities?  Is it a general problem of
capabilities support in recent kernels?

From what I see, if I can't set an inheritable capability, capability
support in pam_limits isn't much use and should be dropped.

Thanks,
-- 
Steve Langasek   Give me a lever long enough and a Free OS
Debian Developer   to set it on, and I can move the world.
[EMAIL PROTECTED]   http://www.debian.org/


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Bug#439873: libcap-bin: sucap not useful on 2.6 kernels?

2007-08-28 Thread Steve Langasek
Here's a different attempt:

# execcap all+eip cap_setpcap-eip /bin/bash
# /sbin/getpcaps $$
Capabilities for `15044': =eip cap_setpcap-eip
# sucap vorlon vorlon /bin/bash
Caps: =eip cap_setpcap-eip
Caps: =i cap_setpcap-i
[debug] uid:1000, real uid:1000
sucaps: capsetp: Operation not permitted
sucap: child did not exit cleanly.
#

So as root I can manually spawn a shell that has the inheritable bits set,
but when running sucap, *only* the inheritable bits are copied, the
effective/permitted bits are not, so trying to set them in the child process
fails.  Looks broken to me?

Thanks,
-- 
Steve Langasek   Give me a lever long enough and a Free OS
Debian Developer   to set it on, and I can move the world.
[EMAIL PROTECTED]   http://www.debian.org/
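An added model of the 2.6-era kernel rules behind the "Caps:" lines quoted above (not code from libcap-bin or from the thread): dropping from uid 0 and exec'ing without file capabilities both leave only the inheritable set, and capset() on another pid required CAP_SETPCAP, which the root shell shown ("=ep cap_setpcap-ep") does not hold. The capability universe and bounding set are a constructed subset.

```python
"""Capability transitions on Linux 2.6 before file capabilities (2.6.0 to 2.6.23).
Constructed model, not libcap-bin code; it reproduces the 'Caps:' lines and the EPERM above."""
from dataclasses import dataclass

ALL = frozenset({"cap_chown", "cap_setuid", "cap_setpcap", "cap_net_bind_service"})  # constructed subset
EMPTY = frozenset()
BSET = ALL - {"cap_setpcap"}  # cap_bset defaulted to CAP_INIT_EFF_SET: everything but CAP_SETPCAP

@dataclass(frozen=True)
class Caps:
    effective: frozenset
    permitted: frozenset
    inheritable: frozenset

    def text(self):
        """Approximation of cap_to_text(3): '=' plus the majority flags, then the exceptions."""
        sets = (("e", self.effective), ("i", self.inheritable), ("p", self.permitted))
        flag_of = {c: "".join(f for f, s in sets if c in s) for c in ALL}
        base = max(flag_of.values(), key=list(flag_of.values()).count)
        parts = ["=" + base]
        for cap in sorted(c for c in ALL if flag_of[c] != base):
            missing = "".join(f for f in base if f not in flag_of[cap])
            extra = "".join(f for f in flag_of[cap] if f not in base)
            parts.append(cap + (f"-{missing}" if missing else "") + (f"+{extra}" if extra else ""))
        return " ".join(parts)

def drop_to_uid(proc, keep_caps=False):
    """setuid() from uid 0 to non-zero: effective is cleared, and permitted too unless the
    process set PR_SET_KEEPCAPS; the inheritable set is untouched either way."""
    return Caps(EMPTY, proc.permitted if keep_caps else EMPTY, proc.inheritable)

def exec_without_file_caps(proc, euid, ruid, bset=BSET):
    """execve() with the kernel's synthesised file sets (full for a program run or owned by
    root, empty otherwise):  P' = (fP & bset) | (I & fI);  E' = P' & fE;  I' = I."""
    f_inh = f_perm = ALL if (euid == 0 or ruid == 0) else EMPTY
    f_eff = ALL if euid == 0 else EMPTY
    permitted = (f_perm & bset) | (proc.inheritable & f_inh)
    return Caps(permitted & f_eff, permitted, proc.inheritable)

def capsetp_allowed(caller):
    """capset() on another pid required CAP_SETPCAP in the caller's effective set."""
    return "cap_setpcap" in caller.effective

ROOT_SHELL = Caps(BSET, BSET, EMPTY)    # "=ep cap_setpcap-ep", the first transcript
EXECCAP_SHELL = Caps(BSET, BSET, BSET)  # "=eip cap_setpcap-eip", the execcap transcript

if __name__ == "__main__":
    for shell in (ROOT_SHELL, EXECCAP_SHELL):
        child = exec_without_file_caps(drop_to_uid(shell), euid=1000, ruid=1000)
        print(shell.text(), "->", child.text(), "| capsetp:", "ok" if capsetp_allowed(shell) else "EPERM")
```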
