Hi!

While hacking on my srvtools (something similar to the vserver user space
tools, but with a different design), I made a frightening discovery:

[EMAIL PROTECTED]:/# reducecap --secure /bin/sh -c 'getpcaps $$'
Executing
Capabilities for `11054': =eip cap_setpcap-eip
[EMAIL PROTECTED]:/# execcap = /bin/sh -c 'getpcaps $$'
Capabilities for `11084': =ep cap_setpcap-ep
[EMAIL PROTECTED]:/# cat /proc/sys/kernel/cap-bound
0
[EMAIL PROTECTED]:/# uname -r
2.4.21-hybrid-1

This is exactly the same as on a capability-disabled system (where I'd
actually expect that behaviour):

[EMAIL PROTECTED]:~# execcap = /bin/sh -c 'getpcaps $$'
Capabilities for `29497': =ep cap_setpcap-ep
[EMAIL PROTECTED]:~# cat /proc/sys/kernel/cap-bound
-257

Actually one of my services ("virtual servers") is running with FULL root
privileges now:

[EMAIL PROTECTED]:/# getpcaps `vps auxww |grep '[ ]/bin/clockspeed'|tr -s ' '|cut -d ' ' -f 1`
Capabilities for `root': =eip cap_setpcap-eip

What the hell has happened to POSIX capability support in the latest 2.4
kernels?

PS: Yes, 'reducecap --show' does give the same output as 'getpcaps $$', only
in a much more verbose fashion.

CU/Lnx Sascha
--
Registered Linux User #77587 (http://counter.li.org/)
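Added example, not part of the original message or of srvtools: a small Python check that decodes a cap-bound value and a getpcaps capability string and lists the permitted capabilities that lie outside the bounding set, which is the mismatch the message reports. The function names are made up for this example, the capability numbering is the 2.4 one (0 to 28), and treating every capability outside cap-bound as unexpected is an assumption taken from the message; the check reports the mismatch, not its cause.

```python
import re

# Capability numbers as defined for 2.4 kernels (bit index = position in list).
CAPS = ("chown dac_override dac_read_search fowner fsetid kill setgid setuid "
        "setpcap linux_immutable net_bind_service net_broadcast net_admin "
        "net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace "
        "sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time "
        "sys_tty_config mknod lease").split()
ALL = (1 << len(CAPS)) - 1

def bound_mask(value):
    """cap-bound is printed as a signed int; reinterpret it as a bitmask."""
    return int(value) & ALL

def parse_cap_text(text):
    """Evaluate libcap text such as '=eip cap_setpcap-eip' into e/i/p masks."""
    sets = {"e": 0, "i": 0, "p": 0}
    for clause in text.split():
        m = re.fullmatch(r"([a-z_,]*)((?:[=+-][eip]*)+)", clause)
        if not m:
            raise ValueError("bad clause: %r" % clause)
        names = [n for n in m.group(1).split(",") if n]
        if not names or names == ["all"]:
            mask = ALL                 # an empty name list means every capability
        else:
            mask = 0
            for n in names:
                mask |= 1 << CAPS.index(n.replace("cap_", "", 1))
        for op, flags in re.findall(r"([=+-])([eip]*)", m.group(2)):
            if op == "=":              # '=' clears the caps in every set first
                for f in sets:
                    sets[f] &= ~mask
            for f in flags:
                sets[f] = sets[f] & ~mask if op == "-" else sets[f] | mask
    return sets

def outside_bound(cap_text, cap_bound):
    """Names of permitted capabilities that the bounding set does not allow."""
    extra = parse_cap_text(cap_text)["p"] & ~bound_mask(cap_bound)
    return [CAPS[i] for i in range(len(CAPS)) if extra >> i & 1]

# Values copied from the two sessions in the message above.
if __name__ == "__main__":
    for text, bound in (("=eip cap_setpcap-eip", "0"), ("=ep cap_setpcap-ep", "-257")):
        print(bound, len(outside_bound(text, bound)), "capabilities outside bound")
```

With the values from the first session (cap-bound 0) every permitted capability is reported; with the second (cap-bound -257, all bits set except CAP_SETPCAP) the list is empty.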