Posting via the gmane.org news gate does not seem to work, so I'm reposting manually.
While hacking on my srvtools (something similar to the vserver user space
tools, but with a different design), I made a frightening discovery:
[EMAIL PROTECTED]:/# reducecap --secure /bin/sh -c 'getpcaps $$' Executing Capabilities for `11054': =eip cap_setpcap-eip [EMAIL PROTECTED]:/# execcap = /bin/sh -c 'getpcaps $$' Capabilities for `11084': =ep cap_setpcap-ep [EMAIL PROTECTED]:/# cat /proc/sys/kernel/cap-bound 0 [EMAIL PROTECTED]:/# uname -r 2.4.21-hybrid-1
This is exactly the same as on a capability-disabled system (where I'd actually
expect that behaviour):
[EMAIL PROTECTED]:~# execcap = /bin/sh -c 'getpcaps $$' Capabilities for `29497': =ep cap_setpcap-ep [EMAIL PROTECTED]:~# cat /proc/sys/kernel/cap-bound -257
Actually one of my services ("virtual servers") is running with FULL root
privileges now:
[EMAIL PROTECTED]:/# getpcaps `vps auxww |grep '[ ]/bin/clockspeed'|tr -s ' '|cut -d ' ' -f 1`
Capabilities for `root': =eip cap_setpcap-eip
What the hell has happened to POSIX capability support in the latest 2.4 kernels?
PS: Yes, 'reducecap --show' does give the same output as 'getpcaps $$', only
in a much more verbose fashion.
CU/Lnx Sascha
-- Registered Linux User #77587 (http://counter.li.org/)
bomb terrorist afghanistan PGP encrypt CIA FBI BND MAD StaSi anschlag strike sex pussy xxx kill bj hitler Gates MS Windows ZV ZDV
pgp00000.pgp
Description: PGP signature
