[rsbac] Missing CAPs are not logged
Thomas Mueller
news-exp-jul05 at tmueller.com
Wed Jan 19 23:25:14 CET 2005
Hi,
yesterday I upgraded from kernel 2.6.9 with RSBAC 1.2.3bf7 to kernel
2.6.10 with RSBAC 1.2.3bf11.
From that moment on exim's queue runner didn't work anymore - a
setgroups() call failed. I've only allowed capability NET_BIND_SERVICE
(00000000000000000010000000000).
With NET_BIND_SERVICE and SET_GID everything works fine now.
I have two questions:
- why did exim work in the past? it never had CAP_SETGID so it
seems as if RSBAC never checked the capabilities before,
but there's nothing mentioned on the bugfix page
- why aren't missing capabilities logged? there was a similar
question before:
http://www.rsbac.org/pipermail/rsbac/2002-April/000158.html
exim worked in RSBAC softmode but not without softmode but
I got no log message - it took me hours to find out what's
wrong
Thanks!
Thomas