[rsbac] Missing CAPs are not logged

Thomas Mueller news-exp-jul05 at tmueller.com
Wed Jan 19 23:25:14 CET 2005


Hi,

yesterday I upgraded from kernel 2.6.9 with RSBAC 1.2.3bf7 to kernel 
2.6.10 with RSBAC 1.2.3bf11.

From that moment on exim's queue runner didn't work anymore - a 
setgroups() call failed. I've only allowed capability NET_BIND_SERVICE 
(00000000000000000010000000000).
With NET_BIND_SERVICE and SET_GID everything works fine now.

I have two questions:
- why did exim work in the past? it never had CAP_SETGID so it
   seems as if RSBAC never checked the capabilities before,
   but there's nothing mentioned on the bugfix page
- why aren't missing capabilities logged? there was a similar
   question before:
   http://www.rsbac.org/pipermail/rsbac/2002-April/000158.html
   exim worked in RSBAC softmode but not without softmode but
   I got no log message - it took me hours to find out what's
   wrong

Thanks!

Thomas


