[rsbac] Missing CAPs are not logged
Amon Ott
ao at rsbac.org
Thu Jan 20 09:27:37 CET 2005
On Wednesday 19 January 2005 23:25, Thomas Mueller wrote:
> yesterday I upgraded from kernel 2.6.9 with RSBAC 1.2.3bf7 to kernel
> 2.6.10 with RSBAC 1.2.3bf11.
>
> From that moment on exim's queue runner didn't work anymore - a
> setgroups() call failed. I've only allowed capability NET_BIND_SERVICE
> (00000000000000000010000000000).
> With NET_BIND_SERVICE and SET_GID everything works fine now.
There is no real difference.
> I have two questions:
> - why did exim work in the past? it never had CAP_SETGID so it
> seems as if RSBAC never checked the capabilities before,
> but there's nothing mentioned on the bugfix page
I cannot answer this, it should not have worked.
> - why aren't missing capabilities logged? there was a similar
> question before:
> http://www.rsbac.org/pipermail/rsbac/2002-April/000158.html
> exim worked in RSBAC softmode but not without softmode but
> I got no log message - it took me hours to find out what's
> wrong
This problem has hit more people before. I have added a paragraph to
the official CAP module description about what it does and why
missing caps cannot be logged:
On each setuid and execute, the CAP module sets the given minimum caps
and removes those not in the maximum set. The values changed are the
standard Linux capability values in the process task struct. This
means that the RSBAC CAP module (like PAX and RES) is only an
administration helper for existing Linux settings.
All capability based decisions are done by original kernel code, which
does not log anything. This is why you will never see a log message
for missing capabilities, access will just be denied.
In softmode, the CAP module only enforces the minimum, but not the
maximum values - this is the closest to the softmode idea it can get.
If you started a daemon with a reduced maximum capability set in
softmode, you should make sure to restart it after switching to
secure mode - it will have unwanted capabilities otherwise.
If something works in softmode, but not in secure mode, and you get no
log messages, you should always suspect missing CAP maximum values.
Amon.
--
http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22
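The following is an added example, not RSBAC code and not from the mail above. It models the CAP module behaviour Amon describes (raise the minimum set, clear everything outside the maximum set, maximum not enforced in softmode) on a single capability bitmask, and decodes a mask string of the form Thomas quoted. The capability numbers (CAP_SETGID = 6, CAP_NET_BIND_SERVICE = 10), the 29-bit size of a 2.6.10 mask and the reading of the string as a binary number with the rightmost digit being capability 0 are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Capability numbers as defined in linux/capability.h for 2.6.x kernels.
 * Assumed here; only the two the thread talks about are used. */
#define EX_CAP_SETGIDC           6
#define EX_CAP_SETGID            6
#define EX_CAP_NET_BIND_SERVICE 10
#define EX_CAP_COUNT            29   /* 2.6.10 knew caps 0..28, so 29-bit masks */
#define EX_CAP_ALL ((1u << EX_CAP_COUNT) - 1u)

/* Parse a mask string such as "00000000000000000010000000000", read as a
 * binary number, most significant bit first: the rightmost digit is cap 0,
 * so a '1' followed by ten '0's is cap 10 (CAP_NET_BIND_SERVICE).
 * Returns 0 for an empty string, a string longer than 32 digits, or any
 * character other than '0'/'1'. */
uint32_t parse_cap_mask(const char *s)
{
    size_t len = strlen(s);
    uint32_t mask = 0;

    if (len == 0 || len > 32)
        return 0;
    for (size_t i = 0; i < len; i++) {
        if (s[i] != '0' && s[i] != '1')
            return 0;
        mask = (mask << 1) | (uint32_t)(s[i] - '0');
    }
    return mask;
}

/* Model of what the CAP module does on each setuid and execute:
 * raise the configured minimum set, then (secure mode only) remove
 * every capability that is not in the maximum set. In softmode the
 * maximum is not enforced, so nothing is ever removed. */
uint32_t cap_apply(uint32_t current, uint32_t min, uint32_t max, int softmode)
{
    uint32_t result = current | min;

    if (!softmode)
        result &= max;
    return result;
}

/* Model of the kernel's own capability test that a syscall such as
 * setgroups() performs. This is where the denial happens, and the kernel
 * code writes no log line for it: the caller just gets EPERM. */
int cap_check(uint32_t mask, int cap)
{
    return (int)((mask >> cap) & 1u);
}

int main(void)
{
    /* Constructed sample: the mask string from the thread. */
    const char *configured = "00000000000000000010000000000";
    uint32_t max = parse_cap_mask(configured);
    uint32_t daemon;

    printf("max set 0x%08x: NET_BIND_SERVICE=%d SETGID=%d\n", max,
           cap_check(max, EX_CAP_NET_BIND_SERVICE),
           cap_check(max, EX_CAP_SETGID));

    /* Daemon started as root (all caps) in secure mode: setgroups() would
     * fail with EPERM and nothing is logged. */
    daemon = cap_apply(EX_CAP_ALL, 0, max, 0);
    printf("secure mode: setgroups() %s\n",
           cap_check(daemon, EX_CAP_SETGID) ? "allowed" : "denied (EPERM)");

    /* Same daemon started in softmode: the maximum is not applied, so it
     * keeps CAP_SETGID and must be restarted after switching to secure mode. */
    daemon = cap_apply(EX_CAP_ALL, 0, max, 1);
    printf("softmode:    setgroups() %s\n",
           cap_check(daemon, EX_CAP_SETGID) ? "allowed" : "denied (EPERM)");

    /* Adding SETGID to the maximum set, as Thomas did, makes it work. */
    daemon = cap_apply(EX_CAP_ALL, 0, max | (1u << EX_CAP_SETGID), 0);
    printf("with SETGID: setgroups() %s\n",
           cap_check(daemon, EX_CAP_SETGID) ? "allowed" : "denied (EPERM)");
    return 0;
}
```

The softmode case is the one worth remembering when debugging: a daemon started under softmode keeps every capability it had, so the failure only appears after the switch to secure mode and a restart, and then only as a silent EPERM.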