[rsbac] Missing CAPs are not logged

Amon Ott ao at rsbac.org
Thu Jan 20 09:27:37 CET 2005


On Mittwoch 19 Januar 2005 23:25, Thomas Mueller wrote:
> yesterday I upgraded from kernel 2.6.9 with RSBAC 1.2.3bf7 to kernel 
> 2.6.10 with RSBAC 1.2.3bf11.
> 
>  From that moment on exims queue runner didn't work anymore - a 
> setgroups() call failed. I've only allowed capabilty 
NET_BIND_SERVICE 
> (00000000000000000010000000000).
> With NET_BIND_SERVICE and SET_GID everything works fine now.

There is no real difference.
 
> I have two questions:
> - why did exim work in the past? it never had CAP_SETGID so it
>    seems as if RSBAC never checked the capabilities before,
>    but there's nothing mentioned on the bugfix page

I cannot answer this, it should not have worked.

> - why aren't missing capabilities logged? there was a similar
>    question before:
>    http://www.rsbac.org/pipermail/rsbac/2002-April/000158.html
>    exim worked in RSBAC softmode but not without softmode but
>    I got no log message - it took me hours to find out what's
>    wrong

This problem has hit more people before. I have added a paragraph to 
the official CAP module description about what it does and why 
missing caps cannot be logged:

On each setuid and execute, the CAP module sets the given minimum caps 
and removes those not in the maximum set. The values changed are the 
standard Linux capability values in the process task struct. This 
means that the RSBAC CAP module (like PAX and RES) is only an 
administration helper for existing Linux settings.

All capability based desicions are done by original kernel code, which 
does not log anything. This is why you will never see a log message 
for missing capabilities, access will just be denied.

In softmode, the CAP module only enforces the minimum, but not the 
maximum values - this is the closest to the softmode idea it can get. 
If you started a daemon with a reduced maximum capability set in 
softmode, you should make sure to restart it after switching to 
secure mode - it will have unwanted capabilities otherwise.

If something works in softmode, but not in secure mode, and you get no 
log messages, you should always suspect missing CAP maximum values.

Amon.
-- 
http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22
-------------- nächster Teil --------------
Ein Dateianhang mit Bin?rdaten wurde geschreddert...
Dateiname   : nicht verf?gbar
Dateityp    : application/pgp-signature
Dateigr??e  : 189 bytes
Beschreibung: nicht verf?gbar
URL         : http://www.rsbac.org/pipermail/rsbac/attachments/20050120/6bf4fad8/attachment.bin


More information about the rsbac mailing list