[rsbac] Re: Missing CAPs are not logged

Thomas Mueller news-exp-jul05 at tmueller.com
Tue Jan 25 12:35:45 CET 2005


Amon Ott wrote:

>>yesterday I upgraded from kernel 2.6.9 with RSBAC 1.2.3bf7 to kernel 
>>2.6.10 with RSBAC 1.2.3bf11.
>>
>> From that moment on exim's queue runner didn't work anymore - a 
>>setgroups() call failed. I've only allowed capability 
>> NET_BIND_SERVICE (00000000000000000010000000000).
>>With NET_BIND_SERVICE and SET_GID everything works fine now.
> 
> There is no real difference.

You mean in the CAP module between bf7 and bf11 ?

>>I have two questions:
>>- why did exim work in the past? it never had CAP_SETGID so it
>>   seems as if RSBAC never checked the capabilities before,
>>   but there's nothing mentioned on the bugfix page
> 
> I cannot answer this, it should not have worked.

Strange. It worked since 1.2.3pre4.

>>- why aren't missing capabilities logged? there was a similar
>>   question before:
>>   http://www.rsbac.org/pipermail/rsbac/2002-April/000158.html
>>   exim worked in RSBAC softmode but not without softmode but
>>   I got no log message - it took me hours to find out what's
>>   wrong
> 
> This problem has hit more people before. I have added a paragraph to 
> the official CAP module description about what it does and why 
> missing caps cannot be logged:
[..]
> All capability based decisions are done by original kernel code, which 
> does not log anything. This is why you will never see a log message 
> for missing capabilities, access will just be denied.

Thanks for the explanation.

Is it hard to patch the kernel so that missing CAPs are logged by RSBAC? 
If the program that needs more CAPs doesn't output a useful error 
message it is very hard to find out what's missing.


Thomas
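A small decoder for the capability bit string quoted in the thread, added here as an example rather than code from the thread or from RSBAC's own tools. It assumes the string is a plain binary mask with CAP_CHOWN (bit 0) as the rightmost character, which is what the NET_BIND_SERVICE example suggests, and SYSCALL_CAPS is a hypothetical lookup table for the syscalls discussed.

```python
# Decode the capability bit string shown in the thread, e.g.
# "00000000000000000010000000000" for NET_BIND_SERVICE, and report which
# capability a failing syscall such as setgroups() is missing, since the
# kernel's capable() checks deny silently and log nothing.
# Assumption: rightmost character is bit 0 (CAP_CHOWN), not confirmed by the thread.

# Linux capability numbers 0..28 as of kernel 2.6.10 (linux/capability.h)
CAP_NAMES = [
    "CHOWN", "DAC_OVERRIDE", "DAC_READ_SEARCH", "FOWNER", "FSETID", "KILL",
    "SETGID", "SETUID", "SETPCAP", "LINUX_IMMUTABLE", "NET_BIND_SERVICE",
    "NET_BROADCAST", "NET_ADMIN", "NET_RAW", "IPC_LOCK", "IPC_OWNER",
    "SYS_MODULE", "SYS_RAWIO", "SYS_CHROOT", "SYS_PTRACE", "SYS_PACCT",
    "SYS_ADMIN", "SYS_BOOT", "SYS_NICE", "SYS_RESOURCE", "SYS_TIME",
    "SYS_TTY_CONFIG", "MKNOD", "LEASE",
]

# Hypothetical table: capability each privileged operation needs. The
# setgroups() entry is the case from the thread.
SYSCALL_CAPS = {
    "setgroups": {"SETGID"},
    "setuid": {"SETUID"},
    "bind_privileged_port": {"NET_BIND_SERVICE"},
    "chroot": {"SYS_CHROOT"},
}


def decode_caps(bits):
    """Turn a capability bit string into the set of capability names."""
    if not bits or set(bits) - {"0", "1"}:
        raise ValueError("expected a non-empty string of 0/1 characters")
    # Walk from the rightmost character, which is bit 0; bits beyond the
    # known table (newer kernels) are ignored.
    return {CAP_NAMES[i] for i, b in enumerate(reversed(bits))
            if b == "1" and i < len(CAP_NAMES)}


def encode_caps(names, width=len(CAP_NAMES)):
    """Inverse of decode_caps: build the bit string for a set of names."""
    mask = 0
    for name in names:
        mask |= 1 << CAP_NAMES.index(name)
    return format(mask, "b").zfill(width)


def missing_caps(bits, syscall):
    """Capabilities the syscall needs that the granted set lacks."""
    return sorted(SYSCALL_CAPS[syscall] - decode_caps(bits))
```

With the thread's mask, `missing_caps("00000000000000000010000000000", "setgroups")` names SETGID, the capability that had to be added before exim's queue runner worked again.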


