[rsbac] Re: Missing CAPs are not logged

Amon Ott ao at rsbac.org
Tue Jan 25 12:55:29 CET 2005


On Dienstag 25 Januar 2005 12:35, Thomas Mueller wrote:
> Amon Ott wrote:
> >> yesterday I upgraded from kernel 2.6.9 with RSBAC 1.2.3bf7 to kernel 
> >> 2.6.10 with RSBAC 1.2.3bf11.
> >>
> >> From that moment on exim's queue runner didn't work anymore - a 
> >> setgroups() call failed. I've only allowed capability 
> >> NET_BIND_SERVICE (00000000000000000010000000000).
> >> With NET_BIND_SERVICE and SET_GID everything works fine now.
> > 
> > There is no real difference.
> 
> You mean in the CAP module between bf7 and bf11 ?

Yes.
 
> Is it hard to patch the kernel so that missing CAPs are logged by 
> RSBAC? If the program that needs more CAPs doesn't output a useful 
> error message it is very hard to find out what's missing.

It is either simple (change the capable() function), but produces tons 
of output and is thus useless, or it requires patches to all 
functions that check capabilities, which is a lot of work and 
almost impossible to maintain.

We can give the first option a try, though.

But, again: the normal reason why a program only works in softmode 
but does not produce RSBAC logging is missing CAPs in the max_caps 
value.

Amon.
-- 
http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22
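Since the kernel does not log which capability check failed, the practical way to debug a case like the one above is to decode the max_caps bit string by hand and compare it with what the failing syscall needs. The following helper is an added example written for this archive page; it is not code from the thread or from the RSBAC project. It assumes the quoted string is a plain binary number with bit 0 on the right (the single 1 then lands on bit 10, which is CAP_NET_BIND_SERVICE, so the reading is consistent with the post), and it uses the Linux 2.6.10 capability names from include/linux/capability.h; the poster's SET_GID is Linux's CAP_SETGID, which is the capability sys_setgroups() checks.

```python
"""Decode, build and compare Linux 2.6 capability bitmasks.

Added example for the rsbac list thread on unlogged CAP failures; not
RSBAC code. Capability numbering follows Linux 2.6.10 (bits 0..28).
"""

# Bit number = index in this list (CAP_CHOWN = 0 ... CAP_LEASE = 28).
CAPS = [
    "CHOWN", "DAC_OVERRIDE", "DAC_READ_SEARCH", "FOWNER", "FSETID",
    "KILL", "SETGID", "SETUID", "SETPCAP", "LINUX_IMMUTABLE",
    "NET_BIND_SERVICE", "NET_BROADCAST", "NET_ADMIN", "NET_RAW",
    "IPC_LOCK", "IPC_OWNER", "SYS_MODULE", "SYS_RAWIO", "SYS_CHROOT",
    "SYS_PTRACE", "SYS_PACCT", "SYS_ADMIN", "SYS_BOOT", "SYS_NICE",
    "SYS_RESOURCE", "SYS_TIME", "SYS_TTY_CONFIG", "MKNOD", "LEASE",
]
CAP_BIT = {name: bit for bit, name in enumerate(CAPS)}


def decode_mask(bits: str) -> list[str]:
    """Return the capability names set in a bit string (leftmost digit is the
    highest bit, as in the value quoted in the thread)."""
    if not bits or set(bits) - {"0", "1"}:
        raise ValueError("mask must be a non-empty string of 0s and 1s")
    value = int(bits, 2)
    if value >> len(CAPS):
        # A bit above CAP_LEASE is set: the string is wider than this kernel's
        # capability set, so it would be silently misread. Refuse instead.
        raise ValueError("mask sets bits beyond the known capabilities")
    return [name for name in CAPS if value >> CAP_BIT[name] & 1]


def encode_mask(names, width: int = len(CAPS)) -> str:
    """Build the bit string for a set of capability names (width 29 by default,
    matching the 2.6.10 capability count)."""
    value = 0
    for name in names:
        value |= 1 << CAP_BIT[name]      # KeyError on an unknown name is intended
    return format(value, f"0{width}b")


def missing_caps(allowed: str, required) -> list[str]:
    """Capabilities in `required` that `allowed` does not grant, in bit order."""
    have = set(decode_mask(allowed))
    return sorted((c for c in required if c not in have), key=CAP_BIT.get)


if __name__ == "__main__":
    # Constructed from the thread: the mask the poster allowed, and the
    # capability sys_setgroups() checks via capable(CAP_SETGID).
    allowed = "00000000000000000010000000000"
    print("allowed:", decode_mask(allowed))
    print("missing for setgroups():", missing_caps(allowed, ["SETGID"]))
    print("mask to grant both:", encode_mask(["NET_BIND_SERVICE", "SETGID"]))
```

Running it prints the single NET_BIND_SERVICE bit for the quoted mask, reports SETGID as the missing capability for setgroups(), and emits the 29-digit mask that grants both. The width check in decode_mask matters because a mask pasted from a newer kernel (more than 29 capabilities) would otherwise decode with bits shifted into the wrong names.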

