[rsbac] min_caps and scripts
Javier J. Martínez Cabezón
tazok.id0 at gmail.com
Sun Feb 15 16:16:23 CET 2009
Hi folks, I suppose that capabilities assigned to shell scripts are
ignored, and it happens too with min_caps.
The problem is that I have removed all maximum capabilities to root,
and assigned min_caps to the required binaries (as agetty, login
etc.), the problem comes with a gentoo bash script /sbin/rc that
between others, makes a touch to /var/log/wtmp which is owned by my
user audit, the same happened with the file /var/run/syslog-ng.pid
which is owned by the same user. The problem is that root has not
CAP_DAC_OVERRIDE at all, since /sbin/rc is a shell script min_caps are
not honored (so doesn't work at all).
I protected /sbin/rc against unwanted read/execution/write assigning
it to a special RC type, only accesed by roles 999999 and secoff one,
so min_caps shouldn't be a security hole in this case.
I don't think that granting this capabilities to /bin/mv and
/bin/touch between others used in this script should be a proper
solution, and make another copy of this binaries to assign it other
binary type sounds too tricky since it needs script modification to
Do you know any way to make this caps working in a shell-script? Any suggestion?
More information about the rsbac