Hi!
I was investigating problems with PCMCIA and found that
capable(CAP_SYS_ADMIN) returns always false in my case. If I'm calling
capable(CAP_SYS_ADMIN) as root - shouldn't it return true? What could
cause this? I'm using RH 8.0 and src-rpm of 2.4.18-14 kernel.
--
* Tony Glader
On Wed, 9 Oct 2002, Chris Wright wrote:
> > I was investigating problems with PCMCIA and found that
> > capable(CAP_SYS_ADMIN) returns always false in my case. If I'm calling
> Typically root has all effective capabilities (except CAP_SETPCAP).
> You can check your effective capabilities in /proc/[pid]/status.
In this case the capable() call has been made from a kernel module. I think a
module doesn't have a PID? Should I check the capabilities of the program that does
an ioctl() call that will cause the module to do the capable() checking?
Process that does ioctl() call is owned by root and has following
capabilities:
CapInh: 0000000000000000
CapPrm: 00000000fffffeff
CapEff: 00000000fffffeff
I think there is at least the CAP_SYS_ADMIN capability.
--
* Tony Glader
* Tony Glader ([email protected]) wrote:
> Hi!
>
> I was investigating problems with PCMCIA and found that
> capable(CAP_SYS_ADMIN) returns always false in my case. If I'm calling
> capable(CAP_SYS_ADMIN) as root - shouldn't it return true? What could
> cause this? I'm using RH 8.0 and src-rpm of 2.4.18-14 kernel.
Well, it will return true if you _have_ CAP_SYS_ADMIN capability.
Typically root has all effective capabilities (except CAP_SETPCAP).
You can check your effective capabilities in /proc/[pid]/status.
I doubt your system can't get a process with CAP_SYS_ADMIN, you'd have
trouble mounting filesystems, etc...
thanks,
-chris
--
Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net
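An added example (not code from the thread or the LSM project) that decodes the CapEff mask Tony posted the way the kernel's capable() does, by testing the capability's bit number in the effective mask; it shows CAP_SYS_ADMIN (bit 21) raised and CAP_SETPCAP (bit 8) clear, matching "all except CAP_SETPCAP". The Name/Pid lines in the sample status text are constructed; only the Cap* lines come from the thread.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Capability bit numbers as defined in linux/capability.h */
#define CAP_SETPCAP   8
#define CAP_SYS_ADMIN 21

/* Constructed excerpt of /proc/[pid]/status: the Cap* lines are the values
   posted in the thread, the Name/Pid lines are made up for the sample. */
static const char sample_status[] =
    "Name:\tcardmgr\n"
    "Pid:\t12290\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t00000000fffffeff\n"
    "CapEff:\t00000000fffffeff\n";

/* Find a "Key:\t<hex>" line at the start of a line in status text.
   Returns 1 and stores the parsed mask, or 0 if the key is absent. */
static int status_cap_mask(const char *status, const char *key,
                           unsigned long long *mask)
{
    const char *p = status;
    size_t klen = strlen(key);
    while ((p = strstr(p, key)) != NULL) {
        if ((p == status || p[-1] == '\n') && p[klen] == ':') {
            char *end;
            *mask = strtoull(p + klen + 1, &end, 16); /* skips the tab */
            return end != p + klen + 1;
        }
        p += klen;
    }
    return 0;
}

/* Same test the kernel applies in capable(): is bit `cap` raised in the mask? */
static int cap_raised_in(unsigned long long mask, int cap)
{
    return (int)((mask >> cap) & 1ULL);
}

/* 1 if a task with this status text passes capable(cap), 0 if not,
   -1 if no CapEff line was found (cannot decide). */
static int would_pass_capable(const char *status, int cap)
{
    unsigned long long eff;
    if (!status_cap_mask(status, "CapEff", &eff))
        return -1;
    return cap_raised_in(eff, cap);
}

int main(void)
{
    printf("CAP_SYS_ADMIN raised: %d\n", would_pass_capable(sample_status, CAP_SYS_ADMIN));
    printf("CAP_SETPCAP   raised: %d\n", would_pass_capable(sample_status, CAP_SETPCAP));
    return 0;
}
```

Feed the text of a real /proc/[pid]/status to would_pass_capable() to check the caller of the ioctl(); an effective mask of 0x0, as in the printk result later in the thread, makes every capable() check fail.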
On Wed, 9 Oct 2002, Chris Wright wrote:
> > In this case capable() call has been made from a kernel module. I think a
> The userspace task that called the ioctl() is the one to look at.
...
> > CapInh: 0000000000000000
> > CapPrm: 00000000fffffeff
> > CapEff: 00000000fffffeff
>
> Ok, I don't think the capable() check is failing.
So thought I too, but now we are getting to the point - the capable() check
fails! How can that be possible?
--
* Tony Glader
* Tony Glader ([email protected]) wrote:
> On Wed, 9 Oct 2002, Chris Wright wrote:
>
> > > In this case capable() call has been made from a kernel module. I think a
> > The userspace task that called the ioctl() is the one to look at.
>
> ...
>
> > > CapInh: 0000000000000000
> > > CapPrm: 00000000fffffeff
> > > CapEff: 00000000fffffeff
> >
> > Ok, I don't think the capable() check is failing.
>
> So thought I too, but now we are getting to the point - the capable() check
> fails! How can that be possible?
You could dump something like this before the capable() call:
printk(KERN_DEBUG "%s:(%d) eff: 0x%x\n", current->comm, current->pid,
cap_t(current->cap_effective));
-chris
--
Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net
* Tony Glader ([email protected]) wrote:
> On Wed, 9 Oct 2002, Chris Wright wrote:
>
> > > I was investigating problems with PCMCIA and found that
> > > capable(CAP_SYS_ADMIN) returns always false in my case. If I'm calling
> > Typically root has all effective capabilities (except CAP_SETPCAP).
> > You can check your effective capabilities in /proc/[pid]/status.
>
> In this case the capable() call has been made from a kernel module. I think a
> module doesn't have a PID? Should I check the capabilities of the program that does
> an ioctl() call that will cause the module to do the capable() checking?
The userspace task that called the ioctl() is the one to look at.
> Process that does ioctl() call is owned by root and has following
> capabilities:
>
> CapInh: 0000000000000000
> CapPrm: 00000000fffffeff
> CapEff: 00000000fffffeff
Ok, I don't think the capable() check is failing.
-chris
--
Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net
On Wed, 9 Oct 2002, Chris Wright wrote:
> You could dump something like this before the capable() call:
>
> printk(KERN_DEBUG "%s:(%d) eff: 0x%x\n", current->comm, current->pid,
> cap_t(current->cap_effective));
Ok. I got the following result:
??:(12290) eff: 0x0
Is the eff value the current capabilities? Why is it zero? The task that called
it (cardmgr) was owned by root.
--
* Tony Glader