Compiling the program which uses a lot "sysctl" syscalls, gives me this
warning on Debian unstable:
"warning: the `sysctl' syscall has been removed from 2.6.18+ kernels,
direct access to `/proc/sys' should be used instead."
Is it true? And what can be used as alternative which would work with both
2.4 and 2.6 kernels and would work with capabilities (sys/capability.h)?
Accessing `/proc/sys' directly isn't such alternative as it doesn't work
with capabilities.
regards,
--
Hasso Tepper
Elion Enterprises Ltd. [AS3249]
Data Communication Network Administrator
On Nov 16 2006 00:03, Hasso Tepper wrote:
>
>Compiling the program which uses a lot "sysctl" syscalls, gives me this
>warning on Debian unstable:
>
>"warning: the `sysctl' syscall has been removed from 2.6.18+ kernels,
>direct access to `/proc/sys' should be used instead."
>
>Is it true?
Well it was unobsoleted in 2.6.19 if I followed the list correctly.
>And what can be used as alternative which would work with both
>2.4 and 2.6 kernels
>and would work with capabilities (sys/capability.h)?
>Accessing `/proc/sys' directly isn't such alternative as it doesn't work
>with capabilities.
-`J'
--
Hasso Tepper <[email protected]> writes:
> 2.4 and 2.6 kernels and would work with capabilities (sys/capability.h)?
> Accessing `/proc/sys' directly isn't such alternative as it doesn't work
> with capabilities.
What do you mean with "/proc/sys doesn't work with capabilities"?
-Andi
Andi Kleen wrote:
> Hasso Tepper <[email protected]> writes:
> > 2.4 and 2.6 kernels and would work with capabilities
> > (sys/capability.h)? Accessing `/proc/sys' directly isn't such
> > alternative as it doesn't work with capabilities.
>
> What do you mean with "/proc/sys doesn't work with capabilities"?
I have process which drops root privileges after startup and retains only
some privileges using CAP_NET_ADMIN and CAP_SYS_ADMIN capabilities.
I can change values in /proc/sys/net/ipv[46]/* (like turning forwarding
on/off) from this process using sysctl syscall, but I can't write
directly into /proc/sys/net/ipv[46]/* from it.
regards,
--
Hasso Tepper
Elion Enterprises Ltd. [AS3249]
Data Communication Network Administrator
On Friday 17 November 2006 09:07, Hasso Tepper wrote:
> I have process which drops root privileges after startup and retains only
> some privileges using CAP_NET_ADMIN and CAP_SYS_ADMIN capabilities.
> I can change values in /proc/sys/net/ipv[46]/* (like turning forwarding
> on/off) from this process using sysctl syscall, but I can't write
> directly into /proc/sys/net/ipv[46]/* from it.
That sounds more like a security bug than a feature to be preserved.
-Andi
Andi Kleen wrote:
> On Friday 17 November 2006 09:07, Hasso Tepper wrote:
> > I have process which drops root privileges after startup and retains
> > only some privileges using CAP_NET_ADMIN and CAP_SYS_ADMIN
> > capabilities. I can change values in /proc/sys/net/ipv[46]/* (like
> > turning forwarding on/off) from this process using sysctl syscall,
> > but I can't write directly into /proc/sys/net/ipv[46]/* from it.
>
> That sounds more like a security bug than a feature to be preserved.
Why? IMHO it's normal that process with CAP_NET_ADMIN capabilities can
modify settings in /proc/sys/net/. From /usr/include/sys/capability.h:
/* Allow interface configuration */
/* Allow administration of IP firewall, masquerading and accounting */
/* Allow setting debug option on sockets */
/* Allow modification of routing tables */
/* Allow setting arbitrary process / process group ownership on
sockets */
/* Allow binding to any address for transparent proxying */
/* Allow setting TOS (type of service) */
/* Allow setting promiscuous mode */
/* Allow clearing driver statistics */
/* Allow multicasting */
/* Allow read/write of device-specific registers */
/* Allow activation of ATM control sockets */
#define CAP_NET_ADMIN 12
regards,
--
Hasso Tepper
Elion Enterprises Ltd. [AS3249]
Data Communication Network Administrator