Date: Thu, 20 Jan 2005 11:02:26 -0700 (MST)
From: jnf <jnf@innocence-lost.us>
To: linux-kernel@vger.kernel.org
Subject: linux capabilities ?
Message-ID: <Pine.LNX.4.61.0501201053070.24484@fhozvffvba.vaabprapr-ybfg.arg>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 1569
Lines: 47

Hi.

I have been playing a little here and there with linux capabilities, and
seem to be hitting a few snags so I was hoping to obtain some input on
their current status. The kernel on the box in question is 2.6.10, with
the CAP_INIT_EFF_SET macro modified to allow init to have CAP_SETPCAP.

I am mostly trying to accomplish this so that I can run syslog as a
non-root user and as I understand it by digging through the source, one
should be able to accomplish this with the CAP_SYS_ADMIN capability-
however this does not appear to be true ?

in kernel/printk.c I see

error = security_syslog(type)
if (error)
        return error ;

which is defined in something like include/linux/security.h as a pointer
to cap_syslog(), which in turn is defined in security/commoncap.c where I
see:

if ((type != 3 && type != 10) && !capable(CAP_SYS_ADMIN))
         return -EPERM
return 0;


Type 3 is:
*      3 -- Read up to the last 4k of messages in the ring buffer.

So when I give the process CAP_SYS_ADMIN I still cannot seem to read from
/proc/kmsg, I also tried giving it CAP_DAC_OVERRIDE just to test to see if
DAC's were the problem but that didn't seem to help any.

So with that said, anyone have any idea's as to what I need to do and any
details on the current state of the capabilities would be helpful.

Thanks,

jnf


-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/