Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S932073AbXLAD7d (ORCPT ); Fri, 30 Nov 2007 22:59:33 -0500 Received: (majordomo@vger.kernel.org) by vger.kernel.org id S1756266AbXLAD7N (ORCPT ); Fri, 30 Nov 2007 22:59:13 -0500 Received: from smtp120.sbc.mail.re3.yahoo.com ([66.196.96.93]:24085 "HELO smtp120.sbc.mail.re3.yahoo.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with SMTP id S1755698AbXLAD7M (ORCPT ); Fri, 30 Nov 2007 22:59:12 -0500 X-YMail-OSG: s0xMvXQVM1k1s6sAHQinC2GxSDIWSscgnWDFNgWNFbBOtF3f78QgEGmeTa1z9EXlK6dz5Yca3T0LU8wWfhHHGp8WT3AQnfOfdaQy53TBwuaQYI2d3voBE9vYFzENhkpJdt8o7B50ooMr8quvGwSgRmBCjw-- Date: Fri, 30 Nov 2007 21:58:24 -0600 From: serge@hallyn.com To: KaiGai Kohei Cc: "Serge E. Hallyn" , lkml , linux-security-module@vger.kernel.org, Andrew Morgan , Chris Wright , Stephen Smalley , James Morris , Andrew Morton Subject: Re: [PATCH] capabilities: introduce per-process capability bounding set (v10) Message-ID: <20071201035820.GA7730@vino.hallyn.com> References: <20071126200908.GA13287@sergelap.austin.ibm.com> <4750B6D5.7070607@kaigai.gr.jp> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <4750B6D5.7070607@kaigai.gr.jp> User-Agent: Mutt/1.5.16 (2007-06-09) Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 5819 Lines: 206 Quoting KaiGai Kohei (kaigai@kaigai.gr.jp): > Serge E. Hallyn wrote: > > The capability bounding set is a set beyond which capabilities > > cannot grow. Currently cap_bset is per-system. It can be > > manipulated through sysctl, but only init can add capabilities. > > Root can remove capabilities. By default it includes all caps > > except CAP_SETPCAP. > > Serge, > > This feature makes me being interested in. > I think you intend to apply this feature for the primary process > of security container. > However, it is also worthwhile to apply when a session is starting up. > > The following PAM module enables to drop capability bounding bit > specified by the fifth field in /etc/passwd entry. > This code is just an example now, but considerable feature. > > build and install: > # gcc -Wall -c pam_cap_drop.c > # gcc -Wall -shared -Xlinker -x -o pam_cap_drop.so pam_cap_drop.o -lpam > # cp pam_cap_drop.so /lib/security > > modify /etc/passwd as follows: > > tak:x:1004:100:cap_drop=cap_net_raw,cap_chown:/home/tak:/bin/bash > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ > example: > [kaigai@masu ~]$ ping 192.168.1.1 > PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data. > 64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=1.23 ms > 64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 time=1.02 ms > > --- 192.168.1.1 ping statistics --- > 2 packets transmitted, 2 received, 0% packet loss, time 999ms > rtt min/avg/max/mdev = 1.023/1.130/1.237/0.107 ms > > [kaigai@masu ~]$ ssh tak@localhost > tak@localhost's password: > Last login: Sat Dec 1 10:09:29 2007 from masu.myhome.cx > [tak@masu ~]$ export LANG=C > [tak@masu ~]$ ping 192.168.1.1 > ping: icmp open socket: Operation not permitted > > [tak@masu ~]$ su > Password: > pam_cap_bset[6921]: user root does not have 'cap_drop=' property > [root@masu tak]# cat /proc/self/status | grep ^Cap > CapInh: 0000000000000000 > CapPrm: 00000000ffffdffe > CapEff: 00000000ffffdffe > [root@masu tak]# Neat. A bigger-stick version of not adding the account to group wheel. I'll use that. Is there any reason not to have a separate /etc/login.capbounds config file, though, so the account can still have a full name? Did you only use that for convenience of proof of concept, or is there another reason? > # BTW, I replaced the James's address in the Cc: list, > # because MTA does not accept it. Thanks! I don't know what happened to my alias for him... thanks, -serge > -- > KaiGai Kohei > > ************************************************************ > pam_cap_drop.c > ************************************************************ > > /* > * pam_cap_drop.c module -- drop capabilities bounding set > * > * Copyright: 2007 KaiGai Kohei > */ > > #include > #include > #include > #include > #include > #include > #include > #include > > #include > > #ifndef PR_CAPBSET_DROP > #define PR_CAPBSET_DROP 24 > #endif > > static char *captable[] = { > "cap_chown", > "cap_dac_override", > "cap_dac_read_search", > "cap_fowner", > "cap_fsetid", > "cap_kill", > "cap_setgid", > "cap_setuid", > "cap_setpcap", > "cap_linux_immutable", > "cap_net_bind_service", > "cap_net_broadcast", > "cap_net_admin", > "cap_net_raw", > "cap_ipc_lock", > "cap_ipc_owner", > "cap_sys_module", > "cap_sys_rawio", > "cap_sys_chroot", > "cap_sys_ptrace", > "cap_sys_pacct", > "cap_sys_admin", > "cap_sys_boot", > "cap_sys_nice", > "cap_sys_resource", > "cap_sys_time", > "cap_sys_tty_config", > "cap_mknod", > "cap_lease", > "cap_audit_write", > "cap_audit_control", > "cap_setfcap", > NULL, > }; > > > PAM_EXTERN int > pam_sm_open_session(pam_handle_t *pamh, int flags, > int argc, const char **argv) > { > struct passwd *pwd; > char *pos, *buf; > char *username = NULL; > > /* open system logger */ > openlog("pam_cap_bset", LOG_PERROR | LOG_PID, LOG_AUTHPRIV); > > /* get the unix username */ > if (pam_get_item(pamh, PAM_USER, (void *) &username) != PAM_SUCCESS || !username) > return PAM_USER_UNKNOWN; > > /* get the passwd entry */ > pwd = getpwnam(username); > if (!pwd) > return PAM_USER_UNKNOWN; > > /* Is there "cap_drop=" ? */ > pos = strstr(pwd->pw_gecos, "cap_drop="); > if (pos) { > buf = strdup(pos + sizeof("cap_drop=") - 1); > if (!buf) > return PAM_SESSION_ERR; > pos = strtok(buf, ","); > while (pos) { > int rc, i; > > for (i=0; captable[i]; i++) { > if (!strcmp(pos, captable[i])) { > rc = prctl(PR_CAPBSET_DROP, i); > if (rc < 0) { > syslog(LOG_NOTICE, "user %s could not drop %s (%s)", > username, captable[i], strerror(errno)); > break; > } > syslog(LOG_NOTICE, "user %s drops %s\n", username, captable[i]); > goto next; > } > } > break; > next: > pos = strtok(NULL, ","); > } > free(buf); > } else { > syslog(LOG_NOTICE, "user %s does not have 'cap_drop=' property", username); > } > return PAM_SUCCESS; > } > > PAM_EXTERN int > pam_sm_close_session(pam_handle_t *pamh, int flags, > int argc, const char **argv) > { > /* do nothing */ > return PAM_SUCCESS; > } > > ************************************************************ > - > To unsubscribe from this list: send the line "unsubscribe linux-security-module" in > the body of a message to majordomo@vger.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/