2000-11-15 23:54:36

by Vesselin Atanasov

[permalink] [raw]
Subject: A question about capabilities. fI and fE

I read the Linux Capabilities FAQ 2.0 and looked at the source in
/usr/src/linux/fs/exec.c. In function prepare_binprm() I see that fE is
always cleared and set only if EUID == 0 and fI is always cleared
and set only if UID == 0 or EUID == 0. Is there a reason for this
behaviour? I think that the default value for fE should always be ~0,
because every program should be assumed to be capability dumb and fI by
default should be ~0 because every capability dump program must be able to
run with all capabilities it inherits from user that exec's it.

The reason for this question is that I want to run apache in a chrooted
environment. I want to run it as some user != root, so he cannot break out
of chroot jail, but I must give apache CAP_NET_BIND_SERVICE. I have
written a simple wrapper that optionally chroots, optinally sets its
privileges, optionally sets its UID and GID and then executes a specified
program, but the privileges that I set cannot survive the execve() call
because of the default fE = 0 and fI = 0.

So I want to know if I modify my kernel and make fE = 0~ and fI = ~0 by
default, will this damage the security of my system?