Vulnerability Development: Re: Ports 0-1023?

From: Bruno Morisson <morisson_at_genhex.org>
Date: Sun, 7 Jul 2002 20:18:13 +0000

On Saturday 06 July 2002 14:07, Kevin Easton wrote:
(snip)
> #define cap_raised(c, flag) (cap_t(c) & CAP_TO_MASK(flag))
>
> ie, the cap_effective mask of the current task structure is checked against
> the requested capability. The capability checking code is all good to go -
> it only requires a creative way of selectively setting cap_effective to
> work. I think rather than a proliferation of filesystem "setcap" bits for
> executables, it's likely that a program would remain setuid root, but drop
> all unneeded capabilities as its first task when run (ie, ping would drop
> all capabilities except CAP_NET_RAW).
>
> - Kevin.

I looked exactly into that some time ago. I coded an LKM that uses
capabilities, but with a few more checks, so one can do something like what
we've been discussing in this thread, that is, allowing "normal" users to
bind to a specific port < 1024. Since the Linux capabilities implementation
only allows binding to *any* port < 1024, I had to make a few more checks,
namely checking the port requested to bind to, and only raising
CAP_NET_BIND_SERVICE if the port matches a defined ACL, otherwise it is
denied.
I won't go into much more detail here, so if anyone is interested I've put up
the code on http://genhex.org/gksm.tgz. Read the "README" file included for
more insight. Keep in mind that this is just example code, it lacks a lot of
things (and it may even break your kernel), it was just coded to test if it
could be done.
I'm rewriting all of it, and putting a few more features in, and will release
that code in the future.

regards,
Bruno Morisson <morisson_at_genhex.org>
Received on Jul 07 2002
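
The two ideas in this message (drop every capability except the one needed, and raise CAP_NET_BIND_SERVICE only when the requested port matches an ACL) can be modelled in user space as below. This is an added example, not the gksm code or kernel source: struct task, struct bind_acl, the function names and the sample policy are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>

/* Capability numbers as defined in <linux/capability.h>. */
#define CAP_NET_BIND_SERVICE 10
#define CAP_NET_RAW          13
#define CAP_TO_MASK(flag)    ((uint32_t)1 << (flag))
#define cap_raised(c, flag)  ((c) & CAP_TO_MASK(flag))

/* Hypothetical stand-in for the task fields that matter here. */
struct task { unsigned uid; uint32_t cap_effective; };

/* Hypothetical ACL entry: this uid may bind this one privileged port. */
struct bind_acl { unsigned uid; uint16_t port; };

static const struct bind_acl acl[] = {  /* constructed sample policy */
    { 1000, 80 },
    { 1001, 53 },
};

/* Keep a single capability and drop the rest (ping keeping CAP_NET_RAW). */
void drop_all_except(struct task *t, int keep)
{
    t->cap_effective &= CAP_TO_MASK(keep);
}

static int acl_allows(unsigned uid, uint16_t port)
{
    size_t i;
    for (i = 0; i < sizeof acl / sizeof acl[0]; i++)
        if (acl[i].uid == uid && acl[i].port == port)
            return 1;
    return 0;
}

/* Stock rule: any non-zero port below 1024 needs CAP_NET_BIND_SERVICE. */
int stock_bind_check(const struct task *t, uint16_t port)
{
    if (port != 0 && port < 1024 &&
        !cap_raised(t->cap_effective, CAP_NET_BIND_SERVICE))
        return -1;                      /* denied */
    return 0;
}

/* ACL-gated rule: raise the capability only for a matching (uid, port). */
int acl_bind_check(struct task *t, uint16_t port)
{
    uint32_t saved = t->cap_effective;
    int rc;
    if (acl_allows(t->uid, port))
        t->cap_effective |= CAP_TO_MASK(CAP_NET_BIND_SERVICE);
    rc = stock_bind_check(t, port);
    t->cap_effective = saved;           /* never leave it raised afterwards */
    return rc;
}
```

Restoring cap_effective after the check is what keeps the grant scoped to one port: the task never holds a capability it could reuse for a different privileged port.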
