[syslog-ng] [Bug 42] capabilities, chown, chmod

bugzilla at bugzilla.balabit.com bugzilla at bugzilla.balabit.com
Wed Apr 29 17:39:19 CEST 2009


https://bugzilla.balabit.com/show_bug.cgi?id=42


Balazs Scheidler <bazsi at balabit.hu> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED




--- Comment #2 from Balazs Scheidler <bazsi at balabit.hu>  2009-04-29 17:39:19 ---
(In reply to comment #0)
> Let's take a look at syslog-ng-3.0.1/src/affile.c lines 60-83
> 
> 1. CAP_SYS_ADMIN is needed only for /proc/kmsg, it is added w/o check
> 2. CAP_DAC_READ_SEARCH should be added only if open fails with errno 13
> 2a. CAP_DAC_OVERRIDE should be added only if open fails with errno 13 and with CAP_DAC_READ_SEARCH set

well, I wouldn't want to complicate enabling those capabilities too much. 
Currently those capabilities are only enabled for /proc/kmsg and nothing else.
(see the check for AFFILE_PRIVILEGED in affile_sd_new)

so the effects are already quite limited, I wouldn't want to complicate matters by adding errno 13 checks.

> 3. fchown needs CAP_CHOWN unconditionally
> 4. fchmod needs CAP_FOWNER if file owner != euid (root here)

I didn't know those. If these are needed for fchown/fchmod, do I need 
CAP_DAC_OVERRIDE at all? I was enabling DAC_OVERRIDE to be able to 
change owner/mode information, but as it seems that is not needed, right?

I've tested it and it does not seem to be needed, so I've removed DAC_OVERRIDE.

> 5. all caps should be restored

this was done:

  if (privileged)
    {
      g_process_cap_restore(saved_caps);
    }

however I've found one possible case when it wasn't disabled, thus I moved the 'save-caps' code a bit earlier.

> 
> summary:
> - CAP_SYS_ADMIN and CAP_DAC_OVERRIDE are set always even if unnecessary, and permanently

no, this is not true.

> - owner, group and perm doesn't work
> 

this should be fixed by this patch:

commit f96ae94df8abdc92402247682537404613db26b9
Author: Balazs Scheidler <bazsi at balabit.hu>
Date:   Wed Apr 29 17:38:49 2009 +0200

    [affile] fixed capability management around file opens (fixes: pub#42)

    caps are always saved not just in case of "privileged" operation.
    instead of using DAC_OVERRIDE use CAP_CHOWN and CAP_FOWNER for
    changing file ownership.

    Reported-By: Zbigniew Krzystolik


-- 
Configure bugmail: https://bugzilla.balabit.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.
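
Added example, not part of the original message and not syslog-ng's code: the save / raise / restore pattern discussed above, written with the raw Linux capget/capset system calls instead of syslog-ng's g_process_cap_* helpers. The names caps_t, caps_get, caps_set, caps_raise and set_file_perms are hypothetical, and the scratch file in main is constructed for the demonstration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/capability.h>
/* Capability sets of the calling thread (v3 ABI: two 32-bit words per set). */
typedef struct { struct __user_cap_data_struct d[2]; } caps_t;
static struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
static int caps_get(caps_t *c) { return (int) syscall(SYS_capget, &hdr, c->d); }
static int caps_set(const caps_t *c) { return (int) syscall(SYS_capset, &hdr, c->d); }

/* Make `cap` effective, but only if it is already in the permitted set. */
static void caps_raise(caps_t *c, int cap)
{
  struct __user_cap_data_struct *w = &c->d[CAP_TO_INDEX(cap)];
  w->effective |= w->permitted & CAP_TO_MASK(cap);
}

/* Hypothetical helper: set owner and mode on an open fd with only CAP_CHOWN and
 * CAP_FOWNER raised. Returns 0 or an errno; *restored is 1 if caps were put back. */
int set_file_perms(int fd, uid_t uid, gid_t gid, mode_t mode, int *restored)
{
  caps_t saved, raised, now;
  int rc = 0;
  *restored = 0;
  if (caps_get(&saved) < 0)             /* always save first, privileged or not */
    return errno;
  raised = saved;
  caps_raise(&raised, CAP_CHOWN);       /* needed by fchown() */
  caps_raise(&raised, CAP_FOWNER);      /* needed by fchmod() on a file we do not own */
  if (caps_set(&raised) < 0)
    rc = errno;
  else if (fchown(fd, uid, gid) < 0 || fchmod(fd, mode) < 0)
    rc = errno;
  if (caps_set(&saved) == 0 && caps_get(&now) == 0)   /* restore on every path */
    *restored = memcmp(&saved, &now, sizeof saved) == 0;
  return rc;
}

int main(void)
{
  char path[] = "/tmp/capdemoXXXXXX";   /* constructed scratch file */
  int restored = 0, fd = mkstemp(path);
  int rc = set_file_perms(fd, (uid_t) -1, (gid_t) -1, 0640, &restored);
  unlink(path);
  return rc != 0 || !restored;
}
```

CAP_DAC_OVERRIDE is never raised here, and the final capget comparison gives the caller a way to confirm that no capability stayed effective after the call.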

