From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Date: Tue, 13 Jun 2006 23:22:53 +0400
From: Alexey Tourbin
To: ALT Devel discussion list
Message-ID: <20060613192253.GN25291@localhost.localdomain>
Mail-Followup-To: ALT Devel discussion list
References: <20060613100648.GF25291@localhost.localdomain> <20060613121333.GA15408@basalt.office.altlinux.org> <20060613150418.GJ25291@localhost.localdomain> <20060613153011.GK25291@localhost.localdomain>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="gh4H09KImyIEQ1se"
Content-Disposition: inline
In-Reply-To: <20060613153011.GK25291@localhost.localdomain>
Subject: Re: [devel] sucap + execcap = ...
X-BeenThere: devel@lists.altlinux.org
X-Mailman-Version: 2.1.7
Precedence: list
Reply-To: ALT Devel discussion list
List-Id: ALT Devel discussion list
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Tue, 13 Jun 2006 19:22:16 -0000
Archived-At:
List-Archive:
List-Post:

--gh4H09KImyIEQ1se
Content-Type: multipart/mixed; boundary="YuJye9aIuN0w6xGV"
Content-Disposition: inline

--YuJye9aIuN0w6xGV
Content-Type: text/plain; charset=koi8-r
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Tue, Jun 13, 2006 at 07:30:11PM +0400, Alexey Tourbin wrote:
> В общем есть типовая задача: рут хочет запускать скрипты
> с пониженными привилегиями (от псевдопользователя), но с некоторыми
> рутовыми capabilities.
> suexeccap -u $uid -g $gid -c $cap -- qa-robot -m root@localhost psec /lib /usr/lib

Нарисовал то, что хотел нарисовать. Странное дело -- не работает!
Я, кажется, плохо понял, как при exec'е наследуются capabilities.
Кто-нибудь может объяснить?

$ gcc -Wall suexeccap.c -o suexeccap -lcap
$ gcc -Wall test_cap.c -o test_cap -lcap
$ sudo ./suexeccap -u nobody -g nobody -c cap_dac_read_search=eip ./test_cap
= cap_dac_read_search+i
$

То есть я прошу у него "eip", а после exec'а остается только "i". Если я
правильно понимаю, то именно из-за этого не работает повышение прав на
файловую систему:

$ sudo ./suexeccap -u nobody -g nobody -c cap_dac_read_search=eip find /lib |head
find: /lib/modules: Permission denied
find: /lib: Permission denied
/lib
/lib/i686
/lib/i686/tls
/lib/modules
/lib/tls
/lib/ld-linux.so.2
/lib/libnss1_dns.so.1
/lib/terminfo
/lib/terminfo/E
/lib/terminfo/E/Eterm
$ sudo ./suexeccap -u nobody -g nobody -c cap_dac_read_search=eip id
uid=99(nobody) gid=99(nobody)
$

И сразу вопрос ребром: типовая задача, описанная в начале этого письма,
может быть решена в принципе?
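/* --YuJye9aIuN0w6xGV
 * Content-Type: text/plain; charset=us-ascii
 * Content-Disposition: attachment; filename="suexeccap.c"
 * Content-Transfer-Encoding: quoted-printable
 */

/*
 * suexeccap: switch from root to the given user/group, keep only the
 * capabilities named on the command line, then exec a command.
 *
 * Usage: suexeccap -u USER -g GROUP -c CAPS -- COMMAND [ARGS...]
 * CAPS is libcap text as accepted by cap_from_text(), e.g.
 * "cap_dac_read_search=eip".
 */
#include <errno.h>
#include <error.h>
#include <grp.h>
#include <pwd.h>
#include <stdlib.h>
#include <sys/capability.h>
#include <sys/prctl.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Return a copy of CAPS with cap_setuid added to the permitted and
 * effective flags. This is the intermediate set installed right before
 * setreuid(), so the uid change works even when CAPS itself was written
 * without "e" or "p" (e.g. "cap_dac_read_search+i").
 *
 * The caller owns the result and releases it with cap_free(). Returns
 * NULL with errno set on failure.
 */
static cap_t with_setuid(cap_t caps)
{
	cap_value_t setuid_cap = CAP_SETUID;
	cap_t out = cap_dup(caps);

	if (!out)
		return NULL;
	if (cap_set_flag(out, CAP_PERMITTED, 1, &setuid_cap, CAP_SET) < 0 ||
	    cap_set_flag(out, CAP_EFFECTIVE, 1, &setuid_cap, CAP_SET) < 0) {
		int saved_errno = errno;
		cap_free(out);
		errno = saved_errno;
		return NULL;
	}
	return out;
}

int main(int argc, char *argv[])
{
	char *user = NULL, *group = NULL, *capstr = NULL;
	int c;

	/* The leading "+" stops option parsing at the first non-option, so
	 * the command's own options are handed through untouched. */
	while ((c = getopt(argc, argv, "+u:g:c:")) >= 0) {
		switch (c) {
		case 'u':
			user = optarg;
			break;
		case 'g':
			group = optarg;
			break;
		case 'c':
			capstr = optarg;
			break;
		default:
			return 1;
		}
	}

	if (!(user && *user))
		error(EXIT_FAILURE, 0, "user not specified");
	if (!(group && *group))
		error(EXIT_FAILURE, 0, "group not specified");
	if (!(capstr && *capstr))
		error(EXIT_FAILURE, 0, "capabilities not specified");
	if (optind >= argc)
		error(EXIT_FAILURE, 0, "command not specified");

	struct passwd *pw = getpwnam(user);
	if (!pw)
		error(EXIT_FAILURE, 0, "getpwnam: user \"%s\" unknown", user);
	uid_t uid = pw->pw_uid;

	struct group *gr = getgrnam(group);
	if (!gr)
		error(EXIT_FAILURE, 0, "getgrnam: group \"%s\" unknown", group);
	gid_t gid = gr->gr_gid;

	/* Both libcap calls set errno on failure; report that rather than a
	 * fixed "Operation not permitted". */
	cap_t caps = cap_from_text(capstr);
	if (!caps)
		error(EXIT_FAILURE, errno, "cap_from_text: \"%s\"", capstr);
	cap_t suidcaps = with_setuid(caps);
	if (!suidcaps)
		error(EXIT_FAILURE, errno, "cap_set_flag: cap_setuid");

	/* Group identity first, while still root: setgroups()/setregid()
	 * need CAP_SETGID, which is not in either requested set. */
	if (setgroups(0, NULL) < 0)
		error(EXIT_FAILURE, errno, "setgroups");
	if (setregid(gid, gid) < 0)
		error(EXIT_FAILURE, errno, "setregid");

	/* Without KEEPCAPS the kernel clears the permitted set as soon as the
	 * uid leaves 0. The effective set is cleared either way, which is why
	 * cap_set_proc() is called a second time after setreuid(). */
	if (prctl(PR_SET_KEEPCAPS, 1) < 0)
		error(EXIT_FAILURE, errno, "prctl");
	if (cap_set_proc(suidcaps) < 0)
		error(EXIT_FAILURE, errno, "cap_set_proc");
	if (setreuid(uid, uid) < 0)
		error(EXIT_FAILURE, errno, "setreuid");
	/* Final set: exactly what was asked for, cap_setuid dropped again. */
	if (cap_set_proc(caps) < 0)
		error(EXIT_FAILURE, errno, "cap_set_proc");
	cap_free(suidcaps);
	cap_free(caps);

	/* NOTE(review): across execve() only the inheritable flag survives into
	 * a binary that carries no file capabilities (the test in the mail
	 * shows "=eip" going in and "+i" coming out). For the exec'd program to
	 * keep permitted/effective bits, the target binary needs file
	 * capabilities, or the kernel must support ambient capabilities
	 * (PR_CAP_AMBIENT) -- neither is done here. */
	execvp(argv[optind], argv + optind);
	error(EXIT_FAILURE, errno, "execvp: %s", argv[optind]);
	return EXIT_FAILURE;
}
--YuJye9aIuN0w6xGV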
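/* Content-Type: text/plain; charset=us-ascii
 * Content-Disposition: attachment; filename="test_cap.c"
 */

/* test_cap: print the calling process's capability sets in libcap text form. */
#include <stdio.h>
#include <stdlib.h>
#include <sys/capability.h>

int main(void)
{
	cap_t caps = cap_get_proc();
	if (!caps) {
		perror("cap_get_proc");
		return EXIT_FAILURE;
	}

	/* cap_to_text() returns NULL on failure and otherwise allocates the
	 * string; both it and caps are released with cap_free(). */
	char *text = cap_to_text(caps, NULL);
	if (!text) {
		perror("cap_to_text");
		cap_free(caps);
		return EXIT_FAILURE;
	}

	printf("%s\n", text);
	cap_free(text);
	cap_free(caps);
	return 0;
}

/* --YuJye9aIuN0w6xGV--
 *
 * --gh4H09KImyIEQ1se
 * Content-Type: application/pgp-signature
 * Content-Disposition: inline
 *
 * -----BEGIN PGP SIGNATURE-----
 * Version: GnuPG v1.4.2.2 (GNU/Linux)
 *
 * iD8DBQFEjxCNfBKgtDjnu0YRAgAFAKDUCYTvKjKhdQgMmNLPwWcP31Z0EwCggNMc
 * I9cSoYL0FJMDn3Zt9jU3aZY=
 * =dtX+
 * -----END PGP SIGNATURE-----
 *
 * --gh4H09KImyIEQ1se--
 */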