From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Date: Thu, 15 Jun 2006 02:12:31 +0400 From: "Dmitry V. Levin" To: ALT Devel discussion list Message-ID: <20060614221231.GD8552@basalt.office.altlinux.org> Mail-Followup-To: ALT Devel discussion list References: <20060613100648.GF25291@localhost.localdomain> <20060613121333.GA15408@basalt.office.altlinux.org> <20060613150418.GJ25291@localhost.localdomain> <20060613153011.GK25291@localhost.localdomain> <20060613192253.GN25291@localhost.localdomain> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="LTeJQqWS0MN7I/qa" Content-Disposition: inline In-Reply-To: <20060613192253.GN25291@localhost.localdomain> X-fingerprint: FE4C 93AB E19A 2E4C CB5D 3E4E 7CAB E6AC 9E35 361E Subject: Re: [devel] sucap + execcap = ... X-BeenThere: devel@lists.altlinux.org X-Mailman-Version: 2.1.7 Precedence: list Reply-To: ALT Devel discussion list List-Id: ALT Devel discussion list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 14 Jun 2006 22:12:32 -0000 Archived-At: List-Archive: List-Post: --LTeJQqWS0MN7I/qa Content-Type: text/plain; charset=koi8-r Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Tue, Jun 13, 2006 at 11:22:53PM +0400, Alexey Tourbin wrote: > On Tue, Jun 13, 2006 at 07:30:11PM +0400, Alexey Tourbin wrote: > > =F7 =CF=C2=DD=C5=CD =C5=D3=D4=D8 =D4=C9=D0=CF=D7=C1=D1 =DA=C1=C4=C1=DE= =C1: =D2=D5=D4 =C8=CF=DE=C5=D4 =DA=C1=D0=D5=D3=CB=C1=D4=D8 =D3=CB=D2=C9=D0= =D4=D9 > > =D3 =D0=CF=CE=C9=D6=C5=CE=CE=D9=CD=C9 =D0=D2=C9=D7=C9=CC=C5=C7=D1=CD=C9= (=CF=D4 =D0=D3=C5=D7=C4=CF=D0=CF=CC=D8=DA=CF=D7=C1=D4=C5=CC=D1), =CE=CF = =D3 =CE=C5=CB=CF=D4=CF=D2=D9=CD=C9 > > =D2=D5=D4=CF=D7=D9=CD=C9 capabilities. >=20 > > suexeccap -u $uid -g $gid -c $cap -- qa-robot -m root@localhost psec /l= ib /usr/lib >=20 > =EE=C1=D2=C9=D3=CF=D7=C1=CC =D4=CF, =DE=D4=CF =C8=CF=D4=C5=CC =CE=C1=D2= =C9=D3=CF=D7=C1=D4=D8. =F3=D4=D2=C1=CE=CE=CF=C5 =C4=C5=CC=CF -- =CE=C5 =D2= =C1=C2=CF=D4=C1=C5=D4! > =F1 =CB=C1=D6=C5=D4=D3=D1 =D0=CC=CF=C8=CF =D0=CF=CE=D1=CC, =CB=C1=CB =D0= =D2=C9 exec'=C5 =CE=C1=D3=CC=C5=C4=D5=C0=D4=D3=D1 capabilities. > =EB=D4=CF-=CE=C9=C2=D5=C4=D8 =CD=CF=D6=C5=D4 =CF=C2=DF=D1=D3=CE=C9=D4=D8? =F1 =CD=CF=C7=D5 =CF=C2=DF=D1=D3=CE=C9=D4=D8, =C8=CF=D4=D1 =D0=D2=CF=DD=C5 = RTFS. >=20 > if (setgroups(0, NULL) < 0) error(EXIT_FAILURE, 1, "setgroups"); > if (setregid(gid, gid) < 0) error(EXIT_FAILURE, 1, "setregid"); > if (prctl(PR_SET_KEEPCAPS, 1) < 0) error(EXIT_FAILURE, 1, "prctl"); PR_SET_KEEPCAPS =C9=D3=D0=CF=CC=D8=DA=D5=C5=D4=D3=D1 =C4=CC=D1 =D4=CF=C7=CF= , =DE=D4=CF=C2=D9 ... > if (cap_set_proc(suidcaps) < 0) error(EXIT_FAILURE, 1, "cap_set_proc"); > if (setreuid(uid, uid) < 0) error(EXIT_FAILURE, 1, "setreuid"); =2E.. =D0=CF=D3=CC=C5 setreuid capabilities =CE=C5 =C2=D9=CC=C9 =D7=D9=D3= =D4=C1=D7=CC=C5=CE=D9 =D3=CF=C7=CC=C1=D3=CE=CF *uid, =D3=CD. cap_emulate_setxuid(). > if (cap_set_proc(caps) < 0) error(EXIT_FAILURE, 1, "cap_set_proc"); >=20 > execvp(argv[optind], argv + optind); =F0=D2=C9 =D7=D9=D0=CF=CC=CE=C5=CE=C9=C9 exe=D3 =D7=D3=C5 capabilities =D7= =D9=D3=D4=C1=D7=CC=D1=C0=D4=D3=D1 =DA=C1=CE=CF=D7=CF =D3=CF=C7=CC=C1=D3=CE= =CF *uid, =D3=CD. cap_bprm_set_security(), =C9 =D2=C1=CE=D8=DB=C5 =CE=C1 =DC=D4=CF = =D0=CF=D7=CC=C9=D1=D4=D8 =C2=D9=CC=CF =CE=C5=CC=D8=DA=D1. =F0=D5=D3=D4=D8 =D1=C4=C5=D2=DD=C9=CB=C9 =CD=C5=CE=D1 =D0=CF=D0=D2=C1=D7=D1= =D4, =C5=D3=CC=C9 =D7 =DC=D4=CF=CA =D3=C6=C5=D2=C5 =DE=D4=CF-=D4=CF =C9=DA= =CD=C5=CE=C9=CC=CF=D3=D8. --=20 ldv --LTeJQqWS0MN7I/qa Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (GNU/Linux) iD8DBQFEkInPfKvmrJ41Nh4RAii4AKC4IjqVfsWa5khLs0jctGybbHbo4ACgrRfE OQyHie2L9j7cyg53DXpxlg8= =0MgQ -----END PGP SIGNATURE----- --LTeJQqWS0MN7I/qa--