capabilities

Christos Ricudis ricudis at paiko.gr
Wed Jun 2 01:30:06 EEST 1999


Hello All!

And here is the example I promised you. This little program drops all of
root's capabilities except CAP_KILL (you will find the capabilities and their
descriptions in /usr/src/linux/include/linux/capability.h).

Run the program with the PID of a process that does not belong to root as the
first argument, and the full pathname of a file with mode 0600 (which normally
cannot be read by any user other than its owner) as the second argument.

CAP_KILL allows a process to send a signal to another process that does not
belong to the same PID. However, because we dropped all the remaining
capabilities, CAP_FOWNER among them, root cannot read a file that belongs to
another user (which is normally allowed):

nana:[root]~# ps -auxw | grep 141
warning: `-' deprecated; use `ps auxw', not `ps -auxw'
nobody     141 79.5  3.4  6072  4376  ?  R    00:56  44:17 (squid)
nana:[root]~# ls -l /home/ricudis/dead.letter
-rw-------   1 ricudis  users      467 May 31 22:13 /home/ricudis/dead.letter
nana:[root]~# ./testcap 141 /home/ricudis/dead.letter
Dropping all capabilities except for CAP_KILL, which we need...
Sending SIGHUP to pid 141
Trying to open /home/ricudis/dead.letter
open: Permission denied
nana:[root]~#

Every process has three sets of capabilities: Inheritable, Permitted, and
Effective. The effective set is the active set of capabilities a process has.
The permitted set is the set of capabilities it is allowed to raise, and the
inheritable set (which must be a subset of the permitted set) is the set of
capabilities that any executable exec()'ed by the current process acquires as
permitted. In another message I will explain the interactions between these
three sets.

(and yes, I know my code is ugly).

                                      ,,,
                                     (o o)  File: captest.c
---*reiss*------*schnippel*------oOO--(_)--OOo-------*knabber*-----*fetz*---

#include <linux/capability.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <signal.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main (int argc,char *argv[]) {

        struct __user_cap_header_struct capheader;
        /* v3 layout: two 32-bit words per set, enough for all 64 capability
         * numbers (the 1999 original used the single-word v1 layout, which
         * current kernels still accept but mark as deprecated) */
        struct __user_cap_data_struct   capdata[_LINUX_CAPABILITY_U32S_3];
        int fd, pid;

        if (argc<3) {
                fprintf(stderr, "Use : testcap <not root-owned PID> <non root-owned file>\n");
                exit(1);
        }

        pid=atoi(argv[1]);

        capheader.version=_LINUX_CAPABILITY_VERSION_3;
        capheader.pid=0;                /* 0 = the calling process */

        printf("Dropping all capabilities except for the CAP_KILL we need...\n");

        /* start from CAP_EMPTY_SET in all three sets, then raise CAP_KILL;
         * CAP_TO_INDEX / CAP_TO_MASK come from <linux/capability.h> */
        memset(capdata, 0, sizeof(capdata));
        capdata[CAP_TO_INDEX(CAP_KILL)].effective   = CAP_TO_MASK(CAP_KILL);
        capdata[CAP_TO_INDEX(CAP_KILL)].permitted   = CAP_TO_MASK(CAP_KILL);
        capdata[CAP_TO_INDEX(CAP_KILL)].inheritable = CAP_TO_MASK(CAP_KILL);

        /* capset(2) has no guaranteed libc wrapper; invoke it via syscall(2) */
        if (syscall(SYS_capset,&capheader,capdata)<0) {
                perror("capset");
                exit(1);
        }

        printf("Sending SIGHUP to pid %d\n",pid);

        /* still works: CAP_KILL is in the effective set */
        if (kill(pid,SIGHUP)<0) {
                perror("kill");
                exit(1);
        }

        printf("Trying to open %s\n",argv[2]);

        /* fails with EACCES: root's right to read any file comes from
         * CAP_DAC_OVERRIDE / CAP_DAC_READ_SEARCH, which were just dropped.
         * (The original had "i=open(...)<0", which stores the result of the
         * comparison in i instead of the descriptor.) */
        if ((fd=open(argv[2],O_RDONLY))<0) {
                perror("open");
                exit(1);
        }

        printf("open succeeded\n");

        close(fd);

        return(0);
}

---*reiss*------*schnippel*--------------------------*knabber*-----*fetz*---
 

--
Christos Ricudis
I am a target. Please bomb me at N40 33.765' E22 55.130' Alt. 69ft
--
====================================================================
For help (or to unsubscribe) e-mail majordomo at hellug.gr
The list archives are at http://lists.hellug.gr/archives
Before sending a question, check whether it has already been answered.
For any problem send e-mail to owner-linux-greek-users at hellug.gr
====================================================================
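The three-set model described in the post (Effective, Permitted, Inheritable) and the point that a process can only raise what its permitted set allows, as an added example; this is not part of the original post or the poster's code. It assumes the 64-bit v3 capget/capset ABI (Linux 2.6.26 and later) reached through syscall(2), and the set-transition rules the kernel applies in capset(); the names capset_allowed, cap_from_list, get_caps and set_caps are this example's own. The bounding set, which capget does not report, is left out of the pre-check.

```c
/* capsets.c: pack, validate and apply Linux capability sets (v3 layout).
 * Added example, not from the original post. Build: cc -Wall -o capsets capsets.c */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/capability.h>

/* One set as a 64-bit mask (bit n == capability number n). The kernel's v3
 * ABI splits it into two 32-bit words: capability c sits in word
 * CAP_TO_INDEX(c) at bit CAP_TO_MASK(c). */
typedef unsigned long long capmask_t;

struct capsets { capmask_t effective, permitted, inheritable; };

static capmask_t cap_bit(int cap)               { return 1ULL << cap; }
static int cap_has(capmask_t s, int cap)        { return (s & cap_bit(cap)) != 0; }
static int cap_subset(capmask_t a, capmask_t b) { return (a & ~b) == 0; }

/* "Keep only these": build a mask from a list of capability numbers. */
static capmask_t cap_from_list(const int *caps, int n)
{
    capmask_t s = 0;
    for (int i = 0; i < n; i++)
        s |= cap_bit(caps[i]);
    return s;
}

/* Mirror of the rules capset(2) enforces (security/commoncap.c, cap_capset),
 * minus the bounding-set rule, which capget(2) does not report.
 * 0 = the kernel would accept the transition, -EPERM = it would refuse. */
static int capset_allowed(const struct capsets *old, const struct capsets *want)
{
    if (!cap_subset(want->permitted, old->permitted))
        return -EPERM;      /* pP can only shrink: a dropped cap is gone for good */
    if (!cap_subset(want->effective, want->permitted))
        return -EPERM;      /* pE must lie within the new pP */
    if (!cap_subset(want->inheritable, old->inheritable | old->permitted))
        return -EPERM;      /* pI may not gain caps outside the old pI | pP */
    return 0;
}

/* Pack / unpack between the 64-bit masks and the two-word v3 ABI layout. */
static void capsets_to_abi(const struct capsets *s, struct __user_cap_data_struct d[_LINUX_CAPABILITY_U32S_3])
{
    for (int w = 0; w < _LINUX_CAPABILITY_U32S_3; w++) {
        d[w].effective   = (__u32)(s->effective   >> (32 * w));
        d[w].permitted   = (__u32)(s->permitted   >> (32 * w));
        d[w].inheritable = (__u32)(s->inheritable >> (32 * w));
    }
}

static void capsets_from_abi(const struct __user_cap_data_struct d[_LINUX_CAPABILITY_U32S_3], struct capsets *s)
{
    memset(s, 0, sizeof *s);
    for (int w = 0; w < _LINUX_CAPABILITY_U32S_3; w++) {
        s->effective   |= (capmask_t)d[w].effective   << (32 * w);
        s->permitted   |= (capmask_t)d[w].permitted   << (32 * w);
        s->inheritable |= (capmask_t)d[w].inheritable << (32 * w);
    }
}

/* Read the caller's own three sets (pid 0); works without privilege. */
static int get_caps(struct capsets *s)
{
    struct __user_cap_header_struct h = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct d[_LINUX_CAPABILITY_U32S_3];
    if (syscall(SYS_capget, &h, d) < 0)
        return -1;
    capsets_from_abi(d, s);
    return 0;
}

static int set_caps(const struct capsets *s)
{
    struct __user_cap_header_struct h = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct d[_LINUX_CAPABILITY_U32S_3];
    capsets_to_abi(s, d);
    return syscall(SYS_capset, &h, d) < 0 ? -1 : 0;
}

/* Usage: ./capsets [capnum ...]  -- keep only the listed capability numbers
 * in all three sets (./capsets 5 keeps CAP_KILL) and show before/after. */
int main(int argc, char *argv[])
{
    struct capsets old, want;
    int keep[64], n = 0;
    if (get_caps(&old) < 0) { perror("capget"); return 1; }
    printf("before: pE=%016llx pP=%016llx pI=%016llx\n", old.effective, old.permitted, old.inheritable);
    for (int i = 1; i < argc && n < 64; i++)
        keep[n++] = atoi(argv[i]);
    want.effective = want.permitted = want.inheritable = cap_from_list(keep, n);
    if (capset_allowed(&old, &want) < 0) {
        fprintf(stderr, "refused: cannot keep a capability that pP does not hold\n");
        return 1;
    }
    if (set_caps(&want) < 0) { perror("capset"); return 1; }
    if (get_caps(&want) < 0) { perror("capget"); return 1; }
    printf("after:  pE=%016llx pP=%016llx pI=%016llx\n", want.effective, want.permitted, want.inheritable);
    return 0;
}
```

Run unprivileged it prints empty sets and the drop to nothing succeeds; run as root with an argument of 5 it keeps only CAP_KILL, as the program in the post does, and the pre-check shows why the order matters: once a capability has left the permitted set, no later capset() can put it back, which is exactly what "the permitted set is what the process is allowed to raise" means.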