Re: [PATCH] sysctl: allow override of /proc/sys/net with CAP_NET_ADMIN

[Eric W. Biederman]

Stephen Hemminger <shemminger@xxxxxxxxxx> writes:

> Extend the permission check for networking sysctl's to allow
> modification when current process has CAP_NET_ADMIN capability and
> is not root. This version uses the until now unused permissions hook
> to override the mode value for /proc/sys/net if accessed by a user
> with capabilities.

Looks reasonable but a little incomplete.

Could you modify register_net_sysctl_table to set this attribute?
Or alternatively all of the tables registered with register_net_sysctl.

Otherwise I this will not affect all of the sysctls under
/proc/sys/net.  Which appears to be your intent.

> Found while working with Quagga. It is impossible to turn forwarding
> on/off through the command interface because Quagga uses secure coding
> practice of dropping privledges during initialization and only raising
> via capabilities when necessary. Since the dameon has reset real/effective
> uid after initialization, all attempts to access /proc/sys/net variables
> will fail. 

Eric
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/