Re: [PATCH] capabilities: introduce per-process capabilitybounding set (v10)
From: serge
Date: Fri Nov 30 2007 - 22:59:39 EST
Quoting KaiGai Kohei (kaigai@xxxxxxxxxxxx):
> Serge E. Hallyn wrote:
> > The capability bounding set is a set beyond which capabilities
> > cannot grow. Currently cap_bset is per-system. It can be
> > manipulated through sysctl, but only init can add capabilities.
> > Root can remove capabilities. By default it includes all caps
> > except CAP_SETPCAP.
>
> Serge,
>
> This feature makes me being interested in.
> I think you intend to apply this feature for the primary process
> of security container.
> However, it is also worthwhile to apply when a session is starting up.
>
> The following PAM module enables to drop capability bounding bit
> specified by the fifth field in /etc/passwd entry.
> This code is just an example now, but considerable feature.
>
> build and install:
> # gcc -Wall -c pam_cap_drop.c
> # gcc -Wall -shared -Xlinker -x -o pam_cap_drop.so pam_cap_drop.o -lpam
> # cp pam_cap_drop.so /lib/security
>
> modify /etc/passwd as follows:
>
> tak:x:1004:100:cap_drop=cap_net_raw,cap_chown:/home/tak:/bin/bash
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> example:
> [kaigai@masu ~]$ ping 192.168.1.1
> PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
> 64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=1.23 ms
> 64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 time=1.02 ms
>
> --- 192.168.1.1 ping statistics ---
> 2 packets transmitted, 2 received, 0% packet loss, time 999ms
> rtt min/avg/max/mdev = 1.023/1.130/1.237/0.107 ms
>
> [kaigai@masu ~]$ ssh tak@localhost
> tak@localhost's password:
> Last login: Sat Dec 1 10:09:29 2007 from masu.myhome.cx
> [tak@masu ~]$ export LANG=C
> [tak@masu ~]$ ping 192.168.1.1
> ping: icmp open socket: Operation not permitted
>
> [tak@masu ~]$ su
> Password:
> pam_cap_bset[6921]: user root does not have 'cap_drop=' property
> [root@masu tak]# cat /proc/self/status | grep ^Cap
> CapInh: 0000000000000000
> CapPrm: 00000000ffffdffe
> CapEff: 00000000ffffdffe
> [root@masu tak]#
Neat. A bigger-stick version of not adding the account to
group wheel. I'll use that.
Is there any reason not to have a separate /etc/login.capbounds
config file, though, so the account can still have a full name?
Did you only use that for convenience of proof of concept, or
is there another reason?
> # BTW, I replaced the James's address in the Cc: list,
> # because MTA does not accept it.
Thanks! I don't know what happened to my alias for him...
thanks,
-serge
> --
> KaiGai Kohei <kaigai@xxxxxxxxxxxx>
>
> ************************************************************
> pam_cap_drop.c
> ************************************************************
>
> /*
> * pam_cap_drop.c module -- drop capabilities bounding set
> *
> * Copyright: 2007 KaiGai Kohei <kaigai@xxxxxxxxxxxx>
> */
>
> #include <errno.h>
> #include <pwd.h>
> #include <stdlib.h>
> #include <stdio.h>
> #include <string.h>
> #include <syslog.h>
> #include <sys/prctl.h>
> #include <sys/types.h>
>
> #include <security/pam_modules.h>
>
> #ifndef PR_CAPBSET_DROP
> #define PR_CAPBSET_DROP 24
> #endif
>
> static char *captable[] = {
> "cap_chown",
> "cap_dac_override",
> "cap_dac_read_search",
> "cap_fowner",
> "cap_fsetid",
> "cap_kill",
> "cap_setgid",
> "cap_setuid",
> "cap_setpcap",
> "cap_linux_immutable",
> "cap_net_bind_service",
> "cap_net_broadcast",
> "cap_net_admin",
> "cap_net_raw",
> "cap_ipc_lock",
> "cap_ipc_owner",
> "cap_sys_module",
> "cap_sys_rawio",
> "cap_sys_chroot",
> "cap_sys_ptrace",
> "cap_sys_pacct",
> "cap_sys_admin",
> "cap_sys_boot",
> "cap_sys_nice",
> "cap_sys_resource",
> "cap_sys_time",
> "cap_sys_tty_config",
> "cap_mknod",
> "cap_lease",
> "cap_audit_write",
> "cap_audit_control",
> "cap_setfcap",
> NULL,
> };
>
>
> PAM_EXTERN int
> pam_sm_open_session(pam_handle_t *pamh, int flags,
> int argc, const char **argv)
> {
> struct passwd *pwd;
> char *pos, *buf;
> char *username = NULL;
>
> /* open system logger */
> openlog("pam_cap_bset", LOG_PERROR | LOG_PID, LOG_AUTHPRIV);
>
> /* get the unix username */
> if (pam_get_item(pamh, PAM_USER, (void *) &username) != PAM_SUCCESS || !username)
> return PAM_USER_UNKNOWN;
>
> /* get the passwd entry */
> pwd = getpwnam(username);
> if (!pwd)
> return PAM_USER_UNKNOWN;
>
> /* Is there "cap_drop=" ? */
> pos = strstr(pwd->pw_gecos, "cap_drop=");
> if (pos) {
> buf = strdup(pos + sizeof("cap_drop=") - 1);
> if (!buf)
> return PAM_SESSION_ERR;
> pos = strtok(buf, ",");
> while (pos) {
> int rc, i;
>
> for (i=0; captable[i]; i++) {
> if (!strcmp(pos, captable[i])) {
> rc = prctl(PR_CAPBSET_DROP, i);
> if (rc < 0) {
> syslog(LOG_NOTICE, "user %s could not drop %s (%s)",
> username, captable[i], strerror(errno));
> break;
> }
> syslog(LOG_NOTICE, "user %s drops %s\n", username, captable[i]);
> goto next;
> }
> }
> break;
> next:
> pos = strtok(NULL, ",");
> }
> free(buf);
> } else {
> syslog(LOG_NOTICE, "user %s does not have 'cap_drop=' property", username);
> }
> return PAM_SUCCESS;
> }
>
> PAM_EXTERN int
> pam_sm_close_session(pam_handle_t *pamh, int flags,
> int argc, const char **argv)
> {
> /* do nothing */
> return PAM_SUCCESS;
> }
>
> ************************************************************
> -
> To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/