Re: 2.6.25 Kernel - Problems with capabilities

From: David
Date: Sun Apr 20 2008 - 10:10:30 EST

Next message: Stefan Richter: "Re: [GIT PATCH] SCSI updates for 2.6.25"
Previous message: Woodruff, Richard: "RE: Higer latency with dynamic tick (need for an io-ondemand govenor?)"
In reply to: David: "2.6.25 Kernel - Problems with capabilities"
Next in thread: Casey Schaufler: "Re: 2.6.25 Kernel - Problems with capabilities"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Mike Galbraith wrote:

On Sat, 2008-04-19 at 19:43 +0100, David wrote:

I'm wondering if anyone might be able to help with a capability problem I've noticed with .25 My ntp daemon will no longer run as any non-root user, and after some investigation it seems that calls to prctl() are failing.

CONFIG_SECURITY_CAPABILITIES=y , so this should work?

System is 32 bit x86 based on a venerable SuSE 9.1 distro.

Full .config is attached.

Thanks
David

FWIW, ntpd runs just fine here as user ntp on both my P4 and Q6600 boxen
with opensuse 10.3.

marge:..tmp/linux-2.6.25 # grep SECUR .config
CONFIG_EXT2_FS_SECURITY=y
CONFIG_EXT3_FS_SECURITY=y
CONFIG_EXT4DEV_FS_SECURITY=y
CONFIG_SECURITY=y
CONFIG_SECURITY_NETWORK=y
CONFIG_SECURITY_NETWORK_XFRM=y
CONFIG_SECURITY_CAPABILITIES=y
CONFIG_SECURITY_FILE_CAPABILITIES=y
CONFIG_SECURITY_DEFAULT_MMAP_MIN_ADDR=0
# CONFIG_SECURITY_SELINUX is not set
marge:..tmp/linux-2.6.25 # grep SECUR /xx
CONFIG_EXT2_FS_SECURITY=y
CONFIG_EXT3_FS_SECURITY=y
CONFIG_REISERFS_FS_SECURITY=y
# CONFIG_XFS_SECURITY is not set
CONFIG_SECURITY=y
CONFIG_SECURITY_NETWORK=y
# CONFIG_SECURITY_NETWORK_XFRM is not set
CONFIG_SECURITY_CAPABILITIES=y
# CONFIG_SECURITY_FILE_CAPABILITIES is not set
# CONFIG_SECURITY_ROOTPLUG is not set
CONFIG_SECURITY_DEFAULT_MMAP_MIN_ADDR=0

I notice I have CONFIG_SECURITY_FILE_CAPABILITIES set, and you don't. I
have not even the foggiest clue whether that has anything to do with the
price of tea in china though :)

I've just set

CONFIG_SECURITY_FILE_CAPABILITIES=y
CONFIG_SECURITY_NETWORK_XFRM=y

to no avail.. I still get

20 Apr 15:04:20 ntpd[15694]: cap_set_proc() failed to drop root privileges: Invalid argument

after rebuild & reboot. No massive deal, I'll just run ntpd as root for now, but there's definitely something funny going on.

Cheers
David

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Stefan Richter: "Re: [GIT PATCH] SCSI updates for 2.6.25"
Previous message: Woodruff, Richard: "RE: Higer latency with dynamic tick (need for an io-ondemand govenor?)"
In reply to: David: "2.6.25 Kernel - Problems with capabilities"
Next in thread: Casey Schaufler: "Re: 2.6.25 Kernel - Problems with capabilities"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]