--- libcap-1.10.orig/doc/old/cap_set_fd.3 +++ libcap-1.10/doc/old/cap_set_fd.3 @@ -0,0 +1 @@ +.so man3/cap_get_file.3 --- libcap-1.10.orig/doc/old/cap_set_file.3 +++ libcap-1.10/doc/old/cap_set_file.3 @@ -0,0 +1 @@ +.so man3/cap_get_file.3 --- libcap-1.10.orig/doc/capset.2 +++ libcap-1.10/doc/capset.2 @@ -1 +1 @@ -.so man2/capget.2 +#.so man2/capget.2 --- libcap-1.10.orig/doc/Makefile +++ libcap-1.10/doc/Makefile @@ -7,7 +7,7 @@ topdir=$(shell pwd)/.. include $(topdir)/Make.Rules -MAN2S = capget.2 capset.2 +#MAN2S = capget.2 MAN3S = cap_init.3 cap_free.3 cap_dup.3 \ cap_clear.3 cap_get_flag.3 cap_set_flag.3 \ cap_get_proc.3 cap_set_proc.3 \ --- libcap-1.10.orig/Make.Rules +++ libcap-1.10/Make.Rules @@ -8,7 +8,7 @@ # common 'packaging' directoty -FAKEROOT= +FAKEROOT=$(DESTDIR) # Autoconf-style prefixes are activated when $(prefix) is defined. # Otherwise binaries and libraraies are installed in /{lib,sbin}/, @@ -18,13 +18,13 @@ exec_prefix=$(prefix) lib_prefix=$(exec_prefix) inc_prefix=$(lib_prefix) -man_prefix=$(prefix) +man_prefix=$(prefix)/share else prefix=/usr exec_prefix= lib_prefix=$(exec_prefix) inc_prefix=$(prefix) -man_prefix=$(prefix) +man_prefix=$(prefix)/share endif # Target directories @@ -42,7 +42,7 @@ # Compilation specifics CC=gcc -COPTFLAGS=-O2 +COPTFLAGS=-O2 DEBUG=-g #-DDEBUG WARNINGS=-ansi -D_POSIX_SOURCE -Wall -Wwrite-strings \ -Wpointer-arith -Wcast-qual -Wcast-align \ --- libcap-1.10.orig/Makefile +++ libcap-1.10/Makefile @@ -3,17 +3,20 @@ # # Makefile for libcap +ifndef topdir topdir=$(shell pwd) -include Make.Rules +endif +include $(topdir)/Make.Rules +DESTDIR= # # flags # all install clean: %: %-here - make -C libcap $(MAKE_DEFS) $@ - make -C progs $(MAKE_DEFS) $@ - make -C doc $(MAKE_DEFS) $@ + make -C $(topdir)/libcap $(MAKE_DEFS) $@ + make -C $(topdir)/progs $(MAKE_DEFS) $@ + make -C $(topdir)/doc $(MAKE_DEFS) $@ all-here: --- libcap-1.10.orig/libcap/include/sys/capability.h +++ libcap-1.10/libcap/include/sys/capability.h @@ -21,7 +21,288 @@ */ #include <sys/types.h> -#include <linux/capability.h> +/* + * This is <linux/capability.h> + * + * Andrew G. Morgan <morgan@transmeta.com> + * Alexander Kjeldaas <astor@guardian.no> + * with help from Aleph1, Roland Buresund and Andrew Main. + * + * See here for the libcap library ("POSIX draft" compliance): + * + * ftp://linux.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.2/ + */ + +#ifndef _LINUX_CAPABILITY_H +#define _LINUX_CAPABILITY_H + +#include <linux/types.h> +/*#include <linux/fs.h>*/ + +/* User-level do most of the mapping between kernel and user + capabilities based on the version tag given by the kernel. The + kernel might be somewhat backwards compatible, but don't bet on + it. */ + +/* XXX - Note, cap_t, is defined by POSIX to be an "opaque" pointer to + a set of three capability sets. The transposition of 3*the + following structure to such a composite is better handled in a user + library since the draft standard requires the use of malloc/free + etc.. */ + +#define _LINUX_CAPABILITY_VERSION 0x19980330 + +typedef struct __user_cap_header_struct { + __u32 version; + int pid; +} *cap_user_header_t; + +typedef struct __user_cap_data_struct { + __u32 effective; + __u32 permitted; + __u32 inheritable; +} *cap_user_data_t; + +#ifdef __KERNEL__ + +/* #define STRICT_CAP_T_TYPECHECKS */ + +#ifdef STRICT_CAP_T_TYPECHECKS + +typedef struct kernel_cap_struct { + __u32 cap; +} kernel_cap_t; + +#else + +typedef __u32 kernel_cap_t; + +#endif + +#define _USER_CAP_HEADER_SIZE (2*sizeof(__u32)) +#define _KERNEL_CAP_T_SIZE (sizeof(kernel_cap_t)) + +#endif + + +/** + ** POSIX-draft defined capabilities. + **/ + +/* In a system with the [_POSIX_CHOWN_RESTRICTED] option defined, this + overrides the restriction of changing file ownership and group + ownership. */ + +#define CAP_CHOWN 0 + +/* Override all DAC access, including ACL execute access if + [_POSIX_ACL] is defined. Excluding DAC access covered by + CAP_LINUX_IMMUTABLE. */ + +#define CAP_DAC_OVERRIDE 1 + +/* Overrides all DAC restrictions regarding read and search on files + and directories, including ACL restrictions if [_POSIX_ACL] is + defined. Excluding DAC access covered by CAP_LINUX_IMMUTABLE. */ + +#define CAP_DAC_READ_SEARCH 2 + +/* Overrides all restrictions about allowed operations on files, where + file owner ID must be equal to the user ID, except where CAP_FSETID + is applicable. It doesn't override MAC and DAC restrictions. */ + +#define CAP_FOWNER 3 + +/* Overrides the following restrictions that the effective user ID + shall match the file owner ID when setting the S_ISUID and S_ISGID + bits on that file; that the effective group ID (or one of the + supplementary group IDs) shall match the file owner ID when setting + the S_ISGID bit on that file; that the S_ISUID and S_ISGID bits are + cleared on successful return from chown(2) (not implemented). */ + +#define CAP_FSETID 4 + +/* Used to decide between falling back on the old suser() or fsuser(). */ + +#define CAP_FS_MASK 0x1f + +/* Overrides the restriction that the real or effective user ID of a + process sending a signal must match the real or effective user ID + of the process receiving the signal. */ + +#define CAP_KILL 5 + +/* Allows setgid(2) manipulation */ +/* Allows setgroups(2) */ +/* Allows forged gids on socket credentials passing. */ + +#define CAP_SETGID 6 + +/* Allows set*uid(2) manipulation (including fsuid). */ +/* Allows forged pids on socket credentials passing. */ + +#define CAP_SETUID 7 + + +/** + ** Linux-specific capabilities + **/ + +/* Transfer any capability in your permitted set to any pid, + remove any capability in your permitted set from any pid */ + +#define CAP_SETPCAP 8 + +/* Allow modification of S_IMMUTABLE and S_APPEND file attributes */ + +#define CAP_LINUX_IMMUTABLE 9 + +/* Allows binding to TCP/UDP sockets below 1024 */ +/* Allows binding to ATM VCIs below 32 */ + +#define CAP_NET_BIND_SERVICE 10 + +/* Allow broadcasting, listen to multicast */ + +#define CAP_NET_BROADCAST 11 + +/* Allow interface configuration */ +/* Allow administration of IP firewall, masquerading and accounting */ +/* Allow setting debug option on sockets */ +/* Allow modification of routing tables */ +/* Allow setting arbitrary process / process group ownership on + sockets */ +/* Allow binding to any address for transparent proxying */ +/* Allow setting TOS (type of service) */ +/* Allow setting promiscuous mode */ +/* Allow clearing driver statistics */ +/* Allow multicasting */ +/* Allow read/write of device-specific registers */ +/* Allow activation of ATM control sockets */ + +#define CAP_NET_ADMIN 12 + +/* Allow use of RAW sockets */ +/* Allow use of PACKET sockets */ + +#define CAP_NET_RAW 13 + +/* Allow locking of shared memory segments */ +/* Allow mlock and mlockall (which doesn't really have anything to do + with IPC) */ + +#define CAP_IPC_LOCK 14 + +/* Override IPC ownership checks */ + +#define CAP_IPC_OWNER 15 + +/* Insert and remove kernel modules - modify kernel without limit */ +/* Modify cap_bset */ +#define CAP_SYS_MODULE 16 + +/* Allow ioperm/iopl access */ +/* Allow sending USB messages to any device via /proc/bus/usb */ + +#define CAP_SYS_RAWIO 17 + +/* Allow use of chroot() */ + +#define CAP_SYS_CHROOT 18 + +/* Allow ptrace() of any process */ + +#define CAP_SYS_PTRACE 19 + +/* Allow configuration of process accounting */ + +#define CAP_SYS_PACCT 20 + +/* Allow configuration of the secure attention key */ +/* Allow administration of the random device */ +/* Allow examination and configuration of disk quotas */ +/* Allow configuring the kernel's syslog (printk behaviour) */ +/* Allow setting the domainname */ +/* Allow setting the hostname */ +/* Allow calling bdflush() */ +/* Allow mount() and umount(), setting up new smb connection */ +/* Allow some autofs root ioctls */ +/* Allow nfsservctl */ +/* Allow VM86_REQUEST_IRQ */ +/* Allow to read/write pci config on alpha */ +/* Allow irix_prctl on mips (setstacksize) */ +/* Allow flushing all cache on m68k (sys_cacheflush) */ +/* Allow removing semaphores */ +/* Used instead of CAP_CHOWN to "chown" IPC message queues, semaphores + and shared memory */ +/* Allow locking/unlocking of shared memory segment */ +/* Allow turning swap on/off */ +/* Allow forged pids on socket credentials passing */ +/* Allow setting readahead and flushing buffers on block devices */ +/* Allow setting geometry in floppy driver */ +/* Allow turning DMA on/off in xd driver */ +/* Allow administration of md devices (mostly the above, but some + extra ioctls) */ +/* Allow tuning the ide driver */ +/* Allow access to the nvram device */ +/* Allow administration of apm_bios, serial and bttv (TV) device */ +/* Allow manufacturer commands in isdn CAPI support driver */ +/* Allow reading non-standardized portions of pci configuration space */ +/* Allow DDI debug ioctl on sbpcd driver */ +/* Allow setting up serial ports */ +/* Allow sending raw qic-117 commands */ +/* Allow enabling/disabling tagged queuing on SCSI controllers and sending + arbitrary SCSI commands */ +/* Allow setting encryption key on loopback filesystem */ + +#define CAP_SYS_ADMIN 21 + +/* Allow use of reboot() */ + +#define CAP_SYS_BOOT 22 + +/* Allow raising priority and setting priority on other (different + UID) processes */ +/* Allow use of FIFO and round-robin (realtime) scheduling on own + processes and setting the scheduling algorithm used by another + process. */ + +#define CAP_SYS_NICE 23 + +/* Override resource limits. Set resource limits. */ +/* Override quota limits. */ +/* Override reserved space on ext2 filesystem */ +/* NOTE: ext2 honors fsuid when checking for resource overrides, so + you can override using fsuid too */ +/* Override size restrictions on IPC message queues */ +/* Allow more than 64hz interrupts from the real-time clock */ +/* Override max number of consoles on console allocation */ +/* Override max number of keymaps */ + +#define CAP_SYS_RESOURCE 24 + +/* Allow manipulation of system clock */ +/* Allow irix_stime on mips */ +/* Allow setting the real-time clock */ + +#define CAP_SYS_TIME 25 + +/* Allow configuration of tty devices */ +/* Allow vhangup() of tty */ + +#define CAP_SYS_TTY_CONFIG 26 + +/* Allow the privileged aspects of mknod() */ + +#define CAP_MKNOD 27 + +/* Allow taking of leases on files */ + +#define CAP_LEASE 28 + +#endif /* !_LINUX_CAPABILITY_H */ + + /* * POSIX capability types --- libcap-1.10.orig/libcap/Makefile +++ libcap-1.10/libcap/Makefile @@ -24,12 +24,15 @@ # # defines # +ifndef $(topdir) topdir=$(shell pwd)/.. -include ../Make.Rules +endif +include $(topdir)/Make.Rules + # # Library version # -LIBNAME=libcap.so +LIBNAME=libcap # FILES=cap_alloc cap_proc cap_extint cap_flag cap_text cap_sys @@ -39,10 +42,11 @@ INCLS=libcap.h cap_names.h $(INCS) OBJS=$(addsuffix .o, $(FILES)) -MAJLIBNAME=$(LIBNAME).$(VERSION) +LOBJS=$(addsuffix .lo, $(FILES)) +MAJLIBNAME=$(LIBNAME).so.$(VERSION) MINLIBNAME=$(MAJLIBNAME).$(MINOR) -all: $(MINLIBNAME) +all: $(MINLIBNAME) $(LIBNAME).a _makenames: _makenames.c cap_names.sed $(CC) $(CFLAGS) $(LDFLAGS) $< -o $@ @@ -50,31 +54,38 @@ cap_names.h: _makenames ./_makenames > cap_names.h -cap_names.sed: Makefile /usr/include/linux/capability.h - @echo "=> making cap_names.c from <linux/capability.h>" - @sed -ne '/^#define[ \t]CAP[_A-Z]\+[ \t]\+[0-9]\+/{s/^#define \([^ \t]*\)[ \t]*\([^ \t]*\)/ \{ \2, \"\1\" \},/;y/ABCDEFGHIJKLMNOPQRSTUVWXYZ/abcdefghijklmnopqrstuvwxyz/;p;}' < /usr/include/linux/capability.h | fgrep -v 0x > cap_names.sed -# @sed -ne '/^#define[ \t]CAP[_A-Z]\+[ \t]\+[0-9]\+/{s/^#define CAP_\([^ \t]*\)[ \t]*\([^ \t]*\)/ \{ \2, \"\1\" \},/;y/ABCDEFGHIJKLMNOPQRSTUVWXYZ/abcdefghijklmnopqrstuvwxyz/;p;}' < /usr/include/linux/capability.h | fgrep -v 0x > cap_names.sed +cap_names.sed: Makefile include/sys/capability.h + @echo "=> making cap_names.c from <sys/capability.h>" + @sed -ne '/^#define[ \t]CAP[_A-Z]\+[ \t]\+[0-9]\+/{s/^#define \([^ \t]*\)[ \t]*\([^ \t]*\)/ \{ \2, \"\1\" \},/;y/ABCDEFGHIJKLMNOPQRSTUVWXYZ/abcdefghijklmnopqrstuvwxyz/;p;}' < include/sys/capability.h | fgrep -v 0x > cap_names.sed # @sed -ne '/^#define[ \t]CAP[_A-Z]\+[ \t]\+[0-9]\+/{s/^#define CAP_\([^ \t]*\)[ \t]*\([^ \t]*\)/ \{ \2, \"\1\" \},/;y/ABCDEFGHIJKLMNOPQRSTUVWXYZ/abcdefghijklmnopqrstuvwxyz/;p;}' < /usr/include/linux/capability.h | fgrep -v 0x > cap_names.sed + +$(LIBNAME).a: $(OBJS) + ar cruv $(LIBNAME).a $(OBJS) -$(MINLIBNAME): $(OBJS) - $(LD) -soname $(MAJLIBNAME) -x -shared -o $@ $(OBJS) +$(MINLIBNAME): $(LOBJS) + $(CC) -shared -fPIC -Wl,-soname,$(MAJLIBNAME) -o $@ $(LOBJS) ln -sf $(MINLIBNAME) $(MAJLIBNAME) - ln -sf $(MAJLIBNAME) $(LIBNAME) + ln -sf $(MAJLIBNAME) $(LIBNAME).so %.o: %.c $(INCLS) $(CC) $(CFLAGS) -c $< -o $@ +%.lo: %.c $(INCLS) + $(CC) $(CFLAGS) -fPIC -c $< -o $@ + + install: all mkdir -p -m 0755 $(INCDIR)/sys install -m 0644 include/sys/capability.h $(INCDIR)/sys mkdir -p -m 0755 $(LIBDIR) + install -m 0644 $(LIBNAME).a $(LIBDIR) install -m 0644 $(MINLIBNAME) $(LIBDIR)/$(MINLIBNAME) ln -sf $(MINLIBNAME) $(LIBDIR)/$(MAJLIBNAME) - ln -sf $(MAJLIBNAME) $(LIBDIR)/$(LIBNAME) + ln -sf $(MAJLIBNAME) $(LIBDIR)/$(LIBNAME).so -/sbin/ldconfig clean: $(LOCALCLEAN) - rm -f $(OBJS) $(LIBNAME)* + rm -f $(OBJS) $(LOBJS) $(LIBNAME).a $(LIBNAME).so* rm -f cap_names.h cap_names.sed _makenames cd include/sys && $(LOCALCLEAN) --- libcap-1.10.orig/libcap/_makenames.c +++ libcap-1.10/libcap/_makenames.c @@ -9,7 +9,7 @@ #include <stdio.h> #include <stdlib.h> -#include <linux/capability.h> +#include <sys/capability.h> /* * #include 'sed' generated array --- libcap-1.10.orig/libcap/cap_sys.c +++ libcap-1.10/libcap/cap_sys.c @@ -10,7 +10,8 @@ #include "libcap.h" #define __LIBRARY__ #include <linux/unistd.h> - +/* glic >= 2.1 knows capset/capget. no need to define it here */ +/* _syscall2(int, capget, cap_user_header_t, header, cap_user_data_t, data) @@ -18,7 +19,7 @@ _syscall2(int, capset, cap_user_header_t, header, const cap_user_data_t, data) - +*/ /* * $Log: libcap-1.10-debian.patch,v $ * Revision 1.1 2006/10/29 23:14:00 jgc * upgpkg: libcap 1.10-2 * Remove amd64 patches that messed things up * Apply debian patch to make it build again * Remove empty man2 directory the right way * * Revision 1.1.1.1 1999/04/17 22:16:31 morgan --- libcap-1.10.orig/capfaq-0.2.txt +++ libcap-1.10/capfaq-0.2.txt @@ -0,0 +1,264 @@ +This is the Linux kernel capabilities FAQ + +Its history, to the extent that I am able to reconstruct it is that +v2.0 was posted to the Linux kernel list on 1999/04/02 by Boris +Tobotras. Thanks to Denis Ducamp for forwarding me a copy. + +Cheers + +Andrew + +Linux Capabilities FAQ 0.2 +========================== + +1) What is a capability? + +The name "capabilities" as used in the Linux kernel can be confusing. +First there are Capabilities as defined in computer science. A +capability is a token used by a process to prove that it is allowed to +do an operation on an object. The capability identifies the object +and the operations allowed on that object. A file descriptor is a +capability. You create the file descriptor with the "open" call and +request read or write permissions. Later, when doing a read or write +operation, the kernel uses the file descriptor as an index into a +data structure that indicates what operations are allowed. This is an +efficient way to check permissions. The necessary data structures are +created once during the "open" call. Later read and write calls only +have to do a table lookup. Operations on capabilities include copying +capabilities, transferring capabilities between processes, modifying a +capability, and revoking a capability. Modifying a capability can be +something like taking a read-write filedescriptor and making it +read-only. A capability often has a notion of an "owner" which is +able to invalidate all copies and derived versions of a capability. +Entire OSes are based on this "capability" model, with varying degrees +of purity. There are other ways of implementing capabilities than the +file descriptor model - traditionally special hardware has been used, +but modern systems also use the memory management unit of the CPU. + +Then there is something quite different called "POSIX capabilities" +which is what Linux uses. These capabilities are a partitioning of +the all powerful root privilege into a set of distinct privileges (but +look at securelevel emulation to find out that this isn't necessary +the whole truth). Users familiar with VMS or "Trusted" versions of +other UNIX variants will know this under the name "privileges". The +name "capabilities" comes from the now defunct POSIX draft 1003.1e +which used this name. + +2) So what is a "POSIX capability"? + +A process has three sets of bitmaps called the inheritable(I), +permitted(P), and effective(E) capabilities. Each capability is +implemented as a bit in each of these bitmaps which is either set or +unset. When a process tries to do a privileged operation, the +operating system will check the appropriate bit in the effective set +of the process (instead of checking whether the effective uid of the +process i 0 as is normally done). For example, when a process tries +to set the clock, the Linux kernel will check that the process has the +CAP_SYS_TIME bit (which is currently bit 25) set in its effective set. + +The permitted set of the process indicates the capabilities the +process can use. The process can have capabilities set in the +permitted set that are not in the effective set. This indicates that +the process has temporarily disabled this capability. A process is +allowed to set a bit in its effective set only if it is available in +the permitted set. The distinction between effective and permitted +exists so that processes can "bracket" operations that need privilege. + +The inheritable capabilities are the capabilities of the current +process that should be inherited by a program executed by the current +process. The permitted set of a process is masked against the +inheritable set during exec(). Nothing special happens during fork() +or clone(). Child processes and threads are given an exact copy of +the capabilities of the parent process. + +3) What about other entities in the system? Users, Groups, Files? + +Files have capabilities. Conceptually they have the same three +bitmaps that processes have, but to avoid confusion we call them by +other names. Only executable files have capabilities, libraries don't +have capabilities (yet). The three sets are called the allowed set, +the forced set, and the effective set. + +The allowed set indicates what capabilities the executable is allowed +to receive from an execing process. This means that during exec(), +the capabilities of the old process are first masked against a set +which indicates what the process gives away (the inheritable set of +the process), and then they are masked against a set which indicates +what capabilities the new process image is allowed to receive (the +allowed set of the executable). + +The forced set is a set of capabilities created out of thin air and +given to the process after execing the executable. The forced set is +similar in nature to the setuid feature. In fact, the setuid bit from +the filesystem is "read" as a full forced set by the kernel. + +The effective set indicates which bits in the permitted set of the new +process should be transferred to the effective set of the new process. +The effective set is best thought of as a "capability aware" set. It +should consist of only 1s if the executable is capability-dumb, or +only 0s if the executable is capability-smart. Since the effective +set consists of only 0s or only 1s, the filesystem can implement this +set using a single bit. + +NOTE: Filesystem support for capabilities is not part of Linux 2.2. + +Users and Groups don't have associated capabilities from the kernel's +point of view, but it is entirely reasonable to associate users or +groups with capabilities. By letting the "login" program set some +capabilities it is possible to make role users such as a backup user +that will have the CAP_DAC_READ_SEARCH capability and be able to do +backups. This could also be implemented as a PAM module, but nobody +has implemented one yet. + +4) What capabilities exist? + +The capabilities available in Linux are listed and documented in the +file /usr/src/linux/include/linux/capability.h. + +5) Are Linux capabilities hierarchical? + +No, you cannot make a "subcapability" out of a Linux capability as in +capability-based OSes. + +6) How can I use capabilities to make sure Mr. Evil Luser (eluser) +can't exploit my "suid" programs? + +This is the general outline of how this works given filesystem +capability support exists. First, you have a PAM module that sets the +inheritable capabilities of the login-shell of eluser. Then for all +"suid" programs on the system, you decide what capabilities they need +and set the _allowed_ set of the executable to that set of +capabilities. The capability rules + + new permitted = forced | (allowed & inheritable) + +means that you should be careful about setting forced capabilities on +executables. In a few cases, this can be useful though. For example +the login program needs to set the inheritable set of the new user and +therefore needs an almost full permitted set. So if you want eluser +to be able to run login and log in as a different user, you will have +to set some forced bits on that executable. + +7) What about passing capabilities between processes? + +Currently this is done by the system call "setcap" which can set the +capabilities of another process. This requires the CAP_SETPCAP +capability which you really only want to grant a _few_ processes. +CAP_SETPCAP was originally intended as a workaround to be able to +implement filesystem support for capabilities using a daemon outside +the kernel. + +There has been discussions about implementing socket-level capability +passing. This means that you can pass a capability over a socket. No +support for this exists in the official kernel yet. + +8) I see securelevel has been removed from 2.2 and are superceeded by +capabilities. How do I emulate securelevel using capabilities? + +The setcap system call can remove a capability from _all_ processes on +the system in one atomic operation. The setcap utility from the +libcap distribution will do this for you. The utility requires the +CAP_SETPCAP privilege to do this. The CAP_SETPCAP capability is not +enabled by default. + +libcap is available from +ftp://ftp.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.2/ + +9) I noticed that the capability.h file lacks some capabilities that +are needed to fully emulate 2.0 securelevel. Is there a patch for +this? + +Actually yes - funny you should ask :-). The problem with 2.0 +securelevel is that they for example stop root from accessing block +devices. At the same time they restrict the use of iopl. These two +changes are fundamentally different. Blocking access to block devices +means restricting something that usually isn't restricted. +Restricting access to the use of iopl on the other hand means +restricting (blocking) access to something that is already blocked. +Emulating the parts of 2.0 securelevel that restricts things that are +normally not restricted means that the capabilites in the kernel has +to have a set of capabilities that are usually _on_ for a normal +process (note that this breaks the explanation that capabilities are a +partitioning of the root privileges). There is an experimental patch at + +ftp://ftp.guardian.no/pub/free/linux/capabilities/patch-cap-exp-1 + +which implements a set of capabilities with the "CAP_USER" prefix: + +cap_user_sock - allowed to use socket() +cap_user_dev - allowed to open char/block devices +cap_user_fifo - allowed to use pipes + +These should be enough to emulate 2.0 securelevel (tell me if we need +something more). + +10) Seems I need a CAP_SETPCAP capability that I don't have to make use +of capabilities. How do I enable this capability? + +Change the definition of CAP_INIT_EFF_SET and CAP_INIT_INH_SET to the +following in include/linux/capability.h: + +#define CAP_INIT_EFF_SET { ~0 } +#define CAP_INIT_INH_SET { ~0 } + +This will start init with a full capability set and not with +CAP_SETPCAP removed. + +11) How do I start a process with a limited set of capabilities? + +Get the libcap library and use the execcap utility. The following +example starts the update daemon with only the CAP_SYS_ADMIN +capability. + +execcap 'cap_sys_admin=eip' update + +12) How do I start a process with a limited set of capabilities under +another uid? + +Use the sucap utility which changes uid from root without loosing any +capabilities. Normally all capabilities are cleared when changing uid +from root. The sucap utility requires the CAP_SETPCAP capability. +The following example starts updated under uid updated and gid updated +with CAP_SYS_ADMIN raised in the Effective set. + +sucap updated updated execcap 'cap_sys_admin=eip' update + +[ Sucap is currently available from +ftp://ftp.guardian.no/pub/free/linux/capabilities/sucap.c. Put it in +the progs directory of libcap to compile.] + +13) What are the "capability rules" + +The capability rules are the rules used to set the capabilities of the +new process image after an exec. They work like this: + + pI' = pI + (***) pP' = fP | (fI & pI) + pE' = pP' & fE [NB. fE is 0 or ~0] + + I=Inheritable, P=Permitted, E=Effective // p=process, f=file + ' indicates post-exec(). + +Now to make sense of the equations think of fP as the Forced set of +the executable, and fI as the Allowed set of the executable. Notice +how the Inheritable set isn't touched at all during exec(). + +14) What are the laws for setting capability bits in the Inheritable, +Permitted, and Effective sets? + +Bits can be transferred from Permitted to either Effective or +Inheritable set. + +Bits can be removed from all sets. + +15) Where is the standard on which the Linux capabilities are based? + +There used to be a POSIX draft called POSIX.6 and later POSIX 1003.1e. +However after the committee had spent over 10 years, POSIX decided +that enough is enough and dropped the draft. There will therefore not +be a POSIX standard covering security anytime soon. This may lead to +that the POSIX draft is available for free, however. + +-- + Best regards, -- Boris. +