https://bugzilla.novell.com/show_bug.cgi?id=715426
https://bugzilla.novell.com/show_bug.cgi?id=715426#c0

Summary: Kernel doesn't interpret the extended file attribute "security.capability"
Classification: openSUSE
Product: openSUSE 11.4
Version: Final
Platform: All
OS/Version: openSUSE 11.4
Status: NEW
Severity: Major
Priority: P5 - None
Component: Kernel
AssignedTo: kernel-maintainers@forge.provo.novell.com
ReportedBy: nice@titanic.nyme.hu
QAContact: qa@suse.de
Found By: ---
Blocker: ---

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:5.0) Gecko/20100101 Firefox/5.0

Although CONFIG_SECURITY_FILE_CAPABILITIES is enabled at compilation time, the kernel doesn't interpret the extended file attribute "security.capability". This means that adding capabilities to a file's permitted set and enabling its effective bit can't be used instead of setuid bits, and setting inheritable (+effective) capabilities also doesn't make processes able to inherit permitted and effective capabilities from their parents. The utilities in the RPM package libcap-progs are able to correctly set filesystem (and process) capabilities, but the kernel simply omits using them.

3.0.x kernels from http://download.opensuse.org/repositories/Kernel:/stable/standard however, are implementing file capabilities correctly!

It's an even bigger problem that SLES11 SP1 also suffers from the same bug. Please fix it if possible! CentOS 6.0, also using 2.6.32 (like SLES11 SP1), works well, so the problem may be caused by some SuSE kernel patch.

Reproducible: Always

Steps to Reproduce:
As root:
1. cp /bin/ping /
2. chmod 0755 /ping
3. setcap CAP_NET_RAW=pe /ping

As a normal user:
/ping index.hu

Actual Results:
ping: icmp open socket: Operation not permitted

Expected Results:
PING index.hu (217.20.130.97) 56(84) bytes of data.
64 bytes from sportgeza.hu (217.20.130.97): icmp_req=1 ttl=58 time=4.25 ms
64 bytes from sportgeza.hu (217.20.130.97): icmp_req=2 ttl=58 time=3.95 ms
64 bytes from sportgeza.hu (217.20.130.97): icmp_req=3 ttl=58 time=3.94 ms

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
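The report above hinges on one on-disk value: the `security.capability` xattr that `setcap` writes and that the kernel is supposed to read at exec time. When triaging a report like this, the first thing to establish is whether the attribute is actually stored correctly (a libcap/filesystem problem) or stored correctly but ignored (the kernel problem the reporter describes). The following decoder is an added example, not part of the bug report or of openSUSE's tooling; it parses the `struct vfs_cap_data` layout from the kernel's `include/uapi/linux/capability.h` (revisions 1, 2 and 3) and renders the result in `getcap`-style notation. The three sample byte strings are constructed here by hand; the first one is what `setcap CAP_NET_RAW=pe` produces with the revision-2 format used by the libcap of that era.

```python
import errno
import os
import struct
import sys

# Wire format of the security.capability xattr (struct vfs_cap_data in the
# kernel's include/uapi/linux/capability.h); every field is little-endian:
#   u32 magic_etc                      revision in the top byte, flag bits below
#   { u32 permitted; u32 inheritable; } data[1 or 2]   one pair per 32 caps
#   u32 rootid                         revision 3 only (user-namespace root)
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x00000001
REVISION_LAYOUT = {1: (12, 1), 2: (20, 2), 3: (24, 2)}  # total size, pair count

# Capability numbers as defined in the kernel (bit index == CAP_* value).
CAP_NAMES = ("chown dac_override dac_read_search fowner fsetid kill setgid setuid "
             "setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw "
             "ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct "
             "sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod "
             "lease audit_write audit_control setfcap mac_override mac_admin syslog "
             "wake_alarm block_suspend audit_read").split()


def cap_name(bit):
    return f"cap_{CAP_NAMES[bit]}" if bit < len(CAP_NAMES) else f"cap_{bit}"


def parse_vfs_cap_data(raw):
    """Decode raw xattr bytes; reject lengths that do not match the revision."""
    if len(raw) < 4:
        raise ValueError("security.capability value too short")
    (magic_etc,) = struct.unpack_from("<I", raw, 0)
    revision = (magic_etc & VFS_CAP_REVISION_MASK) >> 24
    if revision not in REVISION_LAYOUT:
        raise ValueError(f"unknown vfs_cap_data revision {revision}")
    size, pairs = REVISION_LAYOUT[revision]
    if len(raw) != size:
        raise ValueError(f"revision {revision} needs {size} bytes, got {len(raw)}")
    permitted = inheritable = 0
    for i in range(pairs):  # revision 1 carries caps 0-31 only, 2 and 3 carry 0-63
        p, inh = struct.unpack_from("<II", raw, 4 + 8 * i)
        permitted |= p << (32 * i)
        inheritable |= inh << (32 * i)
    rootid = struct.unpack_from("<I", raw, 20)[0] if revision == 3 else None
    return {
        "revision": revision,
        # A single flag bit: when set, the whole permitted set becomes effective.
        "effective": bool(magic_etc & VFS_CAP_FLAGS_EFFECTIVE),
        "permitted": permitted,
        "inheritable": inheritable,
        "rootid": rootid,
    }


def mask_to_names(mask):
    return [cap_name(i) for i in range(mask.bit_length()) if (mask >> i) & 1]


def format_caps(caps):
    """Render like getcap: capabilities grouped by their e/i/p flag letters."""
    groups = {}
    for bit in range((caps["permitted"] | caps["inheritable"]).bit_length()):
        in_p = (caps["permitted"] >> bit) & 1
        in_i = (caps["inheritable"] >> bit) & 1
        if not (in_p or in_i):
            continue
        flags = ("e" if caps["effective"] and in_p else "") + \
                ("i" if in_i else "") + ("p" if in_p else "")
        groups.setdefault(flags, []).append(cap_name(bit))
    return ",".join(f"{','.join(names)}={flags}" for flags, names in groups.items())


def read_file_caps(path):
    """Decode the xattr of a real file (Linux only); None when the file has none."""
    try:
        raw = os.getxattr(path, "security.capability")
    except OSError as e:
        if e.errno in (errno.ENODATA, errno.ENOTSUP):
            return None
        raise
    return parse_vfs_cap_data(raw)


# Constructed samples (not captured from the reporter's system): the bytes
# setcap writes for "CAP_NET_RAW=pe" in revision 2, a revision-1 value with
# cap_setuid in permitted+inheritable, and a revision-3 value with a rootid.
SAMPLE_NET_RAW_PE = struct.pack("<IIIII", 0x02000000 | VFS_CAP_FLAGS_EFFECTIVE,
                                1 << 13, 0, 0, 0)
SAMPLE_V1_SETUID_PI = struct.pack("<III", 0x01000000, 1 << 7, 1 << 7)
SAMPLE_V3_NET_ADMIN = struct.pack("<IIIIII", 0x03000001, 1 << 12, 0, 0, 0, 1000)

if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. python3 decode_caps.py /ping
        for path in sys.argv[1:]:
            caps = read_file_caps(path)
            print(path, "(no file capabilities)" if caps is None else format_caps(caps))
    else:
        for label, raw in [("rev2 net_raw", SAMPLE_NET_RAW_PE),
                           ("rev1 setuid", SAMPLE_V1_SETUID_PI),
                           ("rev3 net_admin", SAMPLE_V3_NET_ADMIN)]:
            print(label, format_caps(parse_vfs_cap_data(raw)))
```

Run it against the reproducer's `/ping` after step 3: if it prints `cap_net_raw=ep` (matching `getcap`), the attribute is stored exactly as the kernel expects, and an unprivileged `ping` still failing with "Operation not permitted" points at the kernel's exec-time handling rather than at libcap or the filesystem. A `None` result instead means the xattr never reached the inode (no xattr support on that filesystem, or the setcap step failed), which is a different bug from the one reported.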