Mailinglist Archive: opensuse-security (757 mails)

Re: [suse-security] compartment(chroot), capabilities and user on kernel 2.4
  • From: Andreas Amann <andreas.amann@xxxxxxxx>
  • Date: Thu, 10 Jan 2002 13:00:05 +0100 (CET)
  • Message-id: <200201101200.g0AC05Yo002482@xxxxxxxxxxxxxxxx>
On Wed, 9 Jan 2002, Dietrich Meyer wrote:

> Hi all,
>
> in the documentation of the compartment script (of SUSE 7.3), I found a note
> that under kernel 2.4, it would be possible to use capabilities together with
> a non-root user, which was impossible for kernels 2.2.x.
>
> I tried to get it to work (in my case, BIND8 using the init_bind8 script from
> the compartment-documentation).
> I modified the script so that a minimal /etc/passwd and /etc/group was put
> into the chroot-dir, and "chowned" /var/named to the new user.
> Finally, I changed the call to compartment, added '--user newuser' and
> changed '--group newgroup'. But it wouldn't start :-(
>
> So my question: Is it in principle possible to use different users (non-root)
> together with capabilities? If yes, I will try a bit more..... Or maybe if
> anybody sees something obvious missing in my procedure, please tell me.
> Thanks!!!!
>

I had a similar problem with that a while ago.
Capabilities are disabled for kernels > 2.2.14. Processes with uid 0 have the
full set of capabilities, others have an empty set. Compartment's --cap option
therefore has no effect. You must patch <linux/capability.h> to be able to use
it again but IIRC there was a problem with setuid() that makes this a bit
dangerous. I think you can find more information at http://www.securityfocus.com.


--
Best regards / Mit freundlichen Gruessen,
Andreas Amann < andreas dot amann at epost dot de >
===================================================
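The reply above turns on one observable fact: what a process's permitted and effective capability sets actually contain after it changes uid. The C program below is an added example for readers of this thread; it is not code from the compartment tool, from SUSE, or from either poster. It parses the CapPrm/CapEff lines of /proc/<pid>/status (a constructed excerpt is embedded so the parser runs offline), reports the caller's own sets, and, when started as root on a kernel that supports prctl(PR_SET_KEEPCAPS) (present on today's Linux; whether it applies to the 2.4 kernel discussed here is not something this example decides), switches to a placeholder uid/gid of 65534 while keeping only CAP_NET_BIND_SERVICE, which is what a chrooted BIND would need to bind port 53. The function names, the sample text and the uid are assumptions.

```c
/* Added example (not from the thread or the compartment tool): inspect a
 * process's capability sets and drop root while keeping one capability. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <grp.h>
#ifdef __linux__
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/capability.h>
#endif
#ifndef CAP_NET_BIND_SERVICE
#define CAP_NET_BIND_SERVICE 10 /* bit number as in <linux/capability.h> */
#endif

/* Constructed excerpt of /proc/<pid>/status, as it looks after a setuid() done
 * with PR_SET_KEEPCAPS: permitted set kept, effective set cleared. */
static const char SAMPLE_STATUS[] =
    "Name:\tnamed\nUid:\t65534\t65534\t65534\t65534\n"
    "CapPrm:\t0000003fffffffff\nCapEff:\t0000000000000000\n";

/* Find "<field><whitespace><hex>" at a line start; 0 on success, -1 if absent. */
int parse_cap_mask(const char *text, const char *field, unsigned long long *out)
{
    size_t flen = strlen(field);
    const char *p = text;
    while (p && *p) {
        if (strncmp(p, field, flen) == 0) {
            char *end;
            errno = 0;
            unsigned long long v = strtoull(p + flen, &end, 16);
            if (errno != 0 || end == p + flen) return -1;
            *out = v;
            return 0;
        }
        p = strchr(p, '\n');
        if (p) p++;
    }
    return -1;
}

int has_cap(unsigned long long mask, int capnum)
{
    return (int)((mask >> capnum) & 1ULL);
}

/* Mask for `field` in the constructed sample, or ~0 if the field is missing. */
unsigned long long sample_mask(const char *field)
{
    unsigned long long m;
    return parse_cap_mask(SAMPLE_STATUS, field, &m) == 0 ? m : ~0ULL;
}

/* Live permitted/effective sets of the calling process. */
int read_own_caps(unsigned long long *prm, unsigned long long *eff)
{
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    if (parse_cap_mask(buf, "CapPrm:", prm) != 0) return -1;
    return parse_cap_mask(buf, "CapEff:", eff);
}

#ifdef __linux__
/* Become uid/gid while retaining only the capabilities in `keep` (a bit mask
 * over capability numbers 0..31). PR_SET_KEEPCAPS stops setuid() from
 * emptying the permitted set; capset() then shrinks it and re-raises the
 * effective set. Must run as root; returns 0 on success. */
int drop_to_user_keeping(uid_t uid, gid_t gid, unsigned int keep)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];
    memset(data, 0, sizeof data);
    if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) != 0) return -1;
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    data[0].permitted = keep;
    data[0].effective = keep; /* inheritable stays 0 */
    if (syscall(SYS_capset, &hdr, data) != 0) return -1;
    return prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0);
}
#endif

int main(void)
{
    unsigned long long prm, eff;
    if (read_own_caps(&prm, &eff) != 0) { perror("read_own_caps"); return 1; }
    printf("uid=%d permitted=%016llx effective=%016llx\n", (int)getuid(), prm, eff);
#ifdef __linux__
    /* 65534 is a placeholder uid/gid; a real daemon uses its own account. */
    if (getuid() == 0 &&
        drop_to_user_keeping(65534, 65534, 1u << CAP_NET_BIND_SERVICE) == 0 &&
        read_own_caps(&prm, &eff) == 0)
        printf("after drop: uid=%d permitted=%016llx effective=%016llx\n",
               (int)getuid(), prm, eff);
#endif
    return 0;
}
```

Started as an ordinary user it only prints the caller's own sets, which for a plain login shell are normally all zero, matching the "empty set" the reply describes for non-root processes. Started as root it prints the full set first and then, after the uid change, a permitted and effective set with only bit 10 set; if the second line instead shows zeros, the kernel in use did not honour PR_SET_KEEPCAPS and the capability-based approach the original poster was trying will not work on it.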

