linux capabilities ?
From: jnf
Date: Thu Jan 20 2005 - 13:09:22 EST
Hi.
I have been playing a little here and there with Linux capabilities, and
seem to be hitting a few snags, so I was hoping to obtain some input on
their current status. The kernel on the box in question is 2.6.10, with
the CAP_INIT_EFF_SET macro modified to allow init to have CAP_SETPCAP.
I am mostly trying to accomplish this so that I can run syslog as a
non-root user, and as I understand it from digging through the source, one
should be able to accomplish this with the CAP_SYS_ADMIN capability;
however, this does not appear to be true?
In kernel/printk.c I see:
    error = security_syslog(type);
    if (error)
        return error;
which is defined in something like include/linux/security.h as a pointer
to cap_syslog(), which in turn is defined in security/commoncap.c where I
see:
    if ((type != 3 && type != 10) && !capable(CAP_SYS_ADMIN))
        return -EPERM;
    return 0;
Type 3 is:
* 3 -- Read up to the last 4k of messages in the ring buffer.
So when I give the process CAP_SYS_ADMIN I still cannot seem to read from
/proc/kmsg. I also tried giving it CAP_DAC_OVERRIDE just to test whether
DACs were the problem, but that didn't seem to help any.
So with that said, does anyone have any ideas as to what I need to do? Any
details on the current state of the capabilities would be helpful.
Thanks,
jnf
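
A diagnostic sketch for the situation described in the message, added here as an example and not part of the original post or of the kernel source: it reads the process's effective capability mask from the CapEff line of /proc/self/status, mirrors the quoted cap_syslog() test in userspace, and then attempts the type 3 read through klogctl(). The helper names (parse_cap_eff, has_cap, model_cap_syslog) are hypothetical; the bit numbers are those of <linux/capability.h>.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/klog.h>

/* Added sketch with hypothetical helper names; bit numbers from <linux/capability.h>. */
enum { BIT_DAC_OVERRIDE = 1, BIT_SETPCAP = 8, BIT_SYS_ADMIN = 21 };

/* Extract the effective capability mask from /proc/<pid>/status text. */
int parse_cap_eff(const char *status, unsigned long long *mask)
{
    const char *p = status;
    while (p && *p) {
        if (strncmp(p, "CapEff:", 7) == 0) {
            char *end;
            *mask = strtoull(p + 7, &end, 16);
            return end == p + 7 ? -1 : 0;   /* -1: no hex digits found */
        }
        p = strchr(p, '\n');                /* advance to the next line */
        if (p) p++;
    }
    return -1;                              /* no CapEff line at all */
}

int has_cap(unsigned long long mask, int bit) { return (int)((mask >> bit) & 1); }

/* Userspace model of the cap_syslog() test quoted in the message. */
int model_cap_syslog(int type, unsigned long long eff)
{
    if ((type != 3 && type != 10) && !has_cap(eff, BIT_SYS_ADMIN))
        return -EPERM;
    return 0;
}

int main(void)
{
    static char buf[8192];
    unsigned long long eff = 0;
    FILE *f = fopen("/proc/self/status", "r");
    size_t n = f ? fread(buf, 1, sizeof buf - 1, f) : 0;
    if (f) fclose(f);
    buf[n] = '\0';
    if (parse_cap_eff(buf, &eff) != 0) return 1;
    printf("CapEff=%#llx SYS_ADMIN=%d DAC_OVERRIDE=%d SETPCAP=%d\n", eff,
           has_cap(eff, BIT_SYS_ADMIN), has_cap(eff, BIT_DAC_OVERRIDE),
           has_cap(eff, BIT_SETPCAP));
    int r = klogctl(3, buf, (int)sizeof buf); /* type 3: read from the ring buffer */
    printf("klogctl(3)=%d (%s)\n", r, r < 0 ? strerror(errno) : "ok");
    return 0;
}
```

Run it as the same user and with the same capability setup as the syslog daemon, so the printed mask shows whether the capability actually reached the effective set before the syscall result is interpreted.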