more libcap2

Robert Connolly robert at linuxfromscratch.org
Thu Oct 2 21:45:59 PDT 2008


On Friday October 3 2008 12:39:01 am Robert Connolly wrote:
> On Friday October 3 2008 12:12:15 am Robert Connolly wrote:
> > Another suid-root dropped:
> >
> > chmod -s /bin/su
> > setcap CAP_DAC_READ_SEARCH,CAP_SETUID,CAP_SETGID=ep /bin/su
> >
> > robert
>
> /bin/su seems to want to reset the gid, and probably the uid, of
> /etc/shadow, according to strace.
>
> Regardless of the comments in /usr/include/linux/capability.h, it looks
> like CAP_DAC_READ_SEARCH allows writing to /etc/shadow.
>
> If I remove CAP_DAC_READ_SEARCH, and make /etc/shadow group
> read/writable, /bin/su works. Each has pros and cons, and I don't know
> which is better.
>
> This might be a bug in CAP_DAC_READ_SEARCH... somehow FOWNER was mixed in.
>
> Opinions, debug help?
>
> robert

Sorry, but to clarify, if /bin/su has CAP_DAC_READ_SEARCH, the permissions 
on /etc/shadow can remain read-only by root. Removing CAP_DAC_READ_SEARCH 
gives a setgid error... strace isn't clear, but I think the error is caused 
by /etc/shadow's write permissions.

robert
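As an added example for the question raised in this thread (this is not code from the original post, from libcap2 or from HLFS): a small C probe that prints the calling process's effective capability set from /proc/self/status and then tries to open a file read-only and write-only, so the effect of a given setcap line can be checked directly instead of being inferred from strace. The capability bit numbers are the ones defined in /usr/include/linux/capability.h (CAP_CHOWN=0, CAP_DAC_OVERRIDE=1, CAP_DAC_READ_SEARCH=2, CAP_FOWNER=3, CAP_SETGID=6, CAP_SETUID=7); the default path /etc/shadow and the file name capprobe.c are assumptions. The kernel's DAC check consults CAP_DAC_READ_SEARCH only for read and search (execute-on-directory) requests, so for a binary carrying cap_dac_read_search=ep and run by an unprivileged user the expected output is an O_RDONLY open that succeeds and an O_WRONLY open that fails with EACCES; if the write-only open also succeeds, CAP_DAC_OVERRIDE is in the effective set.

```c
/* capprobe.c: report the effective capability set of this process and
 * probe whether it can open a file read-only and write-only.
 * Added example for the hlfs-dev thread above; not code from the original
 * post.  CapEff parsing is Linux-only; the open() probe is plain POSIX. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Capability bit numbers as defined in /usr/include/linux/capability.h. */
enum {
    CAPBIT_CHOWN           = 0,
    CAPBIT_DAC_OVERRIDE    = 1,
    CAPBIT_DAC_READ_SEARCH = 2,
    CAPBIT_FOWNER          = 3,
    CAPBIT_SETGID          = 6,
    CAPBIT_SETUID          = 7,
};

/* Return 1 if the given capability bit is set in a CapEff-style mask. */
int cap_in_mask(unsigned long long mask, int bit)
{
    return (int)((mask >> bit) & 1ULL);
}

/* Write the names of the probed capabilities present in mask into buf as a
 * comma-separated list.  Returns how many were listed. */
int cap_mask_names(unsigned long long mask, char *buf, size_t buflen)
{
    static const struct { int bit; const char *name; } tab[] = {
        { CAPBIT_CHOWN,           "CAP_CHOWN" },
        { CAPBIT_DAC_OVERRIDE,    "CAP_DAC_OVERRIDE" },
        { CAPBIT_DAC_READ_SEARCH, "CAP_DAC_READ_SEARCH" },
        { CAPBIT_FOWNER,          "CAP_FOWNER" },
        { CAPBIT_SETGID,          "CAP_SETGID" },
        { CAPBIT_SETUID,          "CAP_SETUID" },
    };
    int n = 0;
    buf[0] = '\0';
    for (size_t i = 0; i < sizeof tab / sizeof tab[0]; i++) {
        if (!cap_in_mask(mask, tab[i].bit))
            continue;
        if (n)
            strncat(buf, ",", buflen - strlen(buf) - 1);
        strncat(buf, tab[i].name, buflen - strlen(buf) - 1);
        n++;
    }
    return n;
}

/* Parse the CapEff: line of /proc/self/status (a hex mask) into *mask.
 * Returns 0 on success, -1 if /proc is unavailable or the line is missing. */
int read_cap_eff(unsigned long long *mask)
{
    FILE *f = fopen("/proc/self/status", "r");
    char line[256];
    int rc = -1;
    if (!f)
        return -1;
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, "CapEff:", 7) == 0) {
            *mask = strtoull(line + 7, NULL, 16);
            rc = 0;
            break;
        }
    }
    fclose(f);
    return rc;
}

/* Open path O_RDONLY then O_WRONLY.  *rd and *wr receive 0 on success or the
 * errno of the failed open (EACCES when the DAC check denies it). */
void probe_open(const char *path, int *rd, int *wr)
{
    int fd = open(path, O_RDONLY);
    *rd = fd < 0 ? errno : 0;
    if (fd >= 0)
        close(fd);
    fd = open(path, O_WRONLY);
    *wr = fd < 0 ? errno : 0;
    if (fd >= 0)
        close(fd);
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/etc/shadow"; /* assumed default */
    unsigned long long eff = 0;
    char names[256];
    int rd, wr;

    if (read_cap_eff(&eff) == 0) {
        cap_mask_names(eff, names, sizeof names);
        printf("CapEff: %016llx (%s)\n", eff,
               names[0] ? names : "none of the probed bits");
    } else {
        printf("CapEff: unavailable\n");
    }
    probe_open(path, &rd, &wr);
    printf("open(%s, O_RDONLY): %s\n", path, rd ? strerror(rd) : "ok");
    printf("open(%s, O_WRONLY): %s\n", path, wr ? strerror(wr) : "ok");
    return 0;
}
```

Build it with `gcc -o capprobe capprobe.c`, then as root `setcap cap_dac_read_search=ep ./capprobe` (libcap's setcap accepts the names case-insensitively, so the uppercase spelling used in the thread works too) and run it as an unprivileged user. The CapEff line it prints should agree with `getcap ./capprobe`; if it reports none of the bits, check that the binary sits on a filesystem mounted without nosuid and with extended-attribute support, since file capabilities are ignored otherwise. Swapping in cap_dac_override=ep and rerunning shows the contrast: with that bit both opens succeed.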