author: Andrew G. Morgan <morgan@kernel.org> 2021-05-04 20:28:37 -0700
committer: Andrew G. Morgan <morgan@kernel.org> 2021-05-07 20:06:36 -0700
commit: fe4c27de243b13973acff3cda2c8c8ff4a768855
tree: 0f117b5def631a8df86eb66d2d797c579159ae62 /doc
parent: b08b523364b133d7e158968892eba48a18827142
Add a module argument to pam_cap.so to assist with ambient support

Some PAM applications drop privilege when they change UID, which has the side effect of dropping ambient capabilities. We add support for the "keepcaps" argument which can be used in an attempt by the module to not drop permitted capabilities when performing a setuid() call. Some experimentation may be needed to see if this works for any given application. To not be a security bug vector, it requires the application so configured perform an exec() to launch a user-specific operation.

This is an attempt to provide some Administrator support for working around the issue observed in this bug (report by Zoltan Fridrich):

https://bugzilla.kernel.org/show_bug.cgi?id=212945

Signed-off-by: Andrew G. Morgan <morgan@kernel.org>

Diffstat (limited to 'doc')
-rw-r--r-- doc/cap_get_proc.3 | 17
1 files changed, 15 insertions, 2 deletions
diff --git a/doc/cap_get_proc.3 b/doc/cap_get_proc.3
index 05a6e7d..496c06e 100644
--- a/doc/cap_get_proc.3
+++ b/doc/cap_get_proc.3
@@ -3,7 +3,7 @@
cap_get_proc, cap_set_proc, capgetp, cap_get_bound, cap_drop_bound, \
cap_get_ambient, cap_set_ambient, cap_reset_ambient, \
cap_get_secbits, cap_set_secbits, cap_get_mode, cap_set_mode, \
-cap_mode_name, cap_get_pid, cap_setuid, cap_setgroups \
+cap_mode_name, cap_get_pid, cap_setuid, cap_prctl, cap_prctlw, cap_setgroups \
\- capability manipulation on processes
.SH SYNOPSIS
.nf
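Review bot: In the NAME list, cap_prctl and cap_prctlw are inserted between cap_setuid and cap_setgroups, which separates those two related entries, while the SYNOPSIS and DESCRIPTION hunks of this patch place the new functions next to cap_mode_name and cap_set_mode. Consider listing them directly after cap_mode_name here as well, so the NAME order matches the order in which the page presents the functions.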
@@ -25,6 +25,10 @@ unsigned cap_get_secbits(void);
int cap_set_secbits(unsigned bits);
cap_mode_t cap_get_mode(void);
const char *cap_mode_name(cap_mode_t mode);
+int cap_prctl(long int pr_cmd, long int arg1, long int arg2,
+ long int arg3, long int arg4, long int arg5);
+int cap_prctlw(long int pr_cmd, long int arg1, long int arg2,
+ long int arg3, long int arg4, long int arg5);
int cap_set_mode(cap_mode_t mode);
#include <sys/types.h>
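Review bot: The two added prototypes differ only in name, so the SYNOPSIS gives no hint of how cap_prctl() and cap_prctlw() differ, and none of the visible hunks documents what the int return value means or how errors are reported. Please add a sentence covering the return value and error reporting for both. The prototypes are also inserted between cap_mode_name() and cap_set_mode(), which splits the mode functions; placing them after cap_set_mode() would keep that group together.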
@@ -161,6 +165,12 @@ identifies as
Supported modes are:
.BR CAP_MODE_NOPRIV ", " CAP_MODE_PURE1E_INIT " and " CAP_MODE_PURE1E .
.PP
+.BR cap_prctl ()
+can be used to read state via the \fBprctl\fI()\fP system call.
+.PP
+.BR cap_prctlw ()
+can be used to write state via the \fBprctl\fI()\fP system call.
+.PP
.BR cap_set_mode ()
can be used to set the desired mode. The permitted capability
.B CAP_SETPCAP
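Review bot: In both added paragraphs the inline escapes "\fBprctl\fI()\fP" set the parentheses in italic and end with \fP, which returns to the previous font (bold, after the \fB ... \fI sequence) rather than roman, so " system call." is likely to render bold. Putting the reference on its own line as ".BR prctl (2)" matches the .BR style used for the function names here and also gives the manual section. The text would also be more useful if it said what distinguishes a "read" from a "write" use, since a caller choosing the wrong one gets no guidance from "read state" and "write state" alone.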
@@ -239,7 +249,10 @@ or,
.sp
When linked this way, due to linker magic, libcap uses
.BR psx_syscall "(3) and " psx_syscall6 (3)
-to perform state setting system calls.
+to perform state setting system calls. Notably, this also ensures that
+.BI cap_prctlw ()
+can be used to ensure process control bits are shared over all threads
+of a single process.
.SS capgetp() and capsetp()
The library also supports the deprecated functions:
.PP
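Review bot: The added line ".BI cap_prctlw ()" uses .BI, which sets the parentheses in italic, while the description hunk of this same patch uses ".BR cap_prctlw ()"; use .BR here for consistency. The sentence also reads "this also ensures that ... can be used to ensure", which could be tightened to a direct statement that cap_prctlw() applies process control bits to all threads of the process when linked this way. It would help to state explicitly whether cap_prctl() is covered by the same mechanism, since only cap_prctlw() is named.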