diff options
author | Andrew G Morgan <morgan@kernel.org> | 2013-12-24 11:12:54 -0800 |
---|---|---|
committer | Andrew G Morgan <morgan@kernel.org> | 2013-12-24 11:12:54 -0800 |
commit | 12ea42e59cbac9b6c58ac81af577086beda86ead (patch) | |
tree | ee13e810ba1c9f1a4ed8ca3a5ab439cf055ba158 /progs | |
parent | 93308182d4a8837adddb803cde4f7efda37d6273 (diff) | |
download | libcap2-12ea42e59cbac9b6c58ac81af577086beda86ead.tar.gz |
Stop using ping to test privilege use.
It appears that ping has been modified to hard-code non-file-capability
acquired privilege use. That is, it requires PR_SET_KEEPCAPS (a legacy
supporting secure bit) to function in order for ping to work. As such, we
can't rely on it for quicktest.sh. Instead, we use a copy of capsh
enhanced with file-caps for our test cases.
Thanks to Serge Hallyn @ Ubuntu for figuring out what broke.
Signed-off-by: Andrew G Morgan <morgan@kernel.org>
Diffstat (limited to 'progs')
-rwxr-xr-x | progs/quicktest.sh | 44 |
1 files changed, 26 insertions, 18 deletions
diff --git a/progs/quicktest.sh b/progs/quicktest.sh index be3fa7d..ca6bf1e 100755 --- a/progs/quicktest.sh +++ b/progs/quicktest.sh @@ -44,18 +44,23 @@ pass_capsh () { pass_capsh --print -# Make a local non-setuid-0 version of ping -cp /bin/ping . && chmod -s ./ping -# Give it the forced capability it needs -./setcap all=ep ./ping +# Make a local non-setuid-0 version of capsh and call it privileged +cp ./capsh ./privileged && chmod -s ./privileged +if [ $? -ne 0 ]; then + echo "Failed to copy capsh for capability manipulation" + exit 1 +fi + +# Give it the forced capability it could need +./setcap all=ep ./privileged if [ $? -ne 0 ]; then echo "Failed to set all capabilities on file" exit 1 fi -./setcap cap_net_raw=ep ./ping +./setcap cap_setuid,cap_setgid=ep ./privileged if [ $? -ne 0 ]; then - echo "Failed to set single capability on ping file" + echo "Failed to set limited capabilities on privileged file" exit 1 fi @@ -75,37 +80,40 @@ pass_capsh --uid=500 -- -c "./tcapsh --keep=1 --caps=\"cap_net_raw,cap_net_admin # This fails, on 2.6.24, but shouldn't pass_capsh --uid=500 -- -c "./tcapsh --keep=1 --caps=\"cap_net_raw,cap_net_admin=ip\" --uid=500 --forkfor=10 --caps= --print --killit=9 --print" -rm -f tcapsh - # only continue with these if --secbits is supported ./capsh --secbits=0x2f > /dev/null 2>&1 if [ $? -ne 0 ]; then echo "unable to test securebits manipulation - assume not supported (PASS)" - rm -f ./ping + rm -f tcapsh + rm -f privileged exit 0 fi pass_capsh --secbits=42 --print fail_capsh --secbits=32 --keep=1 --keep=0 --print pass_capsh --secbits=10 --keep=0 --keep=1 --print -fail_capsh --secbits=47 -- -c "ping -c1 localhost" +fail_capsh --secbits=47 -- -c "./tcapsh --user=nobody" + +rm -f tcapsh # Suppress uid=0 privilege -fail_capsh --secbits=47 --print -- -c "/bin/ping -c1 localhost" +fail_capsh --secbits=47 --print -- -c "./capsh --user=nobody" -# suppress uid=0 privilege and test this ping -pass_capsh --secbits=0x2f --print -- -c "./ping -c1 localhost" +# suppress uid=0 privilege and test this privileged +pass_capsh --secbits=0x2f --print -- -c "./privileged --user=nobody" # observe that the bounding set can be used to suppress this forced capability -fail_capsh --drop=cap_net_raw,cap_chown --secbits=0x2f --print -- -c "./ping -c1 localhost" +fail_capsh --drop=cap_setuid --secbits=0x2f --print -- -c "./privileged --user=nobody" # change the way the capability is obtained (make it inheritable) -./setcap cap_net_raw=ei ./ping +./setcap cap_setuid,cap_setgid=ei ./privileged -pass_capsh --secbits=47 --inh=cap_net_raw --drop=cap_net_raw \ - --uid=500 --print -- -c "./ping -c1 localhost" +# Note, the bounding set (edited with --drop) only limits p +# capabilities, not i's. +pass_capsh --secbits=47 --inh=cap_setuid,cap_setgid --drop=cap_setuid \ + --uid=500 --print -- -c "./privileged --user=nobody" -rm -f ./ping +rm -f ./privileged # test that we do not support capabilities on setuid shell-scripts cat > hack.sh <<EOF |