Re: [PATCH 0/2] cifs-utils: update the cap bounding set only when CAP_SETPCAP is given

Hi Aurélien,

On 2020-11-24 13:11, Aurélien Aptel wrote:
> This sounds good but I'm not very familiar with libcap, any ideas how we
> can test those code paths?

A simple integration test would be trying to run mount.cifs as a setuid binary
with normal user rights. With libcap-ng 0.8.1 and an unpatched version of
cifs-utils 6.11, this will result in the error message "Unable to apply new
capability set."

$ git clone --branch=cifs-utils-6.11 https://git.samba.org/cifs-utils.git
$ cd cifs-utils
$ autoreconf -i
$ ./configure
$ make
$ sudo chown root:root ./mount.cifs
$ sudo chmod u+s ./mount.cifs
$ ./mount.cifs test /mnt
Unable to apply new capability set.

After applying the patch series, mount.cifs will work normally:

$ ./mount.cifs test /mnt
mount.cifs: permission denied: no match for /mnt found in /etc/fstab

For cifs.upcall, I guess this is usually run with elevated privileges, so it
will normally have CAP_SETPCAP, but for testing purposes, we can grant the
necessary capabilities manually and run as a normal user:

$ sudo setcap cap_setuid,cap_setgid,cap_sys_ptrace,cap_dac_read_search=ep ./cifs.upcall
$ ./cifs.upcall

Without the patch, this will fail with an empty stderr and an error of
"trim_capabilities: Unable to apply capability set: Success" in the syslog.
With the patch, applying the capabilities succeeds and the usage information

Usage: cifs.upcall [ -K /path/to/keytab] [-k /path/to/krb5.conf] [-E] [-t] [-v] [-l] [-e nsecs] key_serial

is displayed on stderr.

Best,
Jonas
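
The tests above hinge on one fact: shrinking the capability bounding set requires CAP_SETPCAP, so a setuid-root mount.cifs has it while a cifs.upcall granted only the four file capabilities from the setcap line does not. As an added example (not code from cifs-utils or from this thread), the helper below reads the CapEff mask from /proc/<pid>/status-style text and reports whether the calling process may update the bounding set. The function names and the two constructed status snippets are assumptions for illustration; the capability numbers (CAP_DAC_READ_SEARCH=2, CAP_SETGID=6, CAP_SETUID=7, CAP_SETPCAP=8, CAP_SYS_PTRACE=19) are the Linux values.

```shell
#!/bin/sh
# Added example, not part of cifs-utils or the original mail.
# Before shrinking the capability bounding set (as mount.cifs and cifs.upcall
# do through libcap-ng), check whether the process holds CAP_SETPCAP, since
# that is the capability the bounding-set update needs.

CAP_SETPCAP=8   # Linux capability number, from <linux/capability.h>

# cap_eff_from_status: print the CapEff hex mask from status text on stdin
cap_eff_from_status() {
    awk '$1 == "CapEff:" { print $2 }'
}

# has_cap MASK CAPNUM: succeed if capability CAPNUM is set in hex MASK
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# bounding_set_update_allowed STATUSFILE: print "yes" if CapEff in the file
# contains CAP_SETPCAP, otherwise "no"
bounding_set_update_allowed() {
    mask=$(cap_eff_from_status < "$1")
    if has_cap "$mask" "$CAP_SETPCAP"; then
        echo yes
    else
        echo no
    fi
}

# Constructed sample inputs (hypothetical, not captured from a real host):
# 1) a setuid-root mount.cifs with the full root capability set
# 2) cifs.upcall after the setcap line from the mail
#    (cap_setuid,cap_setgid,cap_sys_ptrace,cap_dac_read_search = 0x800c4)
demo_dir=$(mktemp -d)
printf 'CapInh:\t0000000000000000\nCapEff:\t000001ffffffffff\n' \
    > "$demo_dir/mount.cifs.status"
printf 'CapInh:\t0000000000000000\nCapEff:\t00000000000800c4\n' \
    > "$demo_dir/cifs.upcall.status"

echo "setuid mount.cifs may update the bounding set: $(bounding_set_update_allowed "$demo_dir/mount.cifs.status")"
echo "setcap'd cifs.upcall may update the bounding set: $(bounding_set_update_allowed "$demo_dir/cifs.upcall.status")"

# On a live Linux host, also report the answer for the current shell
if [ -r /proc/self/status ]; then
    echo "this shell may update the bounding set: $(bounding_set_update_allowed /proc/self/status)"
fi

rm -rf "$demo_dir"
```

The "no" answer for the cifs.upcall snippet is exactly the situation the patch series handles: without CAP_SETPCAP the bounding-set update must be skipped rather than attempted, otherwise libcap-ng reports "Unable to apply capability set".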
