Quoting Serge E. Hallyn (serue@xxxxxxxxxx):
> Quoting Mike Kazantsev (mk.fraggod@xxxxxxxxx):
> > CAP_DAC_READ_SEARCH seem to be well-suited and sufficient for the task,
> > according to docs:
> >
> > Bypass file read permission checks and directory read and execute
> > permission checks.
> >
> >
> > I can see it bypassing directory checks, but it fails to bypass file
> > permission check.
> >
> > For example, following code fails with "Capability: 1, Error: Permission
> > denied" on any file with 0000 permissions or, for example,
> > "/root/test1" file with 700 permissions, while succeeding for
> > "/root/test2" file with 755, with "/root" path having 700 mode and uid
> > of test-user is non-root.
> > Getcap of a binary gives "= cap_dac_read_search+eip", which is
> > consistent with capng_have_capability result.
> >
> > #include <stdio.h>
> > #include <errno.h>
> >
> > #include <sys/types.h>
> > #include <sys/stat.h>
> > #include <fcntl.h>
> >
> > #include <cap-ng.h>
> >
> > int main(int argc, char **argv) {
> >
> > printf( "Capability: %d, ",
> > capng_have_capability(CAPNG_EFFECTIVE, CAP_DAC_READ_SEARCH) );
> >
> > int fd;
> > if ((fd = open(argv[1], O_RDONLY)) == -1) {
> > printf("Error: %s\n", (char*) strerror(errno));
> > return(1); }
> > else {
> > close(fd);
> > return(0); }
> >
> > };
> >
> >
> > I've tried this code with the same result for ext4, reiserfs and xfs.
> > CAP_DAC_OVERRIDE works for bypassing any permissions, but it's not
> > quite what I need.
>
> To be sure, are you saying that you've tested with CAP_DAC_OVERRIDE and
> that works? Are you running with selinux enforcing?
>
> Note my own test on 2.6.33-rc2-00007-g85d1bb6 succeeds...
Egads, I'm sorry, Mike. I was sure that if there was any problem it
would be in the exec_permission_lite path, that I had only checked DAC
perms on the path. In fact, it's the DAC perms on the actual file
which are the problem. I can reproduce your problem, and the following
patch fixes it. Please confirm.
>From e923e0c84009c43748ad43d518ba9f702ad3dc1b Mon Sep 17 00:00:00 2001
From: Serge E. Hallyn <serue@xxxxxxxxxx>
Date: Mon, 28 Dec 2009 21:11:46 -0800
Subject: [PATCH 1/1] generic_permission: MAY_OPEN is not write access
generic_permission was refusing CAP_DAC_READ_SEARCH-enabled
processes from opening DAC-protected files read-only, because
do_filp_open adds MAY_OPEN to the open mask.
Ignore MAY_OPEN. After this patch, CAP_DAC_READ_SEARCH is
again sufficient to open(fname, O_RDONLY) on a file to which
DAC otherwise refuses us read permission.
Signed-off-by: Serge E. Hallyn <serue@xxxxxxxxxx>
---
fs/namei.c | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/fs/namei.c b/fs/namei.c
index 68921d9..b55440b 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -232,6 +232,7 @@ int generic_permission(struct inode *inode, int mask,
/*
* Searching includes executable on directories, else just read.
*/
+ mask &= MAY_READ | MAY_WRITE | MAY_EXEC;
if (mask == MAY_READ || (S_ISDIR(inode->i_mode) && !(mask & MAY_WRITE)))
if (capable(CAP_DAC_READ_SEARCH))
return 0;
--
1.6.0.4
--
To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
