On Tue, Feb 10, 2009 at 3:38 PM, Serge E. Hallyn <serue@xxxxxxxxxx> wrote: > Quoting Xavier Toth (txtoth@xxxxxxxxx): >> On Tue, Feb 10, 2009 at 2:33 PM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote: >> > On Tue, 2009-02-10 at 14:20 -0600, Xavier Toth wrote: >> >> On Tue, Feb 10, 2009 at 12:34 PM, Serge E. Hallyn <serue@xxxxxxxxxx> wrote: >> >> > Quoting Xavier Toth (txtoth@xxxxxxxxx): >> >> >> I was not putting capabilities on the script but rather on a compiled >> >> >> wrapper which execs a python script in which I need to do auditing. >> >> >> Will this not work? >> >> > >> >> > No, because of the way capabilities are re-calculated on exec(). >> >> > >> >> > pI' = pI >> >> > pP' = (X&fP) | (pI & fI) >> >> > pE' = fE ? pP' : 0 >> >> > >> >> > So since the interpreter has fI=fP=fE=0 and is not setuid root (which >> >> > would fill in fP and/or fE to emulate privileged root), pP' and pE' will >> >> > be empty after exec(). >> >> > >> >> > Now you could use a wrapper as follows: Have the wrapper fill pI, >> >> > and then fill fI on the python interpreter. Any user who has an >> >> > empty pI (which generally is all users) will execute python scripts >> >> > with no privilege, but when the wrapper execs the script, pP' will >> >> > be filled with (pI&fI) = full. >> >> > >> >> > -serge >> >> > >> >> >> >> Thanks for the clarification. >> >> For anyone one that is interested I've included some test code. The >> >> wrapper is a modified version of a wrapper Stephen sent me a link to. >> >> Basic steps to test are: >> >> 1) edit the wrapper to set the path to the audit_test.py script >> >> 2) compiler the wrapper >> >> gcc -o audit-wrapper audit-wrapper.c -lcap >> >> 3) set the capabilities on the wrapper and python >> >> setcap cap_audit_write,cap_setfcap=epi audit-wrapper >> > >> > Why cap_setfcap (set file capability)? >> >> The wrapper adds the 'i' back to cap_audit_write as it goes away when >> audit-wrapper runs. > >> I was printing the capabilities in the wrapper for >> debug purposes when I noticed that it capabilities were "= >> cap_audit_write,cap_setfcap+ep". I think without the i cap_audit_write >> can't be inherited by the child process. >> >> > And do you need to set fI on the wrapper at all, given that it isn't >> > inheriting anything from its caller? >> >> Without cap_setfcap cap_set_proc fails, without cap_audit_write >> cap_set_proc fails (see cap_set_proc man page). >> >> > >> >> setcap cap_audit_write=ei /usr/bin/python >> > >> > Is setting fE required on the interpreter? >> >> I tried 'i' only it wouldn't work without 'e'. > > Right, without 'e' the final exec() will end up with > cap_audit_write in pP' but not pE', so you won't be > able to actually exercise the privilege (without using > cap_set_proc() which I assume python doesn't support). > > It's no big deal, but your use of fI still is more liberal > than it needs to be. The following should suffice: > > setcap cap_audit_write=p audit-wrapper > setcap cap_audit_write=ei /usr/bin/python > > Now anyone running audit-wrapper will get cap_audit_write > in pP', but not be able to exercise it (it's not in pE'). > Audit-wrapper can put cap_audit_write into pI because it's > in pP. Finally, when audit-wrapper execs the python script, > that will run with pP'=pI'=pP'=cap_audit_write. > > -serge > You're right 'setcap cap_audit_write=p audit-wrapper' is sufficient. Ted -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
