In spite of my exam period beginning next week, I managed to do something useful for GSoC :).
What did I do this week:
In order to do some better testing I wanted to patch some ebuilds, as I said last week. The question there is: how do you find out which caps a program needs in order to function? I consulted Friedhoff's page [0] again and downloaded capable_probe. This neat loadable kernel module detects when a program asks for a capability and logs it to /var/log/messages. All you need is CONFIG_KPROBES=y in your kernel.
I tried it out and unfortunately it didn't work. I vaguely remembered that the caps format had changed recently, but I was busy studying, so I didn't look into the problem right away (I came back to it later :)).
Friedhoff has some example cap sets on his page and there are also some on [1], so I used these and patched shadow, pam and util-linux.
The patched binaries are:
- passwd - CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_FOWNER
- chsh - CAP_CHOWN, CAP_DAC_READ_SEARCH, CAP_FSETID, CAP_SETUID
- chfn - CAP_CHOWN, CAP_DAC_READ_SEARCH, CAP_FSETID, CAP_SETUID
- chage - CAP_DAC_READ_SEARCH
- expiry - CAP_DAC_OVERRIDE, CAP_SETGID
- gpasswd - CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_SETUID
- newgrp - CAP_DAC_OVERRIDE, CAP_SETGID
- su - CAP_SETGID, CAP_SETUID (this only seems to work when unix_chkpwd has its cap)
- mount - CAP_DAC_OVERRIDE, CAP_SYS_ADMIN
- umount - CAP_DAC_OVERRIDE, CAP_SYS_ADMIN, (CAP_CHOWN)
- unix_chkpwd - CAP_DAC_OVERRIDE
After testing them, everything worked except umount. To investigate what was missing I turned back to capable_probe. After a bit of digging through the kernel docs and sources, the problem was clear: the signature of cap_capable, the function the jprobe hook is placed on, had changed. A jprobe handler must have exactly the same prototype as the function it probes, otherwise it reads the wrong arguments. After adapting the signature it worked!
Using capable_probe I saw that umount was asking for CAP_CHOWN, which was not in its set. Since umount failed when moving mtab.tmp back to mtab, it seemed reasonable that CAP_CHOWN could help. And it did :).
All in all I'm very happy today and will write a separate post on capable_probe. I added the patched version to my git repo [2].
I would be even happier :D if someone tried my patched ebuilds and told me whether everything is okay or something is missing.
[0] http://www.friedhoff.org/posixfilecaps.html
[1] http://wiki.archlinux.org/index.php/Using_File_Capabilities_Instead_Of_Setuid
[2] http://github.com/constanze/GSoC2010_Gentoo_Capabilities/tree/master/capable_probe/
Nice work! I tried your overlay on my server machine (~amd64) and it worked like a charm.
What I'd appreciate is a wiki page, e.g. on gentoo-wiki.com, or a sticky post on forums.gentoo.org which contains some kind of "complete" documentation on the prerequisites and steps needed to convert your suid-based Gentoo to a caps-based one :wink:
Anyways: Keep up the good work!
Cool, thanks for taking it for a test-drive :D.
I put together a quick wiki page on my GitHub page:
http://wiki.github.com/constanze/GSoC2010_Gentoo_Capabilities/how-to-make-your-gentoo-system-setuid-free
Let me know if there is something missing.
When the project is finished, there will hopefully be a page in the gentoo-wiki :).