On 27/03/2013 23:46, Eric Blake wrote:
> That seems like a kernel flaw - it makes sense that you can't
> _add_ capabilities without CAP_SETPCAP, but being unable to _drop_
> capabilities without first acquiring a capability seems backwards.
> I wonder if lkml would accept a patch that makes CAP_SETPCAP
> unnecessary for the restriction case, and only require it for the
> case of gaining capabilities.
The worry here is that dropping _some_ caps but not all lets you
exploit untested error paths in suid binaries.
The solution could be to install libvirtd as suid-root and drop all
capabilities except CAP_SETPCAP when running unprivileged.
Alternatively, you could use file capabilities to the same effect.
Paolo
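The two rules the thread is arguing about can be seen directly from the syscalls. The following is an added example, not code from the thread or from libvirt: it shrinks the thread's effective, permitted and inheritable sets down to a keep mask with capset(2), which any process may do to itself, and then tries to shrink the bounding set with prctl(PR_CAPBSET_DROP), which the kernel only allows when CAP_SETPCAP is in the effective set. Keeping CAP_SETPCAP in the mask, as suggested above, is therefore what makes the bounding-set step possible. It assumes a Linux build with the kernel capability headers available; the struct and function names (capsets, keep_mask, drop_all_except, only_kept_remain) are this example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <linux/capability.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* The three per-thread capability sets as 64-bit masks; the kernel ABI splits
 * each into two u32 words (_LINUX_CAPABILITY_U32S_3 == 2). */
struct capsets {
    uint64_t effective, permitted, inheritable;
};

/* Build a keep mask from capability numbers, e.g. { CAP_SETPCAP }. */
uint64_t keep_mask(const int *caps, size_t n)
{
    uint64_t m = 0;
    for (size_t i = 0; i < n; i++)
        if (caps[i] >= 0 && caps[i] < 64)
            m |= (uint64_t)1 << caps[i];
    return m;
}

/* Reduce a set to the kept bits; kept separate so the arithmetic is testable. */
uint64_t restrict_to(uint64_t set, uint64_t keep)
{
    return set & keep;
}

/* glibc ships no capget/capset wrappers (libcap does), so use syscall(2). */
static int read_caps(struct capsets *out)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3] = { { 0 } };
    if (syscall(SYS_capget, &hdr, data) != 0)
        return -1;
    out->effective   = (uint64_t)data[1].effective   << 32 | data[0].effective;
    out->permitted   = (uint64_t)data[1].permitted   << 32 | data[0].permitted;
    out->inheritable = (uint64_t)data[1].inheritable << 32 | data[0].inheritable;
    return 0;
}

static int write_caps(const struct capsets *in)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];
    for (int w = 0; w < _LINUX_CAPABILITY_U32S_3; w++) {
        data[w].effective   = (uint32_t)(in->effective   >> (32 * w));
        data[w].permitted   = (uint32_t)(in->permitted   >> (32 * w));
        data[w].inheritable = (uint32_t)(in->inheritable >> (32 * w));
    }
    return syscall(SYS_capset, &hdr, data) == 0 ? 0 : -1;
}

/* Drop every capability outside `keep`. Returns 0 when the bounding set was
 * reduced as well, 1 when only effective/permitted/inheritable could be reduced
 * because CAP_SETPCAP is not effective (the PR_CAPBSET_DROP rule), -1 on error. */
int drop_all_except(uint64_t keep)
{
    struct capsets cur;
    if (read_caps(&cur) != 0)
        return -1;

    int bounding_done = 0;
    /* Bounding set first: PR_CAPBSET_DROP needs CAP_SETPCAP, which the keep
     * mask may be about to remove from the effective set. */
    if (cur.effective & ((uint64_t)1 << CAP_SETPCAP)) {
        for (int cap = 0; cap < 64; cap++) {
            int r = prctl(PR_CAPBSET_READ, cap, 0, 0, 0);
            if (r < 0)   /* EINVAL: past the last capability this kernel knows */
                break;
            if (r == 1 && !(keep & ((uint64_t)1 << cap)) &&
                prctl(PR_CAPBSET_DROP, cap, 0, 0, 0) != 0)
                return -1;
        }
        bounding_done = 1;
    }

    /* Shrinking these sets is always allowed: new permitted must be a subset of
     * old permitted, and new effective a subset of new permitted. */
    struct capsets want = {
        .effective   = restrict_to(cur.effective, keep),
        .permitted   = restrict_to(cur.permitted, keep),
        .inheritable = restrict_to(cur.inheritable, keep),
    };
    if (write_caps(&want) != 0)
        return -1;
    return bounding_done ? 0 : 1;
}

/* True when nothing outside `keep` remains in the effective or permitted set. */
int only_kept_remain(uint64_t keep)
{
    struct capsets cur;
    if (read_caps(&cur) != 0)
        return 0;
    return (cur.effective & ~keep) == 0 && (cur.permitted & ~keep) == 0;
}

int main(void)
{
    const int keep[] = { CAP_SETPCAP };
    uint64_t mask = keep_mask(keep, 1);
    int rc = drop_all_except(mask);
    if (rc < 0) {
        perror("drop_all_except");
        return 1;
    }
    printf("caps reduced; bounding set %s\n",
           rc == 0 ? "also reduced" : "left intact (no CAP_SETPCAP)");
    return 0;
}
```

Run it once as an ordinary user and once from a process that holds CAP_SETPCAP (for instance a suid-root binary that has not yet dropped it, or a file with the capability set): the ordinary-user run reports the bounding set left intact, which is the behaviour Eric finds backwards, while the CAP_SETPCAP run clears it. `grep Cap /proc/self/status` from a child shell shows the resulting CapEff, CapPrm and CapBnd masks.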