search for: cap_dac_overrid

...it's available -- in the future, I may remove the older libcap code as it's far more difficult to work with. Distros should consider making their cifs-utils packages depend on libcap-ng and building against that. - - the capability bounding set is zeroed out for greater security - - CAP_DAC_OVERRIDE is only enabled when updating the mtab webpage: http://linux-cifs.samba.org/cifs-utils/ tarball: ftp://ftp.samba.org/pub/linux-cifs/cifs-utils/ git: git://git.samba.org/cifs-utils.git gitweb: http://git.samba.org/?p=cifs-utils.git;a=summary Detailed changelog: commit e4593787a6...

...l hard without these, even if using (for example) pre-created Ceph block storage, which is our use case? Or would it only fail when it tried to make use of a capability that wasn't present? My reading of capabilities is that behaviour is indistinguishable until you get an EPERM? I agree that CAP_DAC_OVERRIDE (per your later mail) is game over for any system, as that allows write of any config file. It'd be lovely to find a way of not requiring that. Knowing that a piece of software can't maliciously insert kernel modules, can't write or clear audit trails, and can't do raw I/O alread...

...n if using (for example) pre-created > Ceph block storage, which is our use case? Or would it only fail when it > tried to make use of a capability that wasn't present? My reading of > capabilities is that behaviour is indistinguishable until you get an EPERM? > > I agree that CAP_DAC_OVERRIDE (per your later mail) is game over for any CAP_DAC_OVERRIDE won't be required if you don't need libvirt to chown()/setfilecon() disk images (dynamic_ownership in qemu.conf). CAP_SYS_ADMIN is going to be required if you want libvirt to mount some nfs based storage pools/create namespaces...

...onsStartOnly=true > Restart=always > RestartSec=1 > Nice=19 > > PrivateTmp=yes > PrivateDevices=yes > ProtectKernelTunables=yes > ProtectKernelModules=yes > ProtectControlGroups=yes > MemoryDenyWriteExecute=yes > CapabilityBoundingSet=CAP_CHOWN CAP_SETGID CAP_SETUID CAP_DAC_OVERRIDE > CAP_NET_BIND_SERVICE CAP_IPC_LOCK CAP_SYS_CHROOT > > SystemCallFilter=@system-service @network-io @privileged @resources > SystemCallFilter=~@debug @module @mount @reboot >

Hello I am using samba Version 4.11.2 compiled. To start the daemon I using /samba10/samba-4.11.2/bin/samba -s /etc/samba/smb.conf To stop correctly, what is recommended ? Actually I using kill -9 ... Regards.

On Tue, 30 Apr 2019 at 10:40, Michal Privoznik <mprivozn@redhat.com> wrote: > Is there any problem running libvirtd as root? > > Yes, in the regulated environment in which I work! I have to do far more thorough threat analysis than I would do if I knew which capabilities it had. So far, we've accepted the extra work; but it would be wonderful to be able to run a locked-down

...code introduced a severe security flaw which was undetected until now. We are releasing new binaries and fixed source code as release numbers: 3.5.1, 3.4.7 and 3.3.12 with this fix included. This will be the only fix included in these release numbers. The flaw caused all smbd processes to inherit CAP_DAC_OVERRIDE capabilities, allowing all file system access to be allowed even when permissions should have denied access. Please note this security problem does not affect any platform that does not support capabilities and platforms where binaries were built without libcap support. Also note that 3.4.5 and...

...code introduced a severe security flaw which was undetected until now. We are releasing new binaries and fixed source code as release numbers: 3.5.1, 3.4.7 and 3.3.12 with this fix included. This will be the only fix included in these release numbers. The flaw caused all smbd processes to inherit CAP_DAC_OVERRIDE capabilities, allowing all file system access to be allowed even when permissions should have denied access. Please note this security problem does not affect any platform that does not support capabilities and platforms where binaries were built without libcap support. Also note that 3.4.5 and...

...pid ExecReload=/usr/bin/doveadm reload ExecStop=/usr/bin/doveadm stop PrivateTmp=true NonBlocking=yes # this will make /usr /boot /etc read only for dovecot ProtectSystem=full PrivateDevices=true # disable this if you want to use apparmor plugin #NoNewPrivileges=true CapabilityBoundingSet=CAP_CHOWN CAP_DAC_OVERRIDE CAP_IPC_LOCK CAP_KILL CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_AUDIT_WRITE # You can add environment variables with e.g.: #Environment='CORE_OUTOFMEM=1' # If you have trouble with `Too many open files' you may set: #LimitNOFILE=8192 # If you want...

...________ [root at srv-rhsoft:~]$ cat /etc/systemd/system/smb.service [Unit] Description=Samba SMB Daemon [Service] Type=forking LimitNOFILE=32768 ExecStart=/usr/sbin/smbd -D Restart=always RestartSec=1 Nice=19 PrivateTmp=yes PrivateDevices=yes CapabilityBoundingSet=CAP_CHOWN CAP_SETGID CAP_SETUID CAP_DAC_OVERRIDE CAP_KILL CAP_NET_BIND_SERVICE CAP_IPC_LOCK CAP_SYS_CHROOT ReadOnlyDirectories=/etc ReadOnlyDirectories=/usr ReadOnlyDirectories=/var/lib ReadWriteDirectories=/var/lib/samba ReadWriteDirectories=/usr/local -------------- next part -------------- A non-text attachment was scrubbed... Name: signatu...

...-group ExecReload=/usr/bin/kill -HUP $MAINPID PermissionsStartOnly=true Restart=always RestartSec=1 Nice=19 PrivateTmp=yes PrivateDevices=yes ProtectKernelTunables=yes ProtectKernelModules=yes ProtectControlGroups=yes MemoryDenyWriteExecute=yes CapabilityBoundingSet=CAP_CHOWN CAP_SETGID CAP_SETUID CAP_DAC_OVERRIDE CAP_NET_BIND_SERVICE CAP_IPC_LOCK CAP_SYS_CHROOT SystemCallFilter=@system-service @network-io @privileged @resources SystemCallFilter=~@debug @module @mount @reboot

...Jeff Layton <jlayton at redhat.com> Date: Thu Apr 1 15:28:57 2010 -0400 mount.cifs: drop capabilities if libcap is available Might as well be as safe as possible. Have child drop all capabilities, and have the parent drop all but CAP_SYS_ADMIN (needed for mounting) and CAP_DAC_OVERRIDE (needed in case mtab isn't writable by root). We might even eventually consider being clever and dropping CAP_DAC_OVERRIDE when root has access to the mtab. Signed-off-by: Jeff Layton <jlayton at redhat.com> commit 810f7e4e0f2dbcbee0294d9b371071cb08268200 Author: Jeff L...

> From: Reindl Harald > > besides that you did not provide the info "embedded system" - > when you > have systemd you also have "systemctl restart > whatever.service" and in > PHP it would be passthru('command') > > you don't know how you restart a service via CLI - seriously? I know how to do it through systemctl, but I was

Hello, Is anyone running Dovecot on either a Fedora 20 or 21 system? I'm having an issue, on a system reboot, which I admit does not happen often, Dovecot fails to start in the systemctl list, output is status failed. The issue seems to be Dovecot can not bind to the ipv6 address. Now later if I manually log in to the box and start dovecot it works just fine no problems. I've googled and

Here is what I got. root ubuntu:/home/john# virsh start ubuntu2 error: Failed to start domain ubuntu2 error: internal error Process exited while reading console log output: char device redirected to /dev/pts/1 bind(unix:/var/lib/libvirt/qemu/ubuntu2.libguestfs): Permission denied chardev: opening backend "socket" failed: Permission denied root ubuntu:/home/john# ll

On 2018-04-05 06:33, Helmut K. C. Tessarek wrote: > On 2018-04-04 23:10, Kevin Cummings wrote: >> PAM audit_log_acct_message() failed: Operation not permitted >> imap-login: Disconnected (AUTH failed, 2 attempts in 10 secs): >> user=<username>, method=PLAIN, rip=192.168.1.94 lip=192.168.1.94, TLS, >> session=<sessionid> > > Please look at my pull

F12, libvirt 0.7.1-15, qemu 0.11.0-12, 32 bit I recently discovered that libvirt is stealing ownership of my disk images. How can I make it stop? I have a disk image in my home directory, owned by matt. When I create a domain that uses the disk it gets chowned to qemu.qemu. When the domain terminates it is owned by root.root. I've lost access to the file. It has been suggested that the

...gt; +#include <string.h> +#include <unistd.h> + +#include "kinit.h" + +#define ARRAY_SIZE(x) (sizeof(x) / sizeof(x[0])) + +#define MAKE_CAP(cap) [cap] = { .cap_name = #cap } + +struct capability { + const char *cap_name; +} capabilities[] = { + MAKE_CAP(CAP_CHOWN), + MAKE_CAP(CAP_DAC_OVERRIDE), + MAKE_CAP(CAP_DAC_READ_SEARCH), + MAKE_CAP(CAP_FOWNER), + MAKE_CAP(CAP_FSETID), + MAKE_CAP(CAP_KILL), + MAKE_CAP(CAP_SETGID), + MAKE_CAP(CAP_SETUID), + MAKE_CAP(CAP_SETPCAP), + MAKE_CAP(CAP_LINUX_IMMUTABLE), + MAKE_CAP(CAP_NET_BIND_SERVICE), + MAKE_CAP(CAP_NET_BROADCAST), + MAKE_CAP(CAP_NET_ADM...

Hello, Am 09.07.2016 um 09:14 schrieb Rowland penny: >> What is the purpose of the option >> * >> **--with-**systemd** >> ****Enable****systemd****integration* >> >> To configure Samba (build). >> > > It is there so that there is also the '--without-systemd' option. > > one turns on systemd integration, the other (thank your deity)

I?m in the process of upgrading an old server from Fedora 21 to something more modern. Now, Dovecot won?t let any client login to get their email. PAM audit_log_acct_message() failed: Operation not permitted imap-login: Disconnected (AUTH failed, 2 attempts in 10 secs): user=<username>, method=PLAIN, rip=192.168.1.94 lip=192.168.1.94, TLS, session=<sessionid> # 2.3.1 (8e2f634):