Displaying 20 results from an estimated 27 matches for "cap_dac_override".
2010 Apr 09
0
ANNOUNCE: cifs-utils release 4.3 available for download
...it's available -- in the future, I may remove
the older libcap code as it's far more difficult to work with. Distros
should consider making their cifs-utils packages depend on libcap-ng
and building against that.
- - the capability bounding set is zeroed out for greater security
- - CAP_DAC_OVERRIDE is only enabled when updating the mtab
webpage: http://linux-cifs.samba.org/cifs-utils/
tarball: ftp://ftp.samba.org/pub/linux-cifs/cifs-utils/
git: git://git.samba.org/cifs-utils.git
gitweb: http://git.samba.org/?p=cifs-utils.git;a=summary
Detailed changelog:
commit e4593787a64...
2019 Apr 30
2
Re: libvirtd via unix socket using system uri
...l hard without these, even if using (for example) pre-created
Ceph block storage, which is our use case? Or would it only fail when it
tried to make use of a capability that wasn't present? My reading of
capabilities is that behaviour is indistinguishable until you get an EPERM?
I agree that CAP_DAC_OVERRIDE (per your later mail) is game over for any
system, as that allows write of any config file. It'd be lovely to find a
way of not requiring that. Knowing that a piece of software can't
maliciously insert kernel modules, can't write or clear audit trails, and
can't do raw I/O already...
2019 Apr 30
0
Re: libvirtd via unix socket using system uri
...n if using (for example) pre-created
> Ceph block storage, which is our use case? Or would it only fail when it
> tried to make use of a capability that wasn't present? My reading of
> capabilities is that behaviour is indistinguishable until you get an EPERM?
>
> I agree that CAP_DAC_OVERRIDE (per your later mail) is game over for any
CAP_DAC_OVERRIDE won't be required if you don't need libvirt to
chown()/setfilecon() disk images (dynamic_ownership in qemu.conf).
CAP_SYS_ADMIN is going to be required if you want libvirt to mount some
nfs based storage pools/create namespaces...
2020 Sep 22
1
starting stoping samba 4.11
...onsStartOnly=true
> Restart=always
> RestartSec=1
> Nice=19
>
> PrivateTmp=yes
> PrivateDevices=yes
> ProtectKernelTunables=yes
> ProtectKernelModules=yes
> ProtectControlGroups=yes
> MemoryDenyWriteExecute=yes
> CapabilityBoundingSet=CAP_CHOWN CAP_SETGID CAP_SETUID CAP_DAC_OVERRIDE
> CAP_NET_BIND_SERVICE CAP_IPC_LOCK CAP_SYS_CHROOT
>
> SystemCallFilter=@system-service @network-io @privileged @resources
> SystemCallFilter=~@debug @module @mount @reboot
>
2020 Sep 21
4
starting stoping samba 4.11
Hello I am using samba Version 4.11.2 compiled.
To start the daemon I using
/samba10/samba-4.11.2/bin/samba -s /etc/samba/smb.conf
To stop correctly, what is recommended ?
Actually I using kill -9 ...
Regards.
2019 Apr 30
3
Re: libvirtd via unix socket using system uri
On Tue, 30 Apr 2019 at 10:40, Michal Privoznik <mprivozn@redhat.com> wrote:
> Is there any problem running libvirtd as root?
>
> Yes, in the regulated environment in which I work! I have to do far more
thorough threat analysis than I would do if I knew which capabilities it
had. So far, we've accepted the extra work; but it would be wonderful to
be able to run a locked-down
2010 Mar 08
3
Security problem with Samba on Linux - affects 3.5.0, 3.4.6 and 3.3.11
...code introduced a severe security flaw which was undetected until
now.
We are releasing new binaries and fixed source code as release numbers:
3.5.1, 3.4.7 and 3.3.12 with this fix included. This will be the only
fix included in these release numbers.
The flaw caused all smbd processes to inherit CAP_DAC_OVERRIDE
capabilities, allowing all file system access to be allowed
even when permissions should have denied access.
Please note this security problem does not affect any platform that does
not support capabilities and platforms where binaries were built without
libcap support.
Also note that 3.4.5 and p...
2010 Mar 08
3
Security problem with Samba on Linux - affects 3.5.0, 3.4.6 and 3.3.11
...code introduced a severe security flaw which was undetected until
now.
We are releasing new binaries and fixed source code as release numbers:
3.5.1, 3.4.7 and 3.3.12 with this fix included. This will be the only
fix included in these release numbers.
The flaw caused all smbd processes to inherit CAP_DAC_OVERRIDE
capabilities, allowing all file system access to be allowed
even when permissions should have denied access.
Please note this security problem does not affect any platform that does
not support capabilities and platforms where binaries were built without
libcap support.
Also note that 3.4.5 and p...
2018 Apr 05
0
Re: Can’t authenticate any users after upgrade.
...pid
ExecReload=/usr/bin/doveadm reload
ExecStop=/usr/bin/doveadm stop
PrivateTmp=true
NonBlocking=yes
# this will make /usr /boot /etc read only for dovecot
ProtectSystem=full
PrivateDevices=true
# disable this if you want to use apparmor plugin
#NoNewPrivileges=true
CapabilityBoundingSet=CAP_CHOWN CAP_DAC_OVERRIDE CAP_IPC_LOCK CAP_KILL CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_AUDIT_WRITE
# You can add environment variables with e.g.:
#Environment='CORE_OUTOFMEM=1'
# If you have trouble with `Too many open files' you may set:
#LimitNOFILE=8192
# If you want t...
2016 Feb 23
0
Change machine name without a reboot?
...________
[root at srv-rhsoft:~]$ cat /etc/systemd/system/smb.service
[Unit]
Description=Samba SMB Daemon
[Service]
Type=forking
LimitNOFILE=32768
ExecStart=/usr/sbin/smbd -D
Restart=always
RestartSec=1
Nice=19
PrivateTmp=yes
PrivateDevices=yes
CapabilityBoundingSet=CAP_CHOWN CAP_SETGID CAP_SETUID CAP_DAC_OVERRIDE
CAP_KILL CAP_NET_BIND_SERVICE CAP_IPC_LOCK CAP_SYS_CHROOT
ReadOnlyDirectories=/etc
ReadOnlyDirectories=/usr
ReadOnlyDirectories=/var/lib
ReadWriteDirectories=/var/lib/samba
ReadWriteDirectories=/usr/local
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signatur...
2020 Sep 21
0
starting stoping samba 4.11
...-group
ExecReload=/usr/bin/kill -HUP $MAINPID
PermissionsStartOnly=true
Restart=always
RestartSec=1
Nice=19
PrivateTmp=yes
PrivateDevices=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
MemoryDenyWriteExecute=yes
CapabilityBoundingSet=CAP_CHOWN CAP_SETGID CAP_SETUID CAP_DAC_OVERRIDE
CAP_NET_BIND_SERVICE CAP_IPC_LOCK CAP_SYS_CHROOT
SystemCallFilter=@system-service @network-io @privileged @resources
SystemCallFilter=~@debug @module @mount @reboot
2010 Apr 02
0
ANNOUNCE: cifs-utils release 4.2 available for download
...Jeff Layton <jlayton at redhat.com>
Date: Thu Apr 1 15:28:57 2010 -0400
mount.cifs: drop capabilities if libcap is available
Might as well be as safe as possible. Have child drop all capabilities,
and have the parent drop all but CAP_SYS_ADMIN (needed for mounting) and
CAP_DAC_OVERRIDE (needed in case mtab isn't writable by root). We might
even eventually consider being clever and dropping CAP_DAC_OVERRIDE when
root has access to the mtab.
Signed-off-by: Jeff Layton <jlayton at redhat.com>
commit 810f7e4e0f2dbcbee0294d9b371071cb08268200
Author: Jeff La...
2016 Feb 23
2
Change machine name without a reboot?
> From: Reindl Harald
>
> besides that you did not provide the info "embedded system" -
> when you
> have systemd you also have "systemctl restart
> whatever.service" and in
> PHP it would be passthru('command')
>
> you don't know how you restart a service via CLI - seriously?
I know how to do it through systemctl, but I was
2015 Jan 10
3
Dovecot on Fedora 20 or 21
Hello,
Is anyone running Dovecot on either a Fedora 20 or 21 system? I'm
having an issue, on a system reboot, which I admit does not happen
often, Dovecot fails to start in the systemctl list, output is status
failed. The issue seems to be Dovecot can not bind to the ipv6
address. Now later if I manually log in to the box and start dovecot
it works just fine no problems. I've googled and
2014 Jul 07
1
virsh: cannot start domain with channel device,
Here is what I got.
root ubuntu:/home/john# virsh start ubuntu2
error: Failed to start domain ubuntu2
error: internal error Process exited while reading console log output: char device redirected to /dev/pts/1
bind(unix:/var/lib/libvirt/qemu/ubuntu2.libguestfs): Permission denied
chardev: opening backend "socket" failed: Permission denied
root ubuntu:/home/john# ll
2018 Apr 05
3
Re: Can’t authenticate any users after upgrade.
On 2018-04-05 06:33, Helmut K. C. Tessarek wrote:
> On 2018-04-04 23:10, Kevin Cummings wrote:
>> PAM audit_log_acct_message() failed: Operation not permitted
>> imap-login: Disconnected (AUTH failed, 2 attempts in 10 secs):
>> user=<username>, method=PLAIN, rip=192.168.1.94 lip=192.168.1.94, TLS,
>> session=<sessionid>
>
> Please look at my pull
2010 Jan 25
1
Stealing ownership: chown user->qemu->root
F12, libvirt 0.7.1-15, qemu 0.11.0-12, 32 bit
I recently discovered that libvirt is stealing ownership of my disk images. How can I make it stop?
I have a disk image in my home directory, owned by matt. When I create a domain that uses the disk it gets chowned to qemu.qemu. When the domain terminates it is owned by root.root. I've lost access to the file.
It has been suggested that the
2011 Aug 03
1
[PATCH v2] kinit: Add drop_capabilities support.
...gt;
+#include <string.h>
+#include <unistd.h>
+
+#include "kinit.h"
+
+#define ARRAY_SIZE(x) (sizeof(x) / sizeof(x[0]))
+
+#define MAKE_CAP(cap) [cap] = { .cap_name = #cap }
+
+struct capability {
+ const char *cap_name;
+} capabilities[] = {
+ MAKE_CAP(CAP_CHOWN),
+ MAKE_CAP(CAP_DAC_OVERRIDE),
+ MAKE_CAP(CAP_DAC_READ_SEARCH),
+ MAKE_CAP(CAP_FOWNER),
+ MAKE_CAP(CAP_FSETID),
+ MAKE_CAP(CAP_KILL),
+ MAKE_CAP(CAP_SETGID),
+ MAKE_CAP(CAP_SETUID),
+ MAKE_CAP(CAP_SETPCAP),
+ MAKE_CAP(CAP_LINUX_IMMUTABLE),
+ MAKE_CAP(CAP_NET_BIND_SERVICE),
+ MAKE_CAP(CAP_NET_BROADCAST),
+ MAKE_CAP(CAP_NET_ADMI...
2016 Jul 09
4
Option configure
Hello,
Am 09.07.2016 um 09:14 schrieb Rowland penny:
>> What is the purpose of the option
>> *
>> **--with-**systemd**
>> ****Enable****systemd****integration*
>>
>> To configure Samba (build).
>>
>
> It is there so that there is also the '--without-systemd' option.
>
> one turns on systemd integration, the other (thank your deity)
2018 Apr 05
4
Can’t authenticate any users after upgrade.
I?m in the process of upgrading an old server from Fedora 21 to something more modern. Now, Dovecot won?t let any client login to get their email.
PAM audit_log_acct_message() failed: Operation not permitted
imap-login: Disconnected (AUTH failed, 2 attempts in 10 secs): user=<username>, method=PLAIN, rip=192.168.1.94 lip=192.168.1.94, TLS, session=<sessionid>
# 2.3.1 (8e2f634):