search for: cap_dac_read_search

I was wondering if it might be possible for an rsync developer to look over the attached patch (tested on Linux 2.4.24 against the rsync-2.6.0 release), and offer suggestions on how I could improve it. Basically I want to use Linux finer grained capabilities to retain only CAP_SYS_CHROOT & CAP_DAC_READ_SEARCH when rsync drops root privs. That way I can take whole system backups as a (mostly) unprivileged user. Probably it should be some kind of config file option or something rather than a simple compile-time option. Also it would be nice to drop root much earlier if possible, but where? Any suggest...

...ks partially; however, if combined with rsync options which preserve the file owner and/or group, it is partially ineffective. This is because rsync calls chown(2) after setting attributes, and chown removes security attributes (as in capabilities(5)). Steps to Reproduce: $ touch foo $ sudo setcap cap_dac_read_search=pe foo $ getcap foo foo = cap_dac_read_search+ep $ sudo rsync -X foo foo.1 $ getcap foo.1 foo.1 = cap_dac_read_search+ep $ sudo rsync -aX foo foo.2 $ getcap foo.2 $ This report originates from https://bugzilla.redhat.com/show_bug.cgi?id=981797 -- Configure bugmail: https://bugzilla.samba.org/use...

...er check won't work correctly and we can end up with a SIGSEGV. Signed-off-by: Jeff Layton <jlayton at samba.org> commit b6d2d91df012f965f29ba26489aca009712a230c Author: Jeff Layton <jlayton at samba.org> Date: Tue Feb 8 15:33:09 2011 -0500 mount.cifs: reacquire CAP_DAC_READ_SEARCH before calling mount(2) It's possible that the user is trying to mount onto a directory to which he doesn't have execute perms. If that's the case then the mount will currently fail. Fix this by reenabling CAP_DAC_READ_SEARCH before calling mount(2). That will ensur...

...an explicit AC_SUBST(). Reported-by: Lars M?ller <lars at samba.org> Signed-off-by: Jeff Layton <jlayton at samba.org> commit 310ae910b548e232cc86b34896bd7010c3b1cad2 Author: Jeff Layton <jlayton at samba.org> Date: Mon Apr 12 06:55:24 2010 -0400 cifs: enable CAP_DAC_READ_SEARCH before chdir() and realpath() calls It's possible that root won't have privileges to chdir or evaluate the paths without that capability. Signed-off-by: Jeff Layton <jlayton at samba.org> - -- Jeff Layton <jlayton at samba.org> -----BEGIN PGP SIGNATURE---...

...+#include <unistd.h> + +#include "kinit.h" + +#define ARRAY_SIZE(x) (sizeof(x) / sizeof(x[0])) + +#define MAKE_CAP(cap) [cap] = { .cap_name = #cap } + +struct capability { + const char *cap_name; +} capabilities[] = { + MAKE_CAP(CAP_CHOWN), + MAKE_CAP(CAP_DAC_OVERRIDE), + MAKE_CAP(CAP_DAC_READ_SEARCH), + MAKE_CAP(CAP_FOWNER), + MAKE_CAP(CAP_FSETID), + MAKE_CAP(CAP_KILL), + MAKE_CAP(CAP_SETGID), + MAKE_CAP(CAP_SETUID), + MAKE_CAP(CAP_SETPCAP), + MAKE_CAP(CAP_LINUX_IMMUTABLE), + MAKE_CAP(CAP_NET_BIND_SERVICE), + MAKE_CAP(CAP_NET_BROADCAST), + MAKE_CAP(CAP_NET_ADMIN), + MAKE_CAP(CAP_NET_RAW), + MA...

...erg at gmail.com> commit 2a78385bbf879c16c538b0c78ff4e939724fafd4 Author: Jeff Layton <jlayton at samba.org> Date: Mon Apr 5 11:23:37 2010 -0400 mount.cifs: restrict capabilities further Only the parent process will ever need CAP_DAC_OVERRIDE. The child can get by with CAP_DAC_READ_SEARCH. Signed-off-by: Jeff Layton <jlayton at samba.org> commit da77c1b3ae934e29025d05b50eebecdbf569bfa4 Author: Jeff Layton <jlayton at samba.org> Date: Mon Apr 5 11:23:32 2010 -0400 mount.cifs: properly prune the capabilities bounding set ...libcap-ng does this in...

...eys at physics.wisc.edu>     Signed-off-by: Jeff Layton <jlayton at samba.org> commit ec3874fdc669901f4a9e8a90a856f999cd627a3f Author: Jeff Layton <jlayton at samba.org> Date:   Thu Feb 16 09:55:45 2017 -0500     cifs.upcall: trim even more capabilities          We really only need CAP_DAC_READ_SEARCH, not CAP_DAC_OVERRIDE, and     only when we are going to probe the environ file.          Also, fix the non-libcap-ng trim_capabilities prototype.          Reviewed-by: Simo Sorce <simo at redhat.com>     Signed-off-by: Jeff Layton <jlayton at samba.org> commit 912cbe49114392bd7c375c4c...

This patchset applies to klibc mainline. As is it will probably collide with Maximilian's recent patch to rename run-init to switch_root posted last week. To boot an untrusted environment with certain capabilities locked out, we'd like to be able to drop the capabilities up front from early userspace, before we actually transition onto the root volume. This patchset implements this by