search for: cap_setgid

Displaying 19 results from an estimated 19 matches for "cap_setgid".

2020 Sep 22
1
starting stoping samba 4.11
...$MAINPID > PermissionsStartOnly=true > Restart=always > RestartSec=1 > Nice=19 > > PrivateTmp=yes > PrivateDevices=yes > ProtectKernelTunables=yes > ProtectKernelModules=yes > ProtectControlGroups=yes > MemoryDenyWriteExecute=yes > CapabilityBoundingSet=CAP_CHOWN CAP_SETGID CAP_SETUID CAP_DAC_OVERRIDE > CAP_NET_BIND_SERVICE CAP_IPC_LOCK CAP_SYS_CHROOT > > SystemCallFilter=@system-service @network-io @privileged @resources > SystemCallFilter=~@debug @module @mount @reboot >
2020 Sep 21
4
starting stoping samba 4.11
Hello, I am using Samba version 4.11.2, compiled. To start the daemon I am using /samba10/samba-4.11.2/bin/samba -s /etc/samba/smb.conf To stop it correctly, what is recommended? Actually I am using kill -9 ... Regards.
2018 Apr 05
0
Re: Can’t authenticate any users after upgrade.
...eadm stop PrivateTmp=true NonBlocking=yes # this will make /usr /boot /etc read only for dovecot ProtectSystem=full PrivateDevices=true # disable this if you want to use apparmor plugin #NoNewPrivileges=true CapabilityBoundingSet=CAP_CHOWN CAP_DAC_OVERRIDE CAP_IPC_LOCK CAP_KILL CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_AUDIT_WRITE # You can add environment variables with e.g.: #Environment='CORE_OUTOFMEM=1' # If you have trouble with `Too many open files' you may set: #LimitNOFILE=8192 # If you want to allow the Dovecot services to produce core dumps, us...
2016 Feb 23
0
Change machine name without a reboot?
...______________________________ [root at srv-rhsoft:~]$ cat /etc/systemd/system/smb.service [Unit] Description=Samba SMB Daemon [Service] Type=forking LimitNOFILE=32768 ExecStart=/usr/sbin/smbd -D Restart=always RestartSec=1 Nice=19 PrivateTmp=yes PrivateDevices=yes CapabilityBoundingSet=CAP_CHOWN CAP_SETGID CAP_SETUID CAP_DAC_OVERRIDE CAP_KILL CAP_NET_BIND_SERVICE CAP_IPC_LOCK CAP_SYS_CHROOT ReadOnlyDirectories=/etc ReadOnlyDirectories=/usr ReadOnlyDirectories=/var/lib ReadWriteDirectories=/var/lib/samba ReadWriteDirectories=/usr/local -------------- next part -------------- A non-text attachment wa...
2020 Sep 21
0
starting stoping samba 4.11
...oreground --no-process-group ExecReload=/usr/bin/kill -HUP $MAINPID PermissionsStartOnly=true Restart=always RestartSec=1 Nice=19 PrivateTmp=yes PrivateDevices=yes ProtectKernelTunables=yes ProtectKernelModules=yes ProtectControlGroups=yes MemoryDenyWriteExecute=yes CapabilityBoundingSet=CAP_CHOWN CAP_SETGID CAP_SETUID CAP_DAC_OVERRIDE CAP_NET_BIND_SERVICE CAP_IPC_LOCK CAP_SYS_CHROOT SystemCallFilter=@system-service @network-io @privileged @resources SystemCallFilter=~@debug @module @mount @reboot
2016 Feb 23
2
Change machine name without a reboot?
> From: Reindl Harald > > besides that you did not provide the info "embedded system" - > when you > have systemd you also have "systemctl restart > whatever.service" and in > PHP it would be passthru('command') > > you don't know how you restart a service via CLI - seriously? I know how to do it through systemctl, but I was
2019 Aug 05
2
multiuser sshd as non-root
...I've got a security requirement to run it as an ordinary user, let's say test-x, instead of root. It works well if I try to log in as test-x user with public key auth. Unfortunately I need sshd to serve other users as well. In order to let sshd switch uids I've set the CAP_SETUID and CAP_SETGID capabilities on the sshd binary. But it didn't work out, when I try to log in as another user, say test-y, sshd says: Failed to set uids to 1009. Disabling privsep didn't help. From strace I didn't even see any attempt to setuid() to test-y, so I think (but haven't verified) tha...
2015 Jan 10
3
Dovecot on Fedora 20 or 21
Hello, Is anyone running Dovecot on either a Fedora 20 or 21 system? I'm having an issue, on a system reboot, which I admit does not happen often, Dovecot fails to start in the systemctl list, output is status failed. The issue seems to be Dovecot can not bind to the ipv6 address. Now later if I manually log in to the box and start dovecot it works just fine no problems. I've googled and
2018 Apr 05
3
Re: Can’t authenticate any users after upgrade.
On 2018-04-05 06:33, Helmut K. C. Tessarek wrote: > On 2018-04-04 23:10, Kevin Cummings wrote: >> PAM audit_log_acct_message() failed: Operation not permitted >> imap-login: Disconnected (AUTH failed, 2 attempts in 10 secs): >> user=<username>, method=PLAIN, rip=192.168.1.94 lip=192.168.1.94, TLS, >> session=<sessionid> > > Please look at my pull
2011 Aug 03
1
[PATCH v2] kinit: Add drop_capabilities support.
...of(x[0])) + +#define MAKE_CAP(cap) [cap] = { .cap_name = #cap } + +struct capability { + const char *cap_name; +} capabilities[] = { + MAKE_CAP(CAP_CHOWN), + MAKE_CAP(CAP_DAC_OVERRIDE), + MAKE_CAP(CAP_DAC_READ_SEARCH), + MAKE_CAP(CAP_FOWNER), + MAKE_CAP(CAP_FSETID), + MAKE_CAP(CAP_KILL), + MAKE_CAP(CAP_SETGID), + MAKE_CAP(CAP_SETUID), + MAKE_CAP(CAP_SETPCAP), + MAKE_CAP(CAP_LINUX_IMMUTABLE), + MAKE_CAP(CAP_NET_BIND_SERVICE), + MAKE_CAP(CAP_NET_BROADCAST), + MAKE_CAP(CAP_NET_ADMIN), + MAKE_CAP(CAP_NET_RAW), + MAKE_CAP(CAP_IPC_LOCK), + MAKE_CAP(CAP_IPC_OWNER), + MAKE_CAP(CAP_SYS_MODULE), + MAKE_CAP(CAP_SY...
2016 Jul 09
4
Option configure
Hello, On 09.07.2016 at 09:14, Rowland penny wrote: >> What is the purpose of the option >> --with-systemd >> Enable systemd integration >> >> To configure Samba (build). >> > > It is there so that there is also the '--without-systemd' option. > > one turns on systemd integration, the other (thank your deity)
2018 Apr 05
4
Can’t authenticate any users after upgrade.
I’m in the process of upgrading an old server from Fedora 21 to something more modern. Now, Dovecot won’t let any client login to get their email. PAM audit_log_acct_message() failed: Operation not permitted imap-login: Disconnected (AUTH failed, 2 attempts in 10 secs): user=<username>, method=PLAIN, rip=192.168.1.94 lip=192.168.1.94, TLS, session=<sessionid> # 2.3.1 (8e2f634):
2016 Jul 09
4
Option configure
...t srv-rhsoft:~]$ cat /etc/systemd/system/smb.service [Unit] Description=Samba SMB Daemon [Service] Type=forking LimitNOFILE=32768 ExecStart=/usr/sbin/smbd -D ExecReload=/usr/bin/kill -HUP $MAINPID Restart=always RestartSec=1 Nice=19 PrivateTmp=yes PrivateDevices=yes CapabilityBoundingSet=CAP_CHOWN CAP_SETGID CAP_SETUID CAP_DAC_OVERRIDE CAP_KILL CAP_NET_BIND_SERVICE CAP_IPC_LOCK CAP_SYS_CHROOT SystemCallFilter=~acct modify_ldt add_key adjtimex clock_adjtime delete_module fanotify_init finit_module get_mempolicy init_module io_destroy io_getevents iopl ioperm io_setup io_submit io_cancel kcmp kexec_l...
2017 Feb 15
5
[cifs-utils PATCH v3 0/4] cifs.upcall: allow cifs.upcall to scrape cache location initiating task's environment
Apologies for v3 series, I had some extra patches in there. This is the one that should have been sent. Relabeled as v4 for clarity. Third respin of this series. Reordered for better safety for bisecting. The environment scraping is now on by default, but can be disabled with "-E" in environments where it's not needed. Also, I've added a patch to make cifs.upcall drop
2011 Jul 19
4
[PATCH v1 0/2] Support dropping of capabilities from early userspace.
This patchset applies to klibc mainline. As is it will probably collide with Maximilian's recent patch to rename run-init to switch_root posted last week. To boot an untrusted environment with certain capabilities locked out, we'd like to be able to drop the capabilities up front from early userspace, before we actually transition onto the root volume. This patchset implements this by
2017 Feb 15
5
[cifs-utils PATCH v3 0/4] cifs.upcall: allow cifs.upcall to scrape cache location initiating task's environment
Third respin of this series. Reordered for better safety for bisecting. The environment scraping is now on by default, but can be disabled with "-E" in environments where it's not needed. Also, I've added a patch to make cifs.upcall drop capabilities before doing most of its work. This may help reduce the attack surface of the program. Jeff Layton (4): cifs.upcall: convert
2020 Oct 17
10
[RFC] treewide: cleanup unreachable breaks
...able(const struct cred *cred, * set*uid() (e.g. setting up userns uid mappings). */ pr_warn("Operation requires CAP_SETUID, which is not available to UID %u for operations besides approved set*uid transitions\n", __kuid_val(cred->uid)); return -EPERM; - break; case CAP_SETGID: /* * If no policy applies to this task, allow the use of CAP_SETGID for * other purposes. */ @@ -138,15 +137,13 @@ static int safesetid_security_capable(const struct cred *cred, * set*gid() (e.g. setting up userns gid mappings). */ pr_warn("Operation requires CAP_SETGID...
2020 Oct 17
10
[RFC] treewide: cleanup unreachable breaks
...able(const struct cred *cred, * set*uid() (e.g. setting up userns uid mappings). */ pr_warn("Operation requires CAP_SETUID, which is not available to UID %u for operations besides approved set*uid transitions\n", __kuid_val(cred->uid)); return -EPERM; - break; case CAP_SETGID: /* * If no policy applies to this task, allow the use of CAP_SETGID for * other purposes. */ @@ -138,15 +137,13 @@ static int safesetid_security_capable(const struct cred *cred, * set*gid() (e.g. setting up userns gid mappings). */ pr_warn("Operation requires CAP_SETGID...
2018 Jan 22
1
Samba 4.7 don't start on F27
...e=forking LimitNOFILE=32768 ExecStart=/usr/sbin/smbd -D ExecReload=/usr/bin/kill -HUP $MAINPID Restart=always RestartSec=1 Nice=19 PrivateTmp=yes PrivateDevices=yes ProtectKernelTunables=yes ProtectKernelModules=yes ProtectControlGroups=yes MemoryDenyWriteExecute=yes CapabilityBoundingSet=CAP_CHOWN CAP_SETGID CAP_SETUID CAP_DAC_OVERRIDE CAP_KILL CAP_NET_BIND_SERVICE CAP_IPC_LOCK CAP_SYS_CHROOT SystemCallFilter=~acct modify_ldt add_key adjtimex clock_adjtime delete_module fanotify_init finit_module get_mempolicy init_module io_destroy io_getevents iopl ioperm io_setup io_submit io_cancel kcmp kexec_l...