similar to: [Bug 2600] New: Use Linux capabilities to revoke additional permissions from chrooted users

Displaying 20 results from an estimated 4000 matches similar to: "[Bug 2600] New: Use Linux capabilities to revoke additional permissions from chrooted users"

2016 Mar 19
0
[Bug 2556] New: on Linux non-root process can chroot
https://bugzilla.mindrot.org/show_bug.cgi?id=2556 Bug ID: 2556 Summary: on Linux non-root process can chroot Product: Portable OpenSSH Version: 7.1p1 Hardware: Other OS: Linux Status: NEW Severity: minor Priority: P5 Component: sshd Assignee: unassigned-bugs at mindrot.org
2010 May 31
0
Could not call revoke: Cannot convert into OpenSSL::BN
Hello, When I try to revoke certificates from my puppet installation, I get the following error: /etc/puppet/ssl# puppetca --revoke all all notice: Revoked certificate with serial # Inventory of signed certificates err: Could not call revoke: Cannot convert into OpenSSL::BN And nothing gets deleted. I didn't find any information about this error, and couldn't correct it.
2018 Sep 21
0
Bias in R's random integers?
Hello, Top posting. Several people have asked about the code to replicate my results. I have cleaned up the code to remove an x/y coordinate bias for displaying the results directly on a 640 x 480 VGA adapter. You can find the code here: http://people.redhat.com/sgrubb/files/vseq.c To collect R samples: X <- runif(10000, min = 0, max = 65535) write.table(X, file =
2001 Aug 14
1
[BUG] linux-2.4.7-ac7 Assertion failure in journal_revoke() at revoke.c:307
Greetings all, I have hit a kernel BUG in revoke.c in kernel 2.4.7-ac7 twice today while attempting to perform the same operation (patching stock 2.4.8 kernel src with "patch -p1 < patch-2.4.8-ac4"). Syslog entries follow. Please email me if you want/need my kernel config or any other information. Thanks, jtp
1998 Nov 17
0
revoke
The bug I reported earlier seems to have been a hoax of sorts. =] The share(s) I tried it on had full access passwords, but no read-only passwords. Sorry about this. --- Mark Deneen deneen@bucknell.edu ICQ: 333068 http://www.students.bucknell.edu/deneen Different all twisty a of in maze are you, passages little.
2012 Jul 26
3
About revoke write access of all the shadows
Hi all, Recently, I read codes about the shadow page table. I'm wondering whether the kernel has provided the function to revoke write access of all the shadows of one domain. If you know one with this function, please tell me about it. Thanks. BTW, I have my own idea to implement this. My idea is as follows: void sh_revoke_write_access_all(struct domain *d) {
2018 Feb 01
2
Reload config with SIGHUP does not immediately revoke access to host removed from hosts allow
Hello All My samba-4.x server has lot of registry shares added. There are windows clients connected to it and I wanted to remove the access to one of the hosts. I did net conf setparm to set the updated list of IPs in "hosts allow" param and then reloaded samba config with killall -1 smbd . I see that the host which is not part of the hosts allow but already have a open window in
1999 Jan 30
0
Re: Capabilities and the sticky-bit...
[Mod: The to address has been changed. The original message has been CC'ed to linux-security. This is mostly FYI only -- alex] Winfried, Good question. Since Linux-2.2.* has hit the streets, I'm guessing there may be wider interest in this sort of thing so I'm CC'ing my reply to linux-security. The capability stuff in the kernel provides a way to strip away all of the privilege
2018 Sep 21
3
Bias in R's random integers?
Not sure what should happen theoretically for the code in vseq.c, but I see the same pattern with the R generators I tried (default, Super-Duper, and L'Ecuyer) and with bash $RANDOM using N <- 10000 X1 <- replicate(N, as.integer(system("bash -c 'echo $RANDOM'", intern = TRUE))) X2 <- replicate(N, as.integer(system("bash -c 'echo $RANDOM'",
2007 Feb 27
0
Capability dropping support patch
Hi, A week ago I submitted an early patch, please ignore it. The patch attached to this email has been tested and seems to work for me. I have also attached instead of inline to solve problems with spaces/tabs. The patch will, on systems that have libcap support, drop capabilities that Dovecot doesn't need. For example there is no need for CAP_SYS_MODULE, which enables module
2013 Jan 16
5
libguestfs-test-tool error, libcap.so - no such file
Did install from source of libguestfs-1.20.1 on Ubuntu-12.10. And libguestfs-test-tool complains about not finding libcap.so.2 uptime: 2.26 1.00 guestfsd: error while loading shared libraries: libcap.so.2: cannot open shared object file: No such file or directory [ 2.277795] Unregister pv shared memory for cpu 0 [ 2.278324] kvm: exiting hardware virtualization [ 2.278763] sd 2:0:1:0:
2010 Apr 09
0
ANNOUNCE: cifs-utils release 4.3 available for download
This release is primarily to fix a few bugs that were introduced with the mount.cifs overhaul in the last release. Most of the problems were issues with the handling of capabilities that prevented credential files from being accessed when mount.cifs was run by root. There are a few other changes: - credential files accept parameter names
2016 Apr 20
2
Backspace key does not work in a ssh chroot jail
I setup a ssh chroot jail following this[1] guide. It works for my user to login, use ls and use scp which is all I really want. I do have a problem I cannot solve: when connected and navigating the filesystem, the backspace key actually moves the cursor forward and does not delete what I type. I may have found a hint from some googling that readline will read in /etc/inputrc on login but if
2016 Oct 17
20
[Bug 2625] New: Support Capabilities for ssh client port forwarding
https://bugzilla.mindrot.org/show_bug.cgi?id=2625 Bug ID: 2625 Summary: Support Capabilities for ssh client port forwarding Product: Portable OpenSSH Version: 7.3p1 Hardware: All OS: Linux Status: NEW Severity: enhancement Priority: P5 Component: ssh Assignee: unassigned-bugs
2018 Sep 20
4
Bias in R's random integers?
Hello, On Thursday, September 20, 2018 11:15:04 AM EDT Duncan Murdoch wrote: > On 20/09/2018 6:59 AM, Ralf Stubner wrote: > > On 9/20/18 1:43 AM, Carl Boettiger wrote: > >> For a well-tested C algorithm, based on my reading of Lemire, the > >> unbiased "algorithm 3" in https://arxiv.org/abs/1805.10941 is part > >> already of the C standard library in
2020 Jan 02
0
dovecot cannot drop privileges inside singularity container
Have you tried setting linux capabilities, like NET_BIND_SERVICE,CHOWN,SYS_CHROOT,SETGID? Have you checked the permissions of paths? I had to relocate the run dir with things like these && mkdir /var/dovecot \ && mkdir /var/lib/dovecot \ && (umask 027 ; mkdir /var/dovecot/login) \ && (umask 022 ; mkdir /var/dovecot/empty) \ && (umask
2020 Oct 17
1
[PATCH] Use guestfsd binary to auto-generate library dependencies for appliance
The ELF NEEDED are used to determine guestfsd's library dependencies with help from the dynamic linker and the package manager. This was prompted by Debian bug #972241 which was caused by a libtirpc package renaming in Debian/unstable because the SONAME had been changed. --- appliance/Makefile.am | 26 ++++++++++++++++- appliance/packagelist.in | 62
2011 Jan 21
0
ANNOUNCE: cifs-utils release 4.8.1 available for download
It turns out that the 4.8 release had some mis-generated autoconf files. In particular, the aclocal files for libcap-ng were not properly included. This would lead to mount.cifs not being built with support for dropping capabilities via libcap-ng. This minor release fixes that and only that. People who install mount.cifs as a setuid root program
2007 Feb 23
0
Simple patch
Inline below is a simple patch that drops the root capabilities that aren't needed (inspired by a similar patch against the mpm_itk project!). Possibly it is a little too restrictive, extras can be added to suidcaps, but on platforms that support capabilities this will prevent things such as kernel module loading. Needed on linux is libcap, available in most distros. Note that this
2015 Mar 16
0
Re: Can't create any KVM template due to the error with libguestfs
[root@fr1 tmp]# cd /tmp [root@fr1 tmp]# cpio -id < /usr/lib64/guestfs/supermin.d/daemon.img cpio: sbin/guestfsd not created: newer or same age version exists cpio: etc/guestfsd.suppressions not created: newer or same age version exists 3629 blocks [root@fr1 tmp]# ldd /tmp/sbin/guestfsd linux-vdso.so.1 => (0x00007fff9e9d4000) libacl.so.1 => /lib64/libacl.so.1