
I am trying to understand how capabilities work and I am using code from here:

https://gist.github.com/sbz/1090868

I created an array with all the permissions:

    cap_value_t cap_list_[] = {
        CAP_CHOWN,
        CAP_DAC_OVERRIDE,
        CAP_DAC_READ_SEARCH,
        CAP_FOWNER,
        CAP_FSETID,
        CAP_KILL,
        CAP_SETGID,
        CAP_SETUID,
        CAP_SETPCAP,
        CAP_LINUX_IMMUTABLE,
        CAP_NET_BIND_SERVICE,
        CAP_NET_BROADCAST,
        CAP_NET_ADMIN,
        CAP_NET_RAW,
        CAP_IPC_LOCK,
        CAP_IPC_OWNER,
        CAP_SYS_MODULE,
        CAP_SYS_RAWIO,
        CAP_SYS_CHROOT,
        CAP_SYS_PTRACE,
        CAP_SYS_PACCT,
        CAP_SYS_ADMIN,
        CAP_SYS_BOOT,
        CAP_SYS_NICE,
        CAP_SYS_RESOURCE,
        CAP_SYS_TIME,
        CAP_SYS_TTY_CONFIG,
        CAP_MKNOD,
        CAP_LEASE,
        CAP_AUDIT_WRITE,
        CAP_AUDIT_CONTROL,
        CAP_SETFCAP,
        CAP_MAC_OVERRIDE,
        CAP_MAC_ADMIN
    };

I then try to disable everything:

    /* `cap` is the cap_t obtained earlier with cap_get_proc(), as in the gist */
    if (cap_set_flag(cap, CAP_PERMITTED, 34, cap_list_, CAP_CLEAR) == -1) {
        perror("cap_set_flag CAP_PERMITTED");
        cap_free(cap);
        exit(-1);
    }
    if (cap_set_flag(cap, CAP_EFFECTIVE, 34, cap_list_, CAP_CLEAR) == -1) {
        perror("cap_set_flag CAP_EFFECTIVE");
        cap_free(cap);
        exit(-1);
    }

I then try to do the following:

    chown("/home/user/test/file", 500, 500);

This works. This changes the owner of the file. This is just for testing purposes but I thought with all the permissions revoked I would not be able to do this.

– AntonioCS
  • What's your question? – toasted_flakes Jul 22 '14 at 17:55
  • That code is just manipulating flags in a *copy* of your process' capability flags. To make changes take effect in your process/thread, you'll need to call `cap_set_proc` / `capset` / `capsetp`. – nobody Jul 22 '14 at 19:48

1 Answer

You need to call cap_set_proc with your local variable changes to apply them to your process/thread.

– Douglas Leeder
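The full sequence the answer describes, as an added example that is not part of the question or the answer: read the thread's capability sets, clear the local copy (which by itself changes nothing, exactly as in the question), commit the copy back to the kernel, and then read the sets again to confirm the drop actually took effect. To keep it buildable without linking libcap, it uses the raw capget/capset syscalls that libcap's cap_get_proc/cap_set_proc wrap, and declares the kernel ABI structures itself; the names read_caps, drop_all_caps, has_effective_cap and all_caps_dropped are this example's own. It is Linux-only.

```c
#define _GNU_SOURCE
/* Added example: drop every capability from the calling thread with the raw
 * capget/capset syscalls (what cap_get_proc/cap_set_proc wrap), then read the
 * sets back to verify. Builds without -lcap; Linux only. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Kernel ABI constants and structures, matching <linux/capability.h>;
 * declared here so the example does not depend on the kernel headers. */
#define LINUX_CAPABILITY_VERSION_3 0x20080522
#define LINUX_CAPABILITY_U32S_3    2
#define CAP_CHOWN 0  /* same capability number as in the question's list */

struct cap_user_header { uint32_t version; int pid; };
struct cap_user_data   { uint32_t effective; uint32_t permitted; uint32_t inheritable; };

/* Fill `data` with the calling thread's sets. Returns 0, or -1 with errno set. */
static int read_caps(struct cap_user_data data[LINUX_CAPABILITY_U32S_3]) {
    struct cap_user_header hdr = { LINUX_CAPABILITY_VERSION_3, 0 };  /* pid 0 = self */
    memset(data, 0, sizeof(struct cap_user_data) * LINUX_CAPABILITY_U32S_3);
    return (int)syscall(SYS_capget, &hdr, data);
}

/* The question's cap_set_flag(..., CAP_CLEAR) plus the missing cap_set_proc():
 * clear permitted, effective and inheritable in the local copy, then commit it.
 * Returns 0 on success, or -1 with errno set. */
int drop_all_caps(void) {
    struct cap_user_header hdr = { LINUX_CAPABILITY_VERSION_3, 0 };
    struct cap_user_data data[LINUX_CAPABILITY_U32S_3];
    if (read_caps(data) == -1)
        return -1;
    /* Editing this copy is all the question's code did; nothing has changed yet. */
    memset(data, 0, sizeof data);
    /* capset() is the call that actually applies the new sets to the thread.
     * Lowering sets is always permitted, so this works without CAP_SETPCAP. */
    return (int)syscall(SYS_capset, &hdr, data);
}

/* 1 if capability number `cap` is in the thread's effective set, 0 if not,
 * -1 on error or out-of-range number. */
int has_effective_cap(int cap) {
    struct cap_user_data data[LINUX_CAPABILITY_U32S_3];
    if (cap < 0 || cap >= 32 * LINUX_CAPABILITY_U32S_3 || read_caps(data) == -1)
        return -1;
    return (int)((data[cap / 32].effective >> (cap % 32)) & 1u);
}

/* 1 if both the effective and permitted sets are empty, 0 otherwise, -1 on error. */
int all_caps_dropped(void) {
    struct cap_user_data data[LINUX_CAPABILITY_U32S_3];
    if (read_caps(data) == -1)
        return -1;
    for (int i = 0; i < LINUX_CAPABILITY_U32S_3; i++)
        if (data[i].effective != 0 || data[i].permitted != 0)
            return 0;
    return 1;
}

int main(void) {
    printf("CAP_CHOWN effective before drop: %d\n", has_effective_cap(CAP_CHOWN));
    if (drop_all_caps() == -1) {
        perror("capset");
        return 1;
    }
    printf("CAP_CHOWN effective after drop:  %d\n", has_effective_cap(CAP_CHOWN));
    /* Started as root, the value above flips from 1 to 0 and a subsequent
     * chown() on a file the process does not own fails with EPERM. Started
     * unprivileged, the sets are already empty and the drop is a no-op. */
    return all_caps_dropped() == 1 ? 0 : 1;
}
```

The check after the commit is the part worth keeping in real code: reading the sets back (cap_get_flag with libcap, or capget as here) is the only way to know that a privilege drop reached the kernel rather than a heap copy, and it is cheap enough to run unconditionally before the first operation that is supposed to be denied.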