My program is being run with `cap_sys_admin,cap_setgid+i`.

Of course, I understand that they are inheritable across execve, but besides that: do they behave the same way as if I didn't have them at all, since they are neither effective nor permitted?

-
I recognize the question is simple, but the only documentation I found about this is that the inheritable set can be inherited through execve. I want to know whether there's a practical difference between having capabilities only in the inheritable set and not having them at all. – user2284570 May 12 '17 at 01:57
-
"My program is being run with `cap_sys_admin,cap_setgid+i`" Do you mean you've set the inheritable permission on the file? – sqweek May 13 '17 at 06:34
-
@sqweek No, an initial program is started as root with libminijailpreload, then that program performs a call to execve to my program. Of course, what I wonder is whether it is possible to use `cap_sys_admin` without file capabilities, as no writable partition is mounted without noexec *(the rootfs is on a cryptographically signed read-only firmware)*. – user2284570 May 13 '17 at 10:36
-
@sqweek for your first sentence, this is just what the `getpcaps` command prints on the screen for my process, so everything is about processes and not files *(also worth mentioning: I have no filesystems that support xattrs)*. – user2284570 May 13 '17 at 11:51
2 Answers
OK so your process is running with some Inheritable capabilities. What does that mean for your process? Pretty much nothing. You can't call `setcap()` to make any of those capabilities Effective, since they're not in your Permitted set, and with no way to get them into your Effective set your process cannot use the capabilities itself.

However, their presence in your Inheritable set may have consequences for other processes you launch. E.g. if you were to `exec()` a binary whose file had `cap_setgid` in both its Effective and Inheritable set, that child process would start with `cap_setgid` in its Effective set.

If `cap_setgid` was not in your process's Inheritable set in the above example, then the fact that the file has `cap_setgid+ie` becomes irrelevant, and the child process will not have the stated capability.

-
So do inheritable capabilities make sense only with xattr-based capabilities? – user2284570 May 13 '17 at 12:31
-
That the file's capabilities are stored as xattrs is perhaps an implementation detail, but yes the only way for an Inheritable capability to be promoted into the Permitted or Effective set is if the file is also marked with that capability. – sqweek May 13 '17 at 12:45
-
OK, sorry for insisting, so having a file which has capabilities inside its xattrs is the only way to use inheritable capabilities? – user2284570 May 13 '17 at 12:50
-
Yep. Those caps aren't going anywhere until they meet a file which also has them in its inheritable set (which is more or less what hdante's answer says). – sqweek May 13 '17 at 13:03
Yes, inheritable capabilities keep sleeping until you set the effective capabilities. As described in the manual, inheritable means "on execve, copy inheritable to the child's inheritable and permitted sets":

    This is a set of capabilities preserved across an execve(2). Inheritable capabilities remain inheritable when executing any program, and inheritable capabilities are added to the permitted set when executing a program that has the corresponding bits set in the file inheritable set.

-
Pasted text is from the wrong section, but the correct section has the analogous idea – hdante May 12 '17 at 01:54
-
Yes, I read the manpage, but I don't understand `has the corresponding bits set in the file inheritable set.` in the last sentence. – user2284570 May 12 '17 at 01:54
-
My question is whether there's a practical difference between having capabilities only in the inheritable set and not having them at all. If yes, how can they be used? – user2284570 May 12 '17 at 01:56
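Both answers above rest on two kernel rules: capset(2) refuses to raise a capability into Permitted or Effective unless it is already in Permitted, and execve() only promotes an Inheritable capability into the child's Permitted set when the file being executed carries the same bit in its file-inheritable set (or carries it in its file-permitted set, which needs no help from the parent). The following C program is an added illustration for this thread, not code from either answer or from the asker's system: it models those rules as bitmask arithmetic so the four situations discussed here can be checked side by side without touching the real capability sets of the running process. Assumptions, also noted in the comments: a non-root caller, no setuid/setgid bits on the file, default securebits, CAP_SETPCAP absent from the caller's effective set, and capability numbers copied from `<linux/capability.h>` so the model builds anywhere.

```c
/* Model of how Linux treats the Inheritable set, following the rules in
 * capabilities(7) ("Transformation of capabilities during execve()") and
 * capset(2). Added illustration for this thread; it does not change the
 * capability sets of the running process. Assumed simplifications: non-root
 * caller, no setuid/setgid bit on the file, default securebits, and no
 * CAP_SETPCAP in the caller's effective set. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Capability numbers as in <linux/capability.h>; defined locally so the
 * model compiles on any platform. CAP_LAST_CAP only sizes the bounding set. */
#define CAP_SETGID     6
#define CAP_SYS_ADMIN 21
#define CAP_LAST_CAP  40

typedef uint64_t capmask_t;
#define CAPM(n)  ((capmask_t)1 << (n))
#define ALL_CAPS (CAPM(CAP_LAST_CAP + 1) - 1)

struct proc_caps { capmask_t permitted, effective, inheritable, bounding, ambient; };
/* File capabilities as stored in the security.capability xattr: fP, fI, fE flag. */
struct file_caps { capmask_t permitted, inheritable; bool effective_bit; };

/* capset(2) for a non-root caller without CAP_SETPCAP:
 *   new P must be a subset of old P (P can only shrink)
 *   new E must be a subset of new P
 *   new I must be a subset of old I | old P
 * Returns 0 and updates *cur on success, EPERM otherwise. */
int model_capset(struct proc_caps *cur, capmask_t nE, capmask_t nP, capmask_t nI)
{
    if (nP & ~cur->permitted) return EPERM;
    if (nE & ~nP) return EPERM;
    if (nI & ~(cur->inheritable | cur->permitted)) return EPERM;
    cur->effective = nE; cur->permitted = nP; cur->inheritable = nI;
    return 0;
}

/* execve() transformation for a non-root process (capabilities(7)):
 *   P'(ambient)     = file has caps ? 0 : P(ambient)
 *   P'(permitted)   = (P(inheritable) & F(inheritable)) | (F(permitted) & P(bounding)) | P'(ambient)
 *   P'(effective)   = F(effective) ? P'(permitted) : P'(ambient)
 *   P'(inheritable) = P(inheritable)   (preserved unchanged: the "sleeping" set)
 * f == NULL models a binary with no file capabilities at all. */
struct proc_caps model_execve(struct proc_caps p, const struct file_caps *f)
{
    struct proc_caps n = p;
    bool file_privileged = f && (f->permitted || f->inheritable);
    n.ambient = file_privileged ? 0 : p.ambient;
    n.permitted = n.ambient;
    if (f) n.permitted |= (p.inheritable & f->inheritable) | (f->permitted & p.bounding);
    n.effective = (f && f->effective_bit) ? n.permitted : n.ambient;
    n.inheritable = p.inheritable;
    return n;
}

/* The asker's process: cap_sys_admin,cap_setgid+i and nothing in P or E. */
static struct proc_caps asker_process(void)
{
    struct proc_caps p = {0};
    p.inheritable = CAPM(CAP_SYS_ADMIN) | CAPM(CAP_SETGID);
    p.bounding = ALL_CAPS;
    return p;
}

/* 1. Try to raise cap_setgid straight into P and E. Returns the errno. */
int scenario_raise_directly(void)
{
    struct proc_caps p = asker_process();
    return model_capset(&p, CAPM(CAP_SETGID), CAPM(CAP_SETGID), p.inheritable);
}

/* 2. exec a binary with no file capabilities. Returns the child's E. */
capmask_t scenario_exec_plain_binary(void)
{
    return model_execve(asker_process(), NULL).effective;
}

/* 3. exec a binary marked cap_setgid+ie, with or without cap_setgid in the
 *    parent's inheritable set. Returns the child's E. */
capmask_t scenario_exec_setgid_ie(bool parent_has_setgid_inh)
{
    struct proc_caps p = asker_process();
    if (!parent_has_setgid_inh) p.inheritable &= ~CAPM(CAP_SETGID);
    struct file_caps f = { .permitted = 0, .inheritable = CAPM(CAP_SETGID), .effective_bit = true };
    return model_execve(p, &f).effective;
}

/* 4. exec a binary marked cap_setgid+ep: the file-permitted path, which needs
 *    nothing from the parent's inheritable set. Returns the child's E. */
capmask_t scenario_exec_setgid_ep(void)
{
    struct proc_caps p = asker_process();
    p.inheritable = 0;
    struct file_caps f = { .permitted = CAPM(CAP_SETGID), .inheritable = 0, .effective_bit = true };
    return model_execve(p, &f).effective;
}

int main(void)
{
    printf("raise cap_setgid directly:       %s\n", scenario_raise_directly() == EPERM ? "EPERM" : "ok");
    printf("exec plain binary:               child E = %#llx\n", (unsigned long long)scenario_exec_plain_binary());
    printf("exec cap_setgid+ie, pI has it:   child E = %#llx\n", (unsigned long long)scenario_exec_setgid_ie(true));
    printf("exec cap_setgid+ie, pI lacks it: child E = %#llx\n", (unsigned long long)scenario_exec_setgid_ie(false));
    printf("exec cap_setgid+ep, pI empty:    child E = %#llx\n", (unsigned long long)scenario_exec_setgid_ep());
    return 0;
}
```

Scenarios 1 and 2 are the asker's situation: with the bits only in I, the model's capset refuses to raise them (EPERM) and an exec of an ordinary binary hands the child an empty Effective set while I itself survives. Scenario 3 is sqweek's example, and scenario 4 shows the contrast that the answers only hint at: a file-permitted bit grants the capability regardless of the parent, whereas a file-inheritable bit grants it only to parents that already carry it in I. Since the asker's filesystems carry no xattrs, neither file-capability path is available there, which is why the inheritable bits make no practical difference in that setup. The model deliberately leaves out the ambient set's raise rule (a capability must be in both P and I before it can be made ambient, so it cannot help here either) and the root and securebits special cases.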