0

I have a binary foo, generated from C++ code, which has special capabilities set on it with:

sudo setcap cap_sys_rawio=ep ./foo

Now I want to build another version of this binary, and the output of the build (the new binary) goes into a file named bar. Evidently, bar will not have the same capabilities as foo. I would like to copy the content of bar over foo, so that foo represents the new binary, but without removing the capabilities.

This answer indicates that modifying the file does not affect the capabilities, but when I try with cp (which uses open(..., O_TRUNC) under the covers) the capabilities are removed.

BeeOnRope
  • 60,350
  • 16
  • 207
  • 386
  • [so] is for programming questions, not questions about using or configuring Unix and its utilities. [unix.se] or [su] would be better places for questions like this. – Barmar Jan 14 '20 at 17:45
  • Are you using any of the `cp` options that copy attributes, such as `-a` or `--preserve=xattr`? These will replace foo's capabilities with bar's. – Barmar Jan 14 '20 at 17:52
  • But they don't want to replace `foo`'s capabilities with `bar`; they want to preserve `foo`'s capabilities, and just replace the *content* of `foo` with the content of `bar`. – Richard Fearn Jan 14 '20 at 17:57
  • @Barmar - no, I am not using any special options. – BeeOnRope Jan 14 '20 at 18:09
  • @Barmar - you are mistaken about the scope of SO. It is not just about programming itself. It is also about "software tools commonly used by programmers". I think we can assume a question about Linux capabilities on a program that I wrote and built and needs these special capabilities is totally on-topic here, as are many build related questions. I agree though at it would _also_ be on topic on those other sites: question applicability is not mutually exclusive on the SE network. – BeeOnRope Jan 14 '20 at 18:11

1 Answers1

1

I don't think this is possible. The comment on the answer you linked to is incorrect; replacing the contents of foo will cause the capabilities to be removed from foo, as explained by this answer.

You can test this using the following trivial C program (save this as editfoo.c):

#include <fcntl.h>
#include <unistd.h>

int main(int argc, char** argv) {
    int fd = open("foo", O_WRONLY);
    write(fd, "bar", 3);
    return 0;
}

Then:

$ gcc editfoo.c -o editfoo

$ echo "foo" > foo

$ sudo setcap cap_sys_rawio=ep foo

$ cat foo
foo

$ getcap foo
foo = cap_sys_rawio+ep

$ ./editfoo

$ cat foo
bar

$ getcap foo
Richard Fearn
  • 25,073
  • 7
  • 56
  • 55
  • Thanks. I also did a similar test and came to the same conclusion. I guess it makes sense since if you could modify the binary it would seem to be a giant security whole, essentially giving the user full cap access since they could update the binary to do anything they needed done with full caps. – BeeOnRope Jan 14 '20 at 23:39