Bug#: 22016
Status: RESOLVED
Resolution: FIXED
Assigned To: Patrick Kursawe <phosphan@gentoo.org>
Reporter: Mark Aikens <marka@desert.cx>

Description:   Opened: 2003-05-31 15:29 0000
Using lcap to remove a single capability removes them all. 

Reproducible: Always
Steps to Reproduce:
1. lcap CAP_NET_RAW 
2. lcap 
Actual Results:  
lcap shows all capabilities removed 

Expected Results:  
lcap should have only removed the CAP_NET_RAW capability 

Portage 2.0.48 (default-x86-1.4, gcc-3.2.2, glibc-2.3.1-r4) 
================================================================= 
System uname: 2.4.20-m2 i686 AMD Athlon(tm) XP 2000+ 
GENTOO_MIRRORS="http://gentoo.oregonstate.edu/ http://www.ibiblio.org/gentoo/" 
CONFIG_PROTECT="/etc /var/qmail/control /usr/kde/2/share/config 
/usr/kde/3/share/config /usr/X11R6/lib/X11/xkb /usr/kde/3.1/share/config 
/usr/share/config" 
CONFIG_PROTECT_MASK="/etc/gconf /etc/env.d" 
PORTDIR="/usr/portage" 
DISTDIR="/usr/portage/distfiles" 
PKGDIR="/usr/portage/packages" 
PORTAGE_TMPDIR="/work" 
PORTDIR_OVERLAY="/usr/local/portage" 
USE="x86 oss 3dnow apm avi crypt cups encode gif jpeg kde gnome libg++ mikmod 
mmx mpeg ncurses nls pdflib png spell truetype xml2 xmms xv zlib alsa gdbm berkdb 
slang readline arts tetex aalib tcltk java guile postgres X sdl gpm tcpd pam libwww ssl 
perl python imlib oggvorbis gtk qt motif opengl cdr mbox -svga -esd -quicktime" 
COMPILER="gcc3" 
CHOST="i686-pc-linux-gnu" 
CFLAGS="-march=athlon -O3 -pipe" 
CXXFLAGS="-O2 -mcpu=i686 -pipe" 
ACCEPT_KEYWORDS="x86" 
MAKEOPTS="-j2" 
AUTOCLEAN="yes" 
SYNC="rsync://rsync.gentoo.org/gentoo-portage" 
FEATURES="sandbox ccache"

------- Comment #1 From Patrick Kursawe 2003-06-11 02:16:17 0000 -------
Strange things happening...

If I just lcap -vv CAP_SYS_MODULE, all capabilities are blanked.
If I try lcap -vv CAP_SYS_TIME, I can safely remove CAP_SYS_MODULE afterwards, but
trying CAP_NET_RAW then blanks everything again. Seems it has strange problems with certain bit combinations. Investigating...

------- Comment #2 From Patrick Kursawe 2003-06-11 03:19:50 0000 -------
Looks like sometimes it can't read back the data it writes to the kernel via
/proc - still no idea who gets it wrong, the kernel or lcap. Stay tuned.

------- Comment #3 From Patrick Kursawe 2003-06-11 06:24:30 0000 -------
Got it.
The kernel (at least 2.4.20) uses the function proc_dointvec_bset from kernel/sysctl.c for access to /proc/sys/kernel/cap-bound - this function forbids any access if CAP_SYS_MODULE is not available (please don't ask me why they made it this way).
lcap is satisfied if it can open the file (which will work), then it reads from it (which fails, but isn't caught). It gets a zero and displays all capabilities as deleted though they aren't.
Just removing CAP_NET_RAW does not show this effect (at least not on my system). Please try to verify this with the new -r1 revision which should be in portage soon. It should print an error message if it can't read the capabilities.
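The failure mode diagnosed in comment #3, shown as an added example: this is not lcap's code and was not posted in this bug. It puts the naive "open succeeded, so the read must have too" pattern next to a reader that treats a failed or empty read as an error rather than as the value 0, and decodes the result with the real CAP_NET_RAW and CAP_SYS_MODULE bit numbers. The sample file path, the use of a directory as an "opens fine, read() fails" stand-in for cap-bound without CAP_SYS_MODULE, and the default bounding-set value are assumptions made for the demo.

```c
/*
 * Added example, not lcap's code and not part of this bug report: the
 * failure mode from comment #3 (open() succeeds, read() fails, the missing
 * value is reported as 0 == "all capabilities removed") next to a reader
 * that refuses to confuse the two. The sample file and the directory used
 * as an unreadable path are constructed for the demo.
 */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Capability bit numbers from <linux/capability.h>. */
#define CAP_NET_RAW    13
#define CAP_SYS_MODULE 16

/* Kernel 2.4 exposed the bounding set as one signed decimal integer in
 * /proc/sys/kernel/cap-bound; a set bit means the capability is still
 * allowed. -257 is every bit except CAP_SETPCAP (bit 8), the usual default
 * at the time (assumed here for the demo). */
#define DEFAULT_CAP_BOUND (-257L)

/* Naive pattern: because open() worked, the result of read() is never
 * looked at. When the read fails the buffer stays empty and strtol("")
 * returns 0, indistinguishable from a set with every bit cleared. */
long capset_read_unchecked(const char *path)
{
    char buf[64] = "";
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    (void)read(fd, buf, sizeof(buf) - 1);   /* return value ignored */
    close(fd);
    return strtol(buf, NULL, 10);
}

/* Checked pattern: a failed or empty read is an error, not a value.
 * Returns 0 and stores the set in *out on success, -1 with errno set otherwise. */
int capset_read_checked(const char *path, long *out)
{
    char buf[64];
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    ssize_t n = read(fd, buf, sizeof(buf) - 1);
    int saved_errno = errno;
    close(fd);
    if (n < 0) {                 /* e.g. EPERM from the kernel, EISDIR here */
        errno = saved_errno;
        return -1;
    }
    if (n == 0) {                /* nothing to parse */
        errno = EIO;
        return -1;
    }
    buf[n] = '\0';
    char *end;
    errno = 0;
    long value = strtol(buf, &end, 10);
    if (errno != 0 || end == buf) {
        errno = EINVAL;
        return -1;
    }
    *out = value;
    return 0;
}

/* Bit helpers for interpreting a bounding set (unsigned shift avoids
 * implementation-defined right shifts of negative values). */
int  cap_allowed(long set, int cap) { return (int)(((unsigned long)set >> cap) & 1UL); }
long cap_drop(long set, int cap)    { return set & ~(1L << cap); }

/* Writes a constructed sample value to a file so the checked reader can be
 * exercised offline; returns 0 on success. */
int write_sample(const char *path, long value)
{
    FILE *f = fopen(path, "w");
    if (!f)
        return -1;
    int rc = fprintf(f, "%ld\n", value) < 0 ? -1 : 0;
    if (fclose(f) != 0)
        rc = -1;
    return rc;
}

int main(void)
{
    /* A directory opens fine but read() fails with EISDIR: the same
     * "open ok, read fails" shape as cap-bound without CAP_SYS_MODULE. */
    printf("unchecked read of '.' reports set = %ld (looks like all caps gone)\n",
           capset_read_unchecked("."));
    long set;
    if (capset_read_checked(".", &set) != 0)
        printf("checked read of '.' fails: %s\n", strerror(errno));

    const char *sample = "/tmp/capbound_sample.txt";   /* constructed path */
    if (write_sample(sample, cap_drop(DEFAULT_CAP_BOUND, CAP_NET_RAW)) == 0 &&
        capset_read_checked(sample, &set) == 0)
        printf("sample: CAP_NET_RAW %s, CAP_SYS_MODULE %s\n",
               cap_allowed(set, CAP_NET_RAW) ? "allowed" : "dropped",
               cap_allowed(set, CAP_SYS_MODULE) ? "allowed" : "dropped");
    return 0;
}
```

The point the comparison makes is the one in comment #3: the unchecked reader cannot tell "every capability removed" from "the kernel refused the read", so a tool built on it will print the former whenever the latter happens; the checked reader surfaces the read error (EPERM in the cap-bound case) and never reports a bounding set it did not actually obtain.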

------- Comment #4 From Mark Aikens 2003-06-12 06:04:53 0000 -------
OK, thanks. I just won't remove CAP_SYS_MODULE. Removing other capabilities
works as expected.

------- Comment #5 From Patrick Kursawe 2003-06-12 06:22:35 0000 -------
Fine. Setting this to fixed.

------- Comment #6 From Patrick Kursawe 2003-06-12 06:23:11 0000 -------
Fixed.
