22016 2003-05-31 15:29 0000 lcap removes all capabilities 2003-06-12 06:23:11 0000 1 1 1 Unclassified Gentoo Linux Applications unspecified x86 Linux RESOLVED FIXED P2 normal --- 1 marka@desert.cx phosphan@gentoo.org marka@desert.cx 2003-05-31 15:29:47 0000 Using lcap to remove a single capability removes them all. Reproducible: Always Steps to Reproduce: 1. lcap CAP_NET_RAW 2. lcap Actual Results: lcap shows all capabilities removed Expected Results: lcap should have only removed the CAP_NET_RAW capability Portage 2.0.48 (default-x86-1.4, gcc-3.2.2, glibc-2.3.1-r4) ================================================================= System uname: 2.4.20-m2 i686 AMD Athlon(tm) XP 2000+ GENTOO_MIRRORS="http://gentoo.oregonstate.edu/ http://www.ibiblio.org/gentoo/" CONFIG_PROTECT="/etc /var/qmail/control /usr/kde/2/share/config /usr/kde/3/share/config /usr/X11R6/lib/X11/xkb /usr/kde/3.1/share/config /usr/share/config" CONFIG_PROTECT_MASK="/etc/gconf /etc/env.d" PORTDIR="/usr/portage" DISTDIR="/usr/portage/distfiles" PKGDIR="/usr/portage/packages" PORTAGE_TMPDIR="/work" PORTDIR_OVERLAY="/usr/local/portage" USE="x86 oss 3dnow apm avi crypt cups encode gif jpeg kde gnome libg++ mikmod mmx mpeg ncurses nls pdflib png spell truetype xml2 xmms xv zlib alsa gdbm berkdb slang readline arts tetex aalib tcltk java guile postgres X sdl gpm tcpd pam libwww ssl perl python imlib oggvorbis gtk qt motif opengl cdr mbox -svga -esd -quicktime" COMPILER="gcc3" CHOST="i686-pc-linux-gnu" CFLAGS="-march=athlon -O3 -pipe" CXXFLAGS="-O2 -mcpu=i686 -pipe" ACCEPT_KEYWORDS="x86" MAKEOPTS="-j2" AUTOCLEAN="yes" SYNC="rsync://rsync.gentoo.org/gentoo-portage" FEATURES="sandbox ccache" phosphan@gentoo.org 2003-06-11 02:16:17 0000 Strange things happening... If I just lcap -vv CAP_SYS_MODULE, all capabilities are blanked. If I try lcap -vv CAP_SYS_TIME, I can safely remove CAP_SYS_MODULE afterwards, but trying CAP_NET_RAW then blanks everything again. Seems it has strange problems with certain bit combinations. Investigating... phosphan@gentoo.org 2003-06-11 03:19:50 0000 Looks like sometimes it can't read back the data it writes to the kernel via /proc - still no idea who gets it wrong, the kernel or lcap. Stay tuned. phosphan@gentoo.org 2003-06-11 06:24:30 0000 Got it. The kernel (at least 2.4.20) uses the function proc_dointvec_bset from kernel/sysctl.c for access to /proc/sys/kernel/cap-bound - this function forbids any access if CAP_SYS_MODULE is not available (please don't ask me why they made it this way). lcap is satisfied if it can open the file (which will work), then it reads from it (which fails, but isn't caught). It gets a zero and displays all capabilities as deleted though they aren't. Just removing CAP_NET_RAW does not show this effect (at least not on my system). Please try to verify this with the new -r1 revision which should be in portage soon. It should print an error message if it can't read the capabilities. marka@desert.cx 2003-06-12 06:04:53 0000 OK, thanks. I just won't remove CAP_SYS_MODULE. Removing other capabilities work as expected. phosphan@gentoo.org 2003-06-12 06:22:35 0000 Fine. Setting this to fixed. phosphan@gentoo.org 2003-06-12 06:23:11 0000 Fixed.