Bug 22016 - lcap removes all capabilities
Summary: lcap removes all capabilities
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: x86 Linux
: High normal
Assignee: Patrick Kursawe (RETIRED)
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2003-05-31 15:29 UTC by Mark Aikens
Modified: 2003-06-12 06:23 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Mark Aikens 2003-05-31 15:29:47 UTC
Using lcap to remove a single capability removes them all. 

Reproducible: Always
Steps to Reproduce:
1. lcap CAP_NET_RAW 
2. lcap 
Actual Results:  
lcap shows all capabilities removed 

Expected Results:  
lcap should have only removed the CAP_NET_RAW capability 

Portage 2.0.48 (default-x86-1.4, gcc-3.2.2, glibc-2.3.1-r4) 
================================================================= 
System uname: 2.4.20-m2 i686 AMD Athlon(tm) XP 2000+ 
GENTOO_MIRRORS="http://gentoo.oregonstate.edu/ http://www.ibiblio.org/gentoo/" 
CONFIG_PROTECT="/etc /var/qmail/control /usr/kde/2/share/config 
/usr/kde/3/share/config /usr/X11R6/lib/X11/xkb /usr/kde/3.1/share/config 
/usr/share/config" 
CONFIG_PROTECT_MASK="/etc/gconf /etc/env.d" 
PORTDIR="/usr/portage" 
DISTDIR="/usr/portage/distfiles" 
PKGDIR="/usr/portage/packages" 
PORTAGE_TMPDIR="/work" 
PORTDIR_OVERLAY="/usr/local/portage" 
USE="x86 oss 3dnow apm avi crypt cups encode gif jpeg kde gnome libg++ mikmod 
mmx mpeg ncurses nls pdflib png spell truetype xml2 xmms xv zlib alsa gdbm berkdb 
slang readline arts tetex aalib tcltk java guile postgres X sdl gpm tcpd pam libwww ssl 
perl python imlib oggvorbis gtk qt motif opengl cdr mbox -svga -esd -quicktime" 
COMPILER="gcc3" 
CHOST="i686-pc-linux-gnu" 
CFLAGS="-march=athlon -O3 -pipe" 
CXXFLAGS="-O2 -mcpu=i686 -pipe" 
ACCEPT_KEYWORDS="x86" 
MAKEOPTS="-j2" 
AUTOCLEAN="yes" 
SYNC="rsync://rsync.gentoo.org/gentoo-portage" 
FEATURES="sandbox ccache"
Comment 1 Patrick Kursawe (RETIRED) gentoo-dev 2003-06-11 02:16:17 UTC
Strange things happening...

If I just lcap -vv CAP_SYS_MODULE, all capabilities are blanked.
If I try lcap -vv CAP_SYS_TIME, I can safely remove CAP_SYS_MODULE afterwards, but
trying CAP_NET_RAW then blanks everything again. Seems it has strange problems with certain bit combinations. Investigating...
Comment 2 Patrick Kursawe (RETIRED) gentoo-dev 2003-06-11 03:19:50 UTC
Looks like sometimes it can't read back the data it writes to the kernel via /proc - still no idea who gets it wrong, the kernel or lcap. Stay tuned.
Comment 3 Patrick Kursawe (RETIRED) gentoo-dev 2003-06-11 06:24:30 UTC
Got it.
The kernel (at least 2.4.20) uses the function proc_dointvec_bset from kernel/sysctl.c for access to /proc/sys/kernel/cap-bound - this function forbids any access if CAP_SYS_MODULE is not available (please don't ask me why they made it this way).
lcap is satisfied if it can open the file (which will work), then it reads from it (which fails, but isn't caught). It gets a zero and displays all capabilities as deleted though they aren't.
Just removing CAP_NET_RAW does not show this effect (at least not on my system). Please try to verify this with the new -r1 revision which should be in portage soon. It should print an error message if it can't read the capabilities.
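The failure mode described in Comment 3 (open() succeeds, read() fails, the unchecked result is shown as a zero mask) is easy to reproduce and easy to guard against. The following is an added example, not lcap's or the kernel's code: it reads a cap-bound-style file with the error checks lcap was missing, parses the signed decimal the 2.4 kernel prints, and reports which capabilities are actually cleared. The path /proc/sys/kernel/cap-bound and the 2.4 bit numbers are assumptions (the file was removed in later kernels), and the sample contents are constructed.

```c
/* Added example, not lcap's or the kernel's code. Assumes the 2.4-era
 * /proc/sys/kernel/cap-bound layout: a signed decimal int where "-1" means
 * no capability dropped and "-8193" means bit 13 (CAP_NET_RAW) cleared. */
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* 2.4-era capability bit numbers from linux/capability.h (subset). */
#define CAP_NET_RAW    13
#define CAP_SYS_MODULE 16
#define CAP_SYS_TIME   25
#define NUM_CAPS       29   /* CAP_LEASE (28) was the highest bit in 2.4 */

#define CAP_BOUND_PATH "/proc/sys/kernel/cap-bound"   /* assumption: 2.4 layout */

enum capread_status {
    CAPREAD_OK = 0,
    CAPREAD_OPEN_FAILED,    /* open() failed */
    CAPREAD_READ_FAILED,    /* open() worked but read() returned -1: lcap's case */
    CAPREAD_PARSE_FAILED    /* data was not a signed integer */
};

/* Parse the signed decimal written by proc_dointvec into a 32-bit mask. */
int parse_cap_bound(const char *text, unsigned int *mask_out)
{
    char *end;
    long v;

    errno = 0;
    v = strtol(text, &end, 10);
    if (end == text || errno != 0 || v < INT_MIN || v > INT_MAX)
        return -1;
    while (*end == ' ' || *end == '\t' || *end == '\n')
        end++;
    if (*end != '\0')
        return -1;
    *mask_out = (unsigned int)(int)v;
    return 0;
}

enum capread_status read_cap_bound(const char *path, unsigned int *mask_out)
{
    char buf[64];
    ssize_t n;
    int fd, saved_errno;

    fd = open(path, O_RDONLY);
    if (fd < 0)
        return CAPREAD_OPEN_FAILED;
    n = read(fd, buf, sizeof buf - 1);
    saved_errno = errno;
    close(fd);

    /* The missing check: on 2.4.20 with CAP_SYS_MODULE gone, open() works but
     * read() fails; treating that as a zero mask shows "everything removed". */
    if (n < 0) {
        errno = saved_errno;
        return CAPREAD_READ_FAILED;
    }
    if (n == 0)
        return CAPREAD_PARSE_FAILED;   /* empty file is never a valid mask */
    buf[n] = '\0';
    return parse_cap_bound(buf, mask_out) == 0 ? CAPREAD_OK : CAPREAD_PARSE_FAILED;
}

/* 1 if the bit for cap is cleared in mask, 0 if the capability is still there. */
int cap_dropped(unsigned int mask, int cap)
{
    return (mask & (1u << cap)) == 0;
}

/* Number of capabilities 0..NUM_CAPS-1 that the mask has dropped. */
int caps_dropped_count(unsigned int mask)
{
    int cap, count = 0;
    for (cap = 0; cap < NUM_CAPS; cap++)
        count += cap_dropped(mask, cap);
    return count;
}

/* -1 on any open/read/parse failure, otherwise 0 or 1. Never "0 = all dropped". */
int cap_dropped_in_file(const char *path, int cap)
{
    unsigned int mask;
    if (read_cap_bound(path, &mask) != CAPREAD_OK)
        return -1;
    return cap_dropped(mask, cap);
}

/* Per Comment 3, dropping CAP_SYS_MODULE on 2.4.20 makes cap-bound unreadable,
 * so the result of that particular drop cannot be verified afterwards. */
int drop_is_verifiable(int cap)
{
    return cap != CAP_SYS_MODULE;
}

/* Writes constructed sample content so the parser can be exercised offline. */
int write_constructed_file(const char *path, const char *content)
{
    FILE *f = fopen(path, "w");
    if (!f)
        return -1;
    if (fputs(content, f) == EOF) {
        fclose(f);
        return -1;
    }
    return fclose(f) == 0 ? 0 : -1;
}

int main(void)
{
    unsigned int mask;
    switch (read_cap_bound(CAP_BOUND_PATH, &mask)) {
    case CAPREAD_OK:
        printf("%d of %d capabilities dropped\n", caps_dropped_count(mask), NUM_CAPS);
        return 0;
    case CAPREAD_OPEN_FAILED:
        perror("open cap-bound");
        return 1;
    case CAPREAD_READ_FAILED:
        perror("read cap-bound (CAP_SYS_MODULE already dropped?)");
        return 1;
    default:
        fprintf(stderr, "cap-bound: unparsable contents\n");
        return 1;
    }
}
```

Reading a directory such as "/" reproduces the shape of the bug exactly: open() succeeds and read() fails with EISDIR, which the checked version reports instead of displaying as an empty bounding set.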
Comment 4 Mark Aikens 2003-06-12 06:04:53 UTC
OK, thanks. I just won't remove CAP_SYS_MODULE. Removing other capabilities works as expected.
Comment 5 Patrick Kursawe (RETIRED) gentoo-dev 2003-06-12 06:22:35 UTC
Fine. Setting this to fixed.
Comment 6 Patrick Kursawe (RETIRED) gentoo-dev 2003-06-12 06:23:11 UTC
Fixed.