libcap, authbind

Vasko Miroslav vasko@ditec.sk
Fri, 6 Apr 2001 16:08:31 +0200


hi,

I have an up-to-date potato and libcap compiled from the sources in unstable

I am having trouble getting a program running as a normal user to be
able to bind port 80.

the program is a bash script that calls another Perl script, which calls
exac

1. authbind
------------

to invoke it I use:
notes@disco:/var/local/lotus$ authbind --deep /usr/local/lotus/bin/server

it refuses to bind port 80

listing of /etc/authbind:
/etc/authbind/:
celkom 12
drwxr-xr-x    2 root     root         4096 jan  3  1999 byaddr
drwxr-xr-x    2 root     root         4096 apr  6 12:25 byport
drwxr-xr-x    2 root     root         4096 jan  3  1999 byuid

/etc/authbind/byaddr:
celkom 0

/etc/authbind/byport:
celkom 0
-rwx------    1 notes    notes           0 apr  6 12:25 110
-rwx------    1 notes    notes           0 apr  6 12:25 119
-rwx------    1 notes    notes           0 apr  6 12:25 143
-rwx------    1 notes    notes           0 apr  6 12:25 25
-rwx------    1 notes    notes           0 apr  6 12:25 389
-rwx------    1 notes    notes           0 apr  6 12:25 443
-rwx------    1 notes    notes           0 apr  6 12:25 465
-rwx------    1 notes    notes           0 apr  6 12:25 563
-rwx------    1 notes    notes           0 apr  6 12:25 636
-rwx------    1 notes    notes           0 apr  6 12:25 80
-rwx------    1 notes    notes           0 apr  6 12:25 993
-rwx------    1 notes    notes           0 apr  6 12:25 995

/etc/authbind/byuid:
celkom 0

according to the documentation, /etc/authbind/byport should contain files
named after port numbers, and they must be executable by the user under
which the process that wants to bind the given port runs

it does not work :(

2. execcap and co.
-----------------

notes@disco:/var/local/lotus$ /sbin/execcap "cap_net_bind_service=all" /uar/local/lotus/bin/server

requested capabilities were not recognized
usage: execcap <caps> <command-path> [command-args...]

  This program is a wrapper that can be used to limit the Inheritable
  capabilities of a program to be executed.  Note, this wrapper is
  intended to assist in overcoming a lack of support for filesystem
  capability attributes and should be used to launch other files.
  This program should _NOT_ be made setuid-0.

[Copyright (c) 1998 Andrew G. Morgan <morgan@linux.kernel.org>]

that is silly, because this "capability" is defined in
/usr/src/linux/include/linux/capability.h,
as well as in what libcap carries along with it. I even found it via
strings in libcap.so
it does not help if I remove the quotes and "=all"

I really feel like an idiot by now

can anyone help?
miro

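The byport rule quoted from the documentation in the message above (a file named after the port, executable by the user the process runs as) can be evaluated for any UID without switching users. This is an added example, not part of the original message and not authbind's own code; the function names, the temporary tree and the sample IDs are constructed, and it assumes classic mode bits only (no ACLs, no root override).

```python
import os
import stat
import tempfile


def may_execute(st, uid, gids):
    """Mode-bit check only: the owner class wins over group, group over other."""
    if uid == st.st_uid:
        return bool(st.st_mode & stat.S_IXUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IXGRP)
    return bool(st.st_mode & stat.S_IXOTH)


def byport_verdict(root, port, uid, gids):
    """Return 'allowed', 'denied' or 'missing' for <root>/byport/<port>."""
    try:
        st = os.stat(os.path.join(root, "byport", str(port)))
    except FileNotFoundError:
        return "missing"
    return "allowed" if may_execute(st, uid, gids) else "denied"


def demo():
    """Build a constructed byport tree in a temp dir and evaluate sample callers."""
    with tempfile.TemporaryDirectory() as root:
        byport = os.path.join(root, "byport")
        os.makedirs(byport)
        for port, mode in {80: 0o700, 443: 0o070, 25: 0o600}.items():
            path = os.path.join(byport, str(port))
            open(path, "w").close()
            os.chmod(path, mode)
        st = os.stat(os.path.join(byport, "80"))
        owner, group = st.st_uid, st.st_gid
        stranger, other_group = owner + 1, group + 1  # constructed ids
        return {
            "80 owner": byport_verdict(root, 80, owner, {group}),
            "80 stranger": byport_verdict(root, 80, stranger, {other_group}),
            "443 owner": byport_verdict(root, 443, owner, {group}),
            "443 group member": byport_verdict(root, 443, stranger, {group}),
            "25 owner": byport_verdict(root, 25, owner, {group}),
            "8080 owner": byport_verdict(root, 8080, owner, {group}),
        }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:18} {verdict}")
```

Pointing `byport_verdict` at `/etc/authbind` with the service account's UID and group set shows whether the configuration itself satisfies the documented rule, which separates a permissions mistake from a problem elsewhere.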