Age | Commit message (Collapse) | Author | Files | Lines |
|
doc/mkmd.sh also has some dependencies on the format of the man
pages, so make that work again.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
Signed-off-by: Carlos Rodriguez-Fernandez <carlosrodrifernandez@gmail.com>
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
Signed-off-by: Carlos Rodriguez-Fernandez <carlosrodrifernandez@gmail.com>
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
Signed-off-by: Jakub Wilk <jwilk@jwilk.net>
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
Signed-off-by: Jakub Wilk <jwilk@jwilk.net>
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
It looks like the Linux-PAM folk have deprecated this macro. Compiler optimization
is hard to account for: apparently this explicit deletion is no longer
guaranteed to work. This function was marked deprecated in v1.5.3 of Linux-PAM.
I've replaced its use with memset(). I'm not convinced that that will be honored
either, but remain hopeful and prefer to leave the code explicit in its intent
without a deprecation warning messing up the build log. Should some compiler
optimize it away and it leads to an exploit of some sort, it can be revealed as
a compilation bug.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
Address user report of confusing behavior by adding a check to setcap
for a "<space...>" capability not meaning "-r".
Another suggestion from
https://bugzilla.kernel.org/show_bug.cgi?id=217592
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
This change introduces the setcap -f argument to allow setting
of nonsense capabilities on files. But the default is to fail
when attempting to set such invalid capabilities.
This commit addresses:
https://bugzilla.kernel.org/show_bug.cgi?id=217592
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
Other than the case of /dev/null, there is no situation in which pam_cap.so
should act on world writable config files.
There are legitimate local administration choices for the file being owned
by non-root users, and similarly writable by a group of trusted users. So,
we do not require any specific ownership for the file and do not check for
writable access based on owner of group membership.
Credit for finding this bug in pam_cap.so goes to X41 D-Sec GmbH
(https://x41-dsec.de/) who performed a security audit of the libcap
source code in April of 2023. The audit was sponsored by the Open
Source Technology Improvement Fund (https://ostif.org/).
Audit ref: LCAP-CR-23-101
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
The function pam_set_data() takes ownership of a memory pointer if
the call succeeds, but does not take that ownership if the function
fails. Previously, the failure caused no deferred capability setting and
a return code PAM_IGNORE. It continues to do that in this case, but no
longer leaks the allocated iab memory.
This bug was introduced with deferred IAB capability setting support in
libcap-2.58.
Credit for finding this bug in pam_cap.so goes to X41 D-Sec GmbH
(https://x41-dsec.de/) who performed a security audit of the libcap
source code in April of 2023. The audit was sponsored by the Open
Source Technology Improvement Fund (https://ostif.org/).
Audit ref: LCAP-CR-23-100
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
Avoid something subtle with really long strings: 1073741823 should
be enough for anybody. This is an improved fix over something attempted
in libcap-2.55 to address some static analysis findings.
Reviewing the library, cap_proc_root() and cap_launcher_set_chroot()
are the only two calls where the library is potentially exposed to a
user controlled string input.
Credit for finding this bug in libcap goes to Richard Weinberger of
X41 D-Sec GmbH (https://x41-dsec.de/) who performed a security audit
of the libcap source code in April of 2023. The audit was sponsored
by the Open Source Technology Improvement Fund (https://ostif.org/).
Audit ref: LCAP-CR-23-02 (CVE-2023-2603)
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
This function returns a positive number (errno) on error, so the code
wasn't previously freeing some memory in this situation.
Discussion:
https://stackoverflow.com/a/3581020/14760867
Credit for finding this bug in libpsx goes to David Gstir of
X41 D-Sec GmbH (https://x41-dsec.de/) who performed a security
audit of the libcap source code in April of 2023. The audit
was sponsored by the Open Source Technology Improvement Fund
(https://ostif.org/).
Audit ref: LCAP-CR-23-01 (CVE-2023-2602)
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
It looks like I broke the kdebug target build when I dropped fully
static building of capsh and friends. Discovered this, looking at
answering:
https://unix.stackexchange.com/questions/741532/launch-process-with-limited-capabilities-on-minimal-busybox-based-system
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
Use type *id everywhere instead of using type * id and type* id
in some places. Also remove superflous spaces after commas, and closing
parentheses.
While doing this, I also fixed a C syntax mistake in an example in
cap_launch.3
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
Also include the `go mod tidy` detail.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
There were a few straggler API functions in libcap and libpsx.
Also some functions that should be hidden from references outside
the library.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
These three files were left over, they should have been
removed in the last commit.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
This code is investigating the issue:
https://bugzilla.kernel.org/show_bug.cgi?id=216610
This present commit extends x86_64 (aka amd64) support to 32-bit
arm build support. It is now possible cross compile the program
for the Raspberry Pi. To do this, the code needs 'docker' to work.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
When run via sudo, compare-cap exits with some file capabilities
left on its binary file. This is a test binary, so that's not a
big problem, however, it does mean that a 2nd run of the program
is started with, potentially, a different initial state.
This commit fixes that exit condition and addresses:
https://bugzilla.kernel.org/show_bug.cgi?id=217018
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
Increase the enforcement of the documented libcap API by marking
internal library utility functions as "hidden". This also goes
for the .so executable entry points.
This addresses this bug:
https://bugzilla.kernel.org/show_bug.cgi?id=217014
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
While we test this in many other places, we didn't test this
explicitly in the psx.go local testing before. Now we do.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
If you have local files:
.../libcap/doc/local-md.preamble
.../libcap/doc/local-md.postscript
when you run .../libcap/doc/mkmd.sh these two files will be inlined
into the generated index.md file.
This addresses:
https://bugzilla.kernel.org/show_bug.cgi?id=217007
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
Explicitly add (void) as argument lists for two function definitions:
cap_reset_ambient(void)
_libcap_initialize(void)
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
I generated mirror on github to conveniently see the .md docs and
found a few typos.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
It took me a while to figure out why optimized C compilation seemed
to generate miscomputation of the Fibonacci number sequence. It appears
to be an unresolved issue with Go's internal linking which is discussed
here:
https://github.com/golang/go/issues/24321
For a compute kernel, it seems important to be able to accommodate
compiler optimization. This adds some refinement for the strategy
I'm exploring to address:
https://bugzilla.kernel.org/show_bug.cgi?id=216610
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
This example was developed while investigating the issues discussed in:
https://bugzilla.kernel.org/show_bug.cgi?id=216610
At this time, it is not possible to build CGO_ENABLED=1 and include
the "psx" package without using its "cgo"-tagged build variant.
This example provides a worked example of doing the opposite: link a
CGO_ENABLED=0 binary with "psx", including some compiled C code.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
Günther Noack reported some issues with automated dependency checking in
https://bugzilla.kernel.org/show_bug.cgi?id=216609
Perhaps these additional lines will help assist those things.
I did find a typo in pam_cap/execable.c so I've fixed that.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
This started out as addressing this bug:
https://bugzilla.kernel.org/show_bug.cgi?id=216585
But I then made crosslink.sh to figure out what I had missed, and
fixed those bits too.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
There is a longstanding WONT_FIX bug:
https://sourceware.org/bugzilla/show_bug.cgi?id=12491
that has been causing capsh, when linked fully statically,
to segfault. So, for non-dynamic linking of capsh etc utilities
only link statically to libcap. This way, in tree builds can be
guaranteed to get to execute with in tree API changes. For
normal installations, DYNAMIC=yes works as before.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
This exploit code requires a make variable to activate, but
is used in the companion article discussing this code to compare
and contrast setuid-root to file capable privilege. Tl;dr don't
use setuid-root for shared libraries in this way!
Follow along here:
https://sites.google.com/site/fullycapable/capable-shared-objects
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
Details:
https://www.mit.edu/afs.new/sipb/project/debathena/lintian/www/tags/manpage-has-bad-whatis-entry.html
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
* GNU grep 3.8 considers `egrep` and `fgrep` obsolescent and throws warnings:
./mkcapshdoc.sh > capshdoc.c.cf
fgrep: warning: fgrep is obsolescent; using /bin/grep -F
fgrep: warning: fgrep is obsolescent; using /bin/grep -F
fgrep: warning: fgrep is obsolescent; using /bin/grep -F
fgrep: warning: fgrep is obsolescent; using /bin/grep -F
[...]
https://lists.gnu.org/archive/html/info-gnu/2022-09/msg00001.html
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
This addresses this bug reported by Paulo Andrade (thanks!):
https://bugzilla.kernel.org/show_bug.cgi?id=216514
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
$ make
$ sudo go/captrace your-program
will attempt to explore what capabilities are needed to run
your program by observing when cap_capable() inside the kernel
is associated with your-program.
Other ways to invoke this are
$ sudo go/captrace --pid=<pid>
$ sudo go/captrace
The last of these traces everything running on a system.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
Address some corner cases and trim down the size of the code a bit.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
Signed-off-by: Jakub Wilk <jwilk@jwilk.net>
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
Also down size the default capabilities needed by the 'sucap' su program.
This is aimed at addressing:
https://bugzilla.kernel.org/show_bug.cgi?id=215926
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
I'm not 100% sure this is needed, but I'm not yet convinced
'make distclean && make -j48 test' works reliably, but I find this
easier to reason about.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
Missed a vendor dependency for the ok.go file. More recent go releases
seem more picky about module or vendoring being used, and for the in-tree
builds we consistently use vendoring. So make sure the vendoring
directory set up has completed before trying to build ok.go.
The failure was reported by Tomasz Kłoczko.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
These updates should also be available on keyservers.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
The deadlock issue is fixed in go1.18.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
This change adds support to capsh for the --noenv argument, which
will restore pre-libcap-2.65 behavior to capsh. The change we're
making here, however, is that capsh will now set the USER and HOME
environment variables when the command line contains --user=xxx.
The issue this addresses is described here:
https://bugzilla.kernel.org/show_bug.cgi?id=215926
This has been annoying me for long enough, and I want to clean up
the article:
https://sites.google.com/site/fullycapable/inheriting-privilege
to not pepper "--norc" in distracting places.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
- cap_get_pid() add detail about the function argument and return
value when used across namespaces. Thanks to nemonemo for reporting:
https://bugzilla.kernel.org/show_bug.cgi?id=215812
- cap_reset_ambient() had some factually incorrect content. Thanks to
Tinker One for reporting:
https://bugzilla.kernel.org/show_bug.cgi?id=215910
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
Bug reported with fix from yixiangzhike.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
Include more detail about command line expectations
and exit status values.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
go/captree was seeing lots of libcap_psx_test processes hanging around.
It turns out that the newly added _psx_cleanup() function was deadlocking
because inside a forked processes the psx_tracker.state was _PSX_INFORK
and never _PSX_IDLE.
This completes the fix for:
https://bugzilla.kernel.org/show_bug.cgi?id=215551
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
It looks like various distributions are fairly far behind HEAD for
their version of libcap. This way folk can work around a lack of
features in their code.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
Addresses:
https://bugzilla.kernel.org/show_bug.cgi?id=215812
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
Bug reported by Anderson Toshiyuki Sasaki:
https://bugzilla.kernel.org/show_bug.cgi?id=215772
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
It looks like go1.18 is going to default to CGO_ENABLED=0, so force
CGO_ENABLED=1 when building this cap-libcap comparison program.
Fixes:
https://bugzilla.kernel.org/show_bug.cgi?id=215603
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
Kalen Hall reported that Valgrind detected a memory leak associated
with a multi-threaded program linked against libcap and libpsx.
https://bugzilla.kernel.org/show_bug.cgi?id=215551
I've been unable to validate this myself with valgrind (likely holding
it wrong), but did explore psx for allocated memory and via fprintf's
convinced myself that this change should pair all calloc()s with a
corresponding free().
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
I've upgraded one of my systems to Fedora 35 and I found trimming
the headers in this way made the three compilations of libcap, used
by `make distcheck`, work with standard Fedora 35 compiler packages.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
The CGO_ENABLED=0 failure mode is discussed in:
https://github.com/golang/go/issues/50113
At the present time, this only passes when the psx package is compiled
CGO_ENABLED=1. The problem being that a blocking read cannot be
interrupted by the CGO_ENABLED=0 build of package "psx". It does not
deadlock when compiled CGO_ENABLED=1 because the psx signal wakes the
reading thread up back into user space.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
Since libcap does some error testing with a pre-main() constructor,
reset errno to zero as that constructor returns.
Problem reported by Yang Xu.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
When a syscall that yields different return values is called from
the Go psx.Syscall*() API, we want to mirror the behavior of the
native golang runtime.AllThreadsSyscall() function.
The previous inconsistency was pointed out by Lorenz Bauer in:
https://bugzilla.kernel.org/show_bug.cgi?id=215283#c8
[I decided to defer this change until 2.63, and not include this
in the bug-fix for 215283, on the grounds it is a slight
incompatibility in runtime behavior, and wanted to give folk an
opportunity to plan for it. This new behavior enforcement will
crash an unprepared go program.]
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
This should complete the fix for:
https://bugzilla.kernel.org/show_bug.cgi?id=215283
Simplify the code, and add a test that the kernel has confirmed that
the thread is no longer running.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
Lorenz Bauer found a race condition in the cap.Launcher teardown
process and reported it here:
https://bugzilla.kernel.org/show_bug.cgi?id=215283
This seems to significantly improve the situation. I'm going to
study the test case some more, but this is definitely part of the
solution.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
David Seifert at Gentoo made a request to not require perl for
the libcap build since their distribution wants to build it prior
to building perl and so requiring it requires they maintain some
extra patches.
We previously introduced the need for perl in response to some
apparent incompatibilities between various versions of sed:
https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=9494a1fab59ac0b6e4f0bfc536fa482c6d6490b6
However, it has been 13 years since that time so we're optimistic
those problems are no longer present for anyone and we've also
added a make variable abstraction in case some builder wants to
override their system default 'sed' as make BUILD_SED=... etc.
We've also done something similar with make uses of grep, egrep
and fgrep.
Finally, for make variable naming consistency, we've replaced use
of BUILD_GPERF with USE_GPERF. Since folk may be using BUILD_GPERF
in their package building scripts, we error out if it is set.
The expectation is that people will update their package defs.
(Eventually, we plan to reuse BUILD_GPERF as an alias for 'gperf'.)
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
The previous commit crossed the beams on libpsx.so and libcap.so
executable build. This commit decouples them.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
Mostly cause we can, but this gives a little more diagnostic
value to the libcap.so executable mode of operation.
usage: libcap.so [--help|--usage|--summary]
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
This function has been defined for a while (since libcap-2.30),
but I just found it wasn't documented.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
Not sure where this will go, but libcap.so uses _libcap_initialize()
to set itself up at start up. So, run it when invoking libcap.so
directly as a binary.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
There seems to be a subtle difference between glibc and musl over
whether or not a runnable *.so needs to start out with its stack
aligned to 16 bytes or not. Since Linux ABIs for x86 (both 32 and
64 bit varieties) require 16 byte alignment, just force it on both
these architectures.
This addresses:
https://bugzilla.kernel.org/show_bug.cgi?id=215009
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
This was reported by Sam James and debugged with respect to:
https://bugs.gentoo.org/show_bug.cgi?id=820071
Modern versions of glibc employ SSE instructions that require the
stack to be aligned to 16 bytes in order to execute movaps and
friends to stack stored memory. The ABI for x86_64 requires this
alignment so we'd not seen this issue before being cc:d into the
bug.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
This makes explaining how the program works more straightforward.
That is:
make CAPSO_DEBUG=-DCAPSO_DEBUG clean all
builds a version that prints out some helpful info and pauses so
the user can observe the capability state of the process tree at
different stages of execution.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
This seems more stable for passing file descriptor from privileged
child to unprivileged parent.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
I've been exploring the idea of how to create limited use privileged
binaries that can be linked into otherwise unprivileged binaries.
This is a worked example of the bootstrapping process for a webserver.
I intend to provide a more complete writeup of what is going on with this
example here:
https://sites.google.com/site/fullycapable/capable-shared-objects
For this present example to work you have to be using a libcap that
includes cap_launch support (ie., libcap 2.33+, but this code will be
included with libcap-2.61 and might inadvertently actually require
something that new to work robustly).
This code appears to be very fragile at present. It works on my
Chromebook's linux container, but not under Fedora 34 - segfaulting.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
Bug reported by meitingli:
https://bugzilla.kernel.org/show_bug.cgi?id=214911
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
Bug reported by Artem S. Tashkinov:
https://bugzilla.kernel.org/show_bug.cgi?id=214909
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
The flag --quiet causes capsh to suppress its startup check that
the linked libcap has support for all of the named capabilities
of the hosting kernel.
The cap_launch() support is via "-+" and "=+" arguments. These use
cap_launch() to fork() before exec*()ing the corresponding command
but are otherwise equivalent to "--" and "==" respectively.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
We had somewhat inconsistent checks before, so this should cut
down on corner cases to worry about.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
Previously, the atomicity was not uniformly enforced.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
Improve atomicity of Launcher and IAB use within the cap package.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
Modify the cap_launch() behavior when chroot is set. Now, the
launcher code will force the post chroot() environment to
chdir("/").
Modify the API for many of the cap_launch_*() functions that
previously were void, to returning int (0=OK, -1=see errno).
I'm confident that this should be code backwardly compatible,
since the return values are new and prior code would have been
assuming success.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
Embed mutex locked operation into the IAB API. The idea being that
while libcap operates on an IAB tuple, it cannot be operated on by
a thread running in parallel. This makes IAB access thread safe (but
not reentrant).
The only potential API behavioral change is that the IAB tuple
associated with a cap_launcher_t is now locked for the duration of
its association with that launcher. This prevents a race condition
with launching and another thread changing that IAB tuple.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
If two threads operate on the same cap_t value, ensure that the
operations occur atomically. (Not, however, reentrantly.)
Also added some sanity checking to cap_set_nsowner() and cap_get_nsowner().
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
This API avoids a complex use case that requires substantially
more code outside of libcap.
Signed-off-by: Andrew G. Morgan <agm@google.com>
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
In the vast majority of cases, code will not need to
override the "/proc" root directory, so treat NULL
as equivalent to "/proc".
Signed-off-by: Andrew G. Morgan <agm@google.com>
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
Addresses the issues listed here:
https://bugzilla.kernel.org/show_bug.cgi?id=214579
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
Signed-off-by: Andrew G. Morgan <agm@google.com>
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
This was a regresssion introduced in libcap-2.55. Fixed in libcap-2.59.
Added a cap_launch NULL test too. Comparing against NULL would cause a
SIGSEGV against these library revisions.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
In 2.54 (*Set).Compare() was deprecated in favor of (*Set).Cf(),
so update the top level comment to reflect the preferred API.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
Deprecation has a stylized comment format as per go.dev.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
As with the other D(()) entries in the pam_cap.so module, this
is enabled if the /* #define PAM_DEBUG */ comment is uncommented
at the top of the pam_cap.so file.
I tried this on a sample app and it didn't actually follow the
documentation:
http://www.linux-pam.org/Linux-PAM-html/adg-interface-by-app-expected.html#adg-pam_end
where no pam_end() call was made to terminate the fork()ed copy of the pamh
value. That app needs to be fixed.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
While the session idea worked with contrib/sucap/su.c, it failed on
more traditional PAM apps. For a second (likely last) attempt to find a
path, I've deleted the session support and now attempt to do the setting
via a PAM data item cleanup() callback. In the contrib/sucap/su.c code,
evolved from the original SimplePAMApps 'su', there is a
pam_end(pamh, PAM_SUCCESS | PAM_DATA_SILENT)
from within the fork()d launcher code, so I hope this convention is
standard for all the PAM apps that came after.
The suggested config for this module for an app, that wants to support
the Ambient vector, is thus now:
#%PAM-1.0
auth required pam_cap.so keepcaps defer
auth required pam_unix.so
account required pam_unix.so
password required pam_unix.so
session required pam_unix.so
This is all part of an effort to address:
https://bugzilla.kernel.org/show_bug.cgi?id=214377
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
Also include the aggressive default CFLAGS, and fix the many many
issues it uncovered. (Honestly, it was a wonder it worked at all
before.)
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
This is an attempt to address:
https://bugzilla.kernel.org/show_bug.cgi?id=214377
The basic structure is you configure PAM with a config like this:
#%PAM-1.0
auth required pam_cap.so use_session keepcaps
auth required pam_unix.so
account required pam_unix.so
password required pam_unix.so
session required pam_unix.so
session optional pam_cap.so
Here the "auth" part prepares the application with "keepcaps", and the
"use_session" instructs the module to apply any IAB tuple for the user
at session open time and not during the setcred (auth) flow.
This has been tested against the contrib/sucap implementation of su.
The "use_session" support should work with more standard PAM enabled
apps too, but I'll wait for some positive feedback (see the bug)
before declaring it stable.
FWIW the contrib/sucap/su app also supports this config for Ambient
vector setting (without a "session" invocation of pam_cap.so):
#%PAM-1.0
auth required pam_cap.so
auth required pam_unix.so
account required pam_unix.so
password required pam_unix.so
session required pam_unix.so
but that is because the sucap/su app is more tightly integrated with
libcap than the standard PAM apps.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
Credit to yan12125 for finding this bug:
https://bugzilla.kernel.org/show_bug.cgi?id=214373
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
Part of the reason for the QEMU kernel test is to fully test
the library against kernels without requiring sudo.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
These were broken as a result of delaying building the test and sudotest
binaries until they were actually needed.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
I've been looking at reasons packagers are not building the Go binaries
and found this with respect to RPMs:
https://github.com/rpm-software-management/rpm/issues/367
There has been no easy way to inject the otherwise unneeded workaround:
-ldflags=-linkmode=external for building (which, strangely, generates
some sort of warning and gratuitously links glibc to an otherwise
static build), but seems to work.
Until RPM supports Go's native '.note.go.buildid', and RPM requires
'.note.gnu.build-id' on binaries, I guess this can work around it:
GO_BUILD_FLAGS='-ldflags=-linkmode=external'
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
One more missing dependency for pam_cap.so building.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
Based on what I see on go.dev, there seems to be some preferred
comment style for deprecating a function. Use it to help spread
the word.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
Up to this point, capsh hides some complexity concerning raising
the CAP_SETPCAP in order to raise inheritable and drop bounding
set values. This made it harder to explain some aspects of
inheritance, and I ran into that detail writing this:
https://sites.google.com/site/fullycapable/why-didnt-that-work#h.z7rwbcazhr4r
Refactored capsh.c to clean up some buggy code, and also fix some
documentation, including reference to the --strict argument.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
cap.Set's have Flag component Values
cap.IAB's have Vector component Values
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
Tried make -j12 and these fixes were needed.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
Things like /proc/* files don't support capabilities on them and
if getcap looks at them it generates a lot of errors. Treat it as
equivalent to there being no capability on the file.
This addresses
https://bugzilla.kernel.org/show_bug.cgi?id=214317
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
This addresses the feature request:
https://bugzilla.kernel.org/show_bug.cgi?id=214319
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
Make build a bit quicker for folk that don't want to run tests.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
Summary:
- Always keep $(WARNINGS) when overriding CFLAGS
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
Disable with --colo[u]r=false or pipe into something else.
Ex. 'captree | cat'
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
Added --color as an argument to make it easier to spot what you
are looking for in the output.
This addresses item (2) of:
https://bugzilla.kernel.org/show_bug.cgi?id=214269
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
This addresses issue (1) of:
https://bugzilla.kernel.org/show_bug.cgi?id=214269
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
* Respect user's CFLAGS/CPPFLAGS/LDFLAGS
* Respect $(MAKE)
* Remove CPPFLAGS from link rules
Note: for in-tree built test binaries, where we build --static,
we do not apply LDFLAGS: we want to limit external
dependencies in general; and users' LDFLAGS have a strong
tendency to conflict with --static for linking.
Work in collaboration with David Seifert (ie, he wrote most of it).
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
This fixes a bug preventing 'make test' from working when invoked by root.
Bug reported by David Seifert:
https://bugzilla.kernel.org/show_bug.cgi?id=214257
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
As explained (thanks David Seifert) there are some LDFLAGS that
need to precede actual linked libraries. For example, -Wl,--as-needed.
Given this, I've tried it and it appears to work for the default
build cases as captured in 'make distcheck'.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
Noticed that we weren't applying the same amount of flag discipline
to local BUILD_* tool rules. Fixing that, I see we've been carrying
a source code issue in libcap/_makenames.c for a while. (FIXED).
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
Some fixes, some more efficient URLs, some more coherrent cross-references.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
Add some features to captree. I plan to post a companion article
here:
https://sites.google.com/site/fullycapable/captree
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
I'm setting up some testing environments and they are not all
created equal.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
I figured out that the key ingredient to reproducing this issue
was:
make COPTS="-D_FORTIFY_SOURCE=2 -O1 -g" clean test
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
Add more debug logging.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
Not sure exactly what is causing the build server to fail (can't
reproduce yet), but add some extra padding to a calloc and also
some test debugging printf()s.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
This is needed to locally configure libcap to find the pid data
if the proc filesystem is not mounted at "/proc" (rare). Currently
libcap only uses this info to implement cap_iab_get_pid().
This brings libcap back to parity with the Go "cap" package.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
Further observations from Zoltan Fridrich's static analysis of libcap.
This commit also includes a fix for something I broke with the last
round of "fixing", and a test to make sure I don't make that mistake
again.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
We also add the cap.ProcRoot() API to let the user redirect to their
local /proc/ directory - in case anyone runs with an unusual setup
like that.
I've been studying the downstream package definitions and no one
it doesn't seem popular to build the Go packages. Indeed, Go folk
themselves prefer to install via modules anyway, so we're getting
with the program.
However, if folk want to build test the Go stuff as part of a package
build and run an install as well, we reward them with the 'captree'
binary.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
Clang helpfully noticed that libcap allocated things should be 64-bit
aligned on 64-bit platforms. Restructure the memory allocation to ensure
this.
Fixes:
https://bugzilla.kernel.org/show_bug.cgi?id=214183
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
This series of issues was found by Zoltan Fridrich.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
Use something like:
make SUDO=my_sudo sudotest
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
This was inspired by a feature Debian has been patching orginally
credited to Zhi Li.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
These allow overriding of the sbin target directory with
make sbindir=xxx
or
make sbin=xxx
We've recently made some CPPFLAGS changes, so I'm not going to
disturb those further this iteration.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
We're comfortable ignoring a write return code, but not all compilers
are so display a comment when the write in the uns_test fails.
This addresses:
https://bugzilla.kernel.org/show_bug.cgi?id=214143
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
The combined options 'getpcaps --iab --verbose' will show everything
in detail (even the boring stuff).
Also used this exercise to test the libcap changes for iab comparisons.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
The intention was to force --static linking in only one corner case,
so be more explicit about that one, and revert the build behavior
in the others.
Reason for doing this was feedback from Arnout Vandecappelle in:
https://bugzilla.kernel.org/show_bug.cgi?id=214023#c16
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
I've yet to understand why this is needed. But, apparently, folk
feel strongly that there is a reason one might want to force it
one way or another. If you don't care one way or the other, let
the Makefiles figure out something that works.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
objcopy takes an input file and an output file as arguments. If the
output file is left out, the input file will be overwritten.
Since the objcopy command used to generate loader.txt only does a
dump-section and no filtering, in practice there is no change to empty.
However, as a side-effect, its timestamp is updated. The timestamp of
empty and of loader.txt will be more or less the same; however,
loader.txt is closed just before the output file is closed, so it's
possible that the timestamp of loader.txt is just a little bit earlier.
If this happens, it causes loader.txt to be rebuilt later, which in turn
causes a number of other object files to be rebuilt.
Usually that's harmless, but it sometimes causes the rebuild to happen
during 'make install'. This is particularly annoying if 'make install'
is done as root, since loader.txt becomes owned by root in that case.
Fix this by specifying a harmless output file: /dev/null.
Fixes: ee3b25c0a877fa74d1aec88f325ac45b09963c82
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
This brings libcap back to parity with the Go 'cap' package. We
provide a CAP_IAB_DIFFERS(result, vector) macro to evaluate the result
of cap_iab_compare().
Extend the getpcaps arguments to include --iab. This causes the utility
to explore the IAB tuple for the specified process. When used, this
outputs a text representation in a similar format to that of the
'captree' (Go) utility.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
This is a small command line utility for doing something like pstree
but focused on revealing the full capability state of the processes
and threads shown.
This requires support provided in the cap.IABGetPID() function which
will debut in libcap-2.54. For now, the binary is only buildable from
HEAD in the git repository.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
Older APIs remain but are documented as deprecated. If we ever need
to release a golang version "2" version of the library, I'll drop
support for deprecated functions, but I have no intention of needing
to do that. In the mean time, the deprecated functions are wrappers
around the new functions.
New API: *Set and *IAB have .Cf() functions now. That return a
[IAB]Diff value. This value, if 0, means the compared pointers
match one another. Non-zero values can be interogated with the
([IAB]Diff).Has() functions.
Also, add an IABGetPID() function. Since the kernel provides no
syscall support for this, we have to resort to parsing the /proc/
files. Implemented mostly for parity with the syscall backed
GetPID() *Set returning API.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
Looks like the system call wrapper wasn't migrated properly when
I added support to get fakeroot (
https://bugzilla.kernel.org/show_bug.cgi?id=206539
) working again. That is, all builds in the inclusive range
libcap-[2.28, 2.53] have this issue.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
This started out as a refactoring of a patch provided by Samanta Navarro.
Reworked, I noticed a latent memory leak in cap_iab_get_proc(), so I've
fixed that too.
Also, migrated a compile failure check to a more useful cap_test for a
highly unlikely corner case (future proofing). While there, noticed
and fixed the binary search test and code (not sure what it was testing
before).
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
The calloc and asprintf functions can return NULL if not enough memory
is available. The majority of the code base checks for this condition
already.
Signed-off-by: Samanta Navarro <ferivoz@riseup.net>
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
If a string with more than UINT_MAX characters is passed into
cap_from_text, then an endless loop occurs in lookupname.
This is clearly an edge case but the fix is very simple as well:
Use size_t instead of unsigned.
Signed-off-by: Samanta Navarro <ferivoz@riseup.net>
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
This also required locally augmenting CFLAGS with -fPIC in the
Makefile's that required it.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
Since 2.52 these libraries have supported being run as binaries
so install them as such.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
Typos found with codespell
Signed-off-by: Samanta Navarro <ferivoz@riseup.net>
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
Samanta Navarro included this in their suggested fix, but I missed
including it in the previous commit. Fixed now.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
All credit for this fix goes to Samanta Navarro. The launch error
propagation code was evidently broken previously.
Samanta also provided a proof of concept test case and we've
included that in the tests/libcap_launch_test.c.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
Discussion of one such setup in this bug (reported by David Runge):
https://bugzilla.kernel.org/show_bug.cgi?id=214023
Work around the failure to run ./pam_cap.so in these cases with
some more Makefile magic, and adjust test building with these
flags so it works in DYNAMIC=yes|no and SHARED=yes|no cases.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
I didn't realize CC=clang used to work. Now it does again.
I've also added a test build for clang in distcheck.
This fixes:
https://bugzilla.kernel.org/show_bug.cgi?id=214047
Also, add a note about pam_cap.so building after debugging:
https://bugzilla.kernel.org/show_bug.cgi?id=214023
Finally, removed a redundant LDFLAGS link directory override.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
Move it to where it makes sense.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
Slavi Marinov was asking about how a single webserver might use the
cap package to serve different content as a different user? So I
realized this detail wasn't obvious from the package documentation.
I also put together this example sketch:
https://play.golang.org/p/6Hr0XW3JP6a
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
That is, this 'su' is not to be installed setuid-root. It is intended
to be installed `setcap =p su`.
With latest PAM sources (ie., newer than Linux-PAM 1.5.1 [*]) and
libcap this is able to validate that ambient capabilities can be applied
by pam_cap.so. For discussion, see this bug:
https://bugzilla.kernel.org/show_bug.cgi?id=212945
Caution. I've done very little auditing of this binary. So, I expect
(and will be happy if folk find them) to hear about bugs etc. What makes
me excited is to explore the ways in which classic "setuid-root" exploit
vectors exhibit with bugs in this code...
[*] At the time of writing Linux-PAM 1.5.1 is the latest release and that
was before the needed pam_unix.so support was committed. See
https://github.com/linux-pam/linux-pam/issues/317#issuecomment-869064103
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
When Linux-PAM was getting its act together (more than two decades ago)
we cobbled together a set of system apps and made them use Linux-PAM
for authentication. Once Redhat shipped Linux-PAM, the mainstream
versions of these apps adopted Linux-PAM and these simple ones withered.
I want to explore some pam_cap.so related issues and so I've resurrected
one of them, su, which announces itself to libpam with the name "sucap".
I'm not sure where I'll go with this yet, but my first goal is to
reproduce the issue:
https://bugzilla.kernel.org/show_bug.cgi?id=212945
and validate the workaround I've added to that module is sufficient.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
Deliberately free memory when appropriate as a normal part of
executing a .so object.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
A small perf optimization for the common case. Mostly, this change
is to fix a comment.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
If /proc/ isn't mounted, the command line won't be available there.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
This prints module information and supports the sole optional
argument --help.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
Some system libraries support being run as regular executables.
Now that I have figured out how to do it, add support for libcap.so
and libpsx.so to print some information and exit.
Note, I've explained how most of this stuff works in this answer:
https://stackoverflow.com/a/68339111/14760867
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
|
This is equivalent to 'capsh --print|fgrep Current'. I've been using
that combination a lot in the write-ups on the libcap website
(https://sites.google.com/site/fullycapable/) and so it struck me
that capsh probably should support it natively.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|