author | Andrew G. Morgan <morgan@kernel.org> | 2016-01-30 16:11:04 -0800 |
---|---|---|
committer | Andrew G. Morgan <morgan@kernel.org> | 2016-01-30 16:11:04 -0800 |
commit | 22579a76da810d3cc58cf3e802b29a28082ea5cd (patch) | |
tree | be85e233df3f5998859cbcc298dfab9b1ce3cc74 | |
parent | 85f38a573fc47472ab792e813b6f6b6f0b1df112 (diff) | |
download | libcap-22579a76da810d3cc58cf3e802b29a28082ea5cd.tar.gz |
Sigh. Compiling capsh statically and we get no getpw*() functions.
This is, at least, true on my Fedora based system. The chroot tests
won't work with a dynamic binary, so stop using --user and use --uid
instead.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
-rwxr-xr-x | progs/quicktest.sh | 16 |
1 files changed, 10 insertions, 6 deletions
diff --git a/progs/quicktest.sh b/progs/quicktest.sh
index ca6bf1e..48c9b9e 100755
--- a/progs/quicktest.sh
+++ b/progs/quicktest.sh
@@ -89,21 +89,25 @@ if [ $? -ne 0 ]; then
 exit 0
 fi
+# nobody's uid. Static compilation of the capsh binary can disable pwd
+# info discovery.
+nouid=$(/usr/bin/id nobody -u)
+
 pass_capsh --secbits=42 --print
 fail_capsh --secbits=32 --keep=1 --keep=0 --print
 pass_capsh --secbits=10 --keep=0 --keep=1 --print
-fail_capsh --secbits=47 -- -c "./tcapsh --user=nobody"
+fail_capsh --secbits=47 -- -c "./tcapsh --uid=$nouid"
 rm -f tcapsh
 # Suppress uid=0 privilege
-fail_capsh --secbits=47 --print -- -c "./capsh --user=nobody"
+fail_capsh --secbits=47 --print -- -c "./capsh --uid=$nouid"
 # suppress uid=0 privilege and test this privileged
-pass_capsh --secbits=0x2f --print -- -c "./privileged --user=nobody"
+pass_capsh --secbits=0x2f --print -- -c "./privileged --uid=$nouid"
 # observe that the bounding set can be used to suppress this forced capability
-fail_capsh --drop=cap_setuid --secbits=0x2f --print -- -c "./privileged --user=nobody"
+fail_capsh --drop=cap_setuid --secbits=0x2f --print -- -c "./privileged --uid=$nouid"
 # change the way the capability is obtained (make it inheritable)
 ./setcap cap_setuid,cap_setgid=ei ./privileged
@@ -111,7 +115,7 @@ fail_capsh --drop=cap_setuid --secbits=0x2f --print -- -c "./privileged --user=n
 # Note, the bounding set (edited with --drop) only limits p
 # capabilities, not i's.
 pass_capsh --secbits=47 --inh=cap_setuid,cap_setgid --drop=cap_setuid \
- --uid=500 --print -- -c "./privileged --user=nobody"
+ --uid=500 --print -- -c "./privileged --uid=$nouid"
 rm -f ./privileged
@@ -139,7 +143,7 @@ if [ $status -ne 0 ]; then
 fi
 # Max lockdown
-pass_capsh --keep=1 --user=nobody --caps=cap_setpcap=ep \
+pass_capsh --keep=1 --uid=$nouid --caps=cap_setpcap=ep \
 --drop=all --secbits=0x2f --caps= --print
 # Verify we can chroot |
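Review bot: The new `nouid=$(/usr/bin/id nobody -u)` lookup in the first hunk is never checked, so if `id` is not at that path or the `nobody` account does not exist, every later `--uid=$nouid` (the four tests in this hunk, the `--uid=500` test in the second hunk and the "Max lockdown" line in the third) runs with an empty value. These tests assert that switching to an unprivileged uid succeeds or fails under particular securebits, and an empty `--uid=` would presumably be parsed by capsh as some other uid (possibly 0), so a pass or fail would no longer say anything about the privilege drop. I would stop the run instead, e.g. `nouid=$(/usr/bin/id -u nobody) || { echo "cannot resolve uid of nobody"; exit 1; }`, which also puts the option before the operand as POSIX `id` expects. The unquoted expansion on the "Max lockdown" line in the third hunk is better written `"--uid=$nouid"`.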