AntonioCS
Reputation: 8506
Using linux capabilities in c
I am trying to understand how capabilities work and I am using code from here:
https://gist.github.com/sbz/1090868
I created an array with all the permissions:
cap_value_t cap_list_[] = {
CAP_CHOWN,
CAP_DAC_OVERRIDE,
CAP_DAC_READ_SEARCH,
CAP_FOWNER,
CAP_FSETID,
CAP_KILL,
CAP_SETGID,
CAP_SETUID,
CAP_SETPCAP,
CAP_LINUX_IMMUTABLE,
CAP_NET_BIND_SERVICE,
CAP_NET_BROADCAST,
CAP_NET_ADMIN,
CAP_NET_RAW,
CAP_IPC_LOCK,
CAP_IPC_OWNER,
CAP_SYS_MODULE,
CAP_SYS_RAWIO,
CAP_SYS_CHROOT,
CAP_SYS_PTRACE,
CAP_SYS_PACCT,
CAP_SYS_ADMIN,
CAP_SYS_BOOT,
CAP_SYS_NICE,
CAP_SYS_RESOURCE,
CAP_SYS_TIME,
CAP_SYS_TTY_CONFIG,
CAP_MKNOD,
CAP_LEASE,
CAP_AUDIT_WRITE,
CAP_AUDIT_CONTROL,
CAP_SETFCAP,
CAP_MAC_OVERRIDE,
CAP_MAC_ADMIN
};
I then try to disable everything:
if (cap_set_flag(cap, CAP_PERMITTED, 34, cap_list_, CAP_CLEAR) == -1) {
perror("cap_set_flag cap_mac_admin");
cap_free(cap);
exit(-1);
}
if (cap_set_flag(cap, CAP_EFFECTIVE, 34, cap_list_, CAP_CLEAR) == -1) {
perror("cap_set_flag cap_mac_admin");
cap_free(cap);
exit(-1);
}
I then try to do the following:
chown("/home/user/test/file", 500, 500);
This works. This changes the owner of the file. This is just for testing purposes but I thought with all the permissions revoked I would not be able to do this.
Upvotes: 0
Views: 2502
Answers (1)
Douglas Leeder
Reputation: 53320
You need to call cap_set_proc with your local variable changes to apply them to your process/thread.
Upvotes: 1
Related Questions
- How to find out what Linux capabilities a process requires to work?
- Changing capabilities of the process
- File capabilities do not transfer to process once executed
- Test for linux CAP_FOWNER capability in C?
- Request Linux Capabilities During Runtime
- How to use CAP_SYS_ADMIN
- What does it means to have a capability only in the inheritable set?
- Linux inheritable capability cleared on program start
- Do Linux capabilities partition the possible privileged operations?
- Grant capabilities to a running process