nora nora

Reputation: 21

Attempt to elevate to the chroot capability fails, WHY?

In order to execute

must(syscall.Chroot("/home/nora/Bureau/Perso/os/ubuntu-base-14.04-core-amd64"))

I need to grant the SYS_CHROOT capability to the process as follows:


    package main

    import (
        "log"
        "syscall"

        "kernel.org/pub/linux/libs/security/libcap/cap"
    )

    // must aborts on any error (assumed helper; the asker's definition is not shown)
    func must(err error) {
        if err != nil {
            log.Fatal(err)
        }
    }

    func main() {
        // Start from the capability sets the kernel currently holds for this process
        c := cap.GetProc()
        // Temporarily add SYS_CHROOT capability
        if err := c.SetFlag(cap.Effective, true, cap.SYS_CHROOT); err != nil {
            log.Fatalf("Failed to set capability: %v", err)
        }

        // Re-check the capabilities (SYS_CHROOT should now be effective)
        c = cap.GetProc()
        log.Printf("this process has these caps: %s", c)

        // Check if the capability is granted
        if on, _ := c.GetFlag(cap.Permitted, cap.SYS_CHROOT); !on {
            log.Fatalf("Insufficient privilege to execute syscall.Chroot - required capability not granted")
        }

        // Execute the syscall.Chroot operation
        must(syscall.Chroot("/home/nora/Bureau/Perso/os/ubuntu-base-14.04-core-amd64"))

        // Remove SYS_CHROOT capability
        if err := c.SetFlag(cap.Effective, false, cap.SYS_CHROOT); err != nil {
            log.Fatalf("Failed to remove capability: %v", err)
        }
    }

But I get "exit status 1: Insufficient privilege to execute syscall.Chroot - required capability not granted", which means the process hasn't been granted the chroot capability. Any clue what the problem could be?

Upvotes: 1

Views: 140

Answers (1)

Tinkerer

Reputation: 1068

The c.SetFlag(...) call only raises the effective bit in the c capability Set. You also need to apply that cap.Set to the process with c.SetProc():

    if err := c.SetProc(); err != nil {
        log.Fatalf("Failed to apply capabilities, %q: %v", c, err)
    }

Upvotes: 1
