Gentoo Forums
.Xscreensaver does not accept password
Hu
Moderator


Joined: 06 Mar 2007
Posts: 21593

Posted: Fri Mar 26, 2021 7:25 pm

I asked my above question thinking about user xattrs, which must be enabled separately. However, your problem is with capability xattrs. I see nothing in the documentation suggesting that you need special mounting to facilitate those, so I don't know why your system is not already working. I have no further advice at this time. Sorry.
pablo_supertux
Advocate


Joined: 25 Jan 2004
Posts: 2931
Location: Somewhere between reality and Middle-Earth and in Freiburg (Germany)

Posted: Fri Mar 26, 2021 9:35 pm

Hu wrote:
I asked my above question thinking about user xattrs, which must be enabled separately.


and how do I set user xattrs?

Hu wrote:
However, your problem is with capability xattrs.


I must confess, I don't understand what's the difference.

Hu wrote:
I have no further advice at this time. Sorry.


no worries, thanks anyway.
_________________
A! Elbereth Gilthoniel!
silivren penna míriel
o menel aglar elenath,
Gilthoniel, A! Elbereth!
Hu
Moderator


Joined: 06 Mar 2007
Posts: 21593

Posted: Sat Mar 27, 2021 4:05 am

You would need the mount option user_xattr, either implicitly or explicitly, to allow use of user xattrs. However, since those are not relevant to your problem, fixing that will not help you.

User xattrs and capability xattrs are in different parts of the xattr namespace, and serve different purposes. Capability xattrs are how file capabilities are implemented/remembered.
pablo_supertux
Advocate


Joined: 25 Jan 2004
Posts: 2931
Location: Somewhere between reality and Middle-Earth and in Freiburg (Germany)

Posted: Sat Mar 27, 2021 11:31 am

Hu wrote:
You would need the mount option user_xattr, either implicitly or explicitly, to allow use of user xattrs. However, since those are not relevant to your problem, fixing that will not help you.

User xattrs and capability xattrs are in different parts of the xattr namespace, and serve different purposes. Capability xattrs are how file capabilities are implemented/remembered.


Thanks for explaining it, but I'm still a little bit confused. Do you have a wiki page/article that explains these things in more detail?

But I also would like to know: who is responsible for setting the capability xattrs to /sbin/unix_chkpwd? The build system, the package maintainer, the sysadmin aka user? And how do you do that? Also, what does cap_dac_override=ep really mean?
Hu
Moderator


Joined: 06 Mar 2007
Posts: 21593

Posted: Sat Mar 27, 2021 4:17 pm

I know of no documentation to which to refer you, though it probably exists somewhere.

Capabilities can be set by the upstream build system or by the ebuild. In this case, I see as the end of sys-libs/pam's pkg_postinst:
Code:
    # The pam_unix module needs to check the password of the user which requires
    # read access to /etc/shadow only.
    fcaps cap_dac_override sbin/unix_chkpwd
Thus, for this package, the answer is that the ebuild sets it. End users should never need to set permissions or capabilities on files installed by Portage, because those files may be replaced on upgrade and the user's changes lost. This would lead to considerable tedium for users.

You can set capabilities using setcap. cap_dac_override=ep means that the capability DAC_OVERRIDE is both effective and permitted. Per man capabilities:
Code:
       CAP_DAC_OVERRIDE
              Bypass file read, write, and execute permission checks. (DAC is an
              abbreviation of "discretionary access control".)
For this purpose, it means that unix_chkpwd can read and write files that its owning uid (your regular user) ordinarily cannot access. This allows it to read your hashed password from /etc/shadow, which is otherwise readable only by root. When run without this capability, it cannot read /etc/shadow, so it cannot determine whether the entered password is the correct one.
pablo_supertux
Advocate


Joined: 25 Jan 2004
Posts: 2931
Location: Somewhere between reality and Middle-Earth and in Freiburg (Germany)

Posted: Sun Mar 28, 2021 1:48 am

OK, thanks.

I just set the capability by hand with setcap cap_dac_override=ep /sbin/unix_chkpwd and now when I do getcap I get this:

Code:

$ getcap /sbin/unix_chkpwd
/sbin/unix_chkpwd cap_dac_override=ep


I then removed the suid bit and locked xscreensaver and now it accepted the password. Great!

Only thing I don't understand is why the capabilities were not set, even though USE=filecaps is set for sys-libs/pam:

Code:

# emerge sys-libs/pam -pv
 * WARNING: The FEATURES variable contains one or more values that
 * should be disabled under normal circumstances: keepwork

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild   R    ] sys-libs/pam-1.5.1::gentoo  USE="berkdb filecaps (split-usr) -audit -debug -nis (-selinux)" ABI_X86="32 (64) (-x32)" 1,382 KiB


I wonder whether there are other packages where the ebuild sets the capability but the files themselves do not have any capability set. euse -I shows a couple of packages, for example iputils sets capabilities for bin/ping and bin/arping and getcap shows capabilities for these files.

Anyway, you helped me a lot, thanks :D
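As an added example (not from the thread, the pam ebuild or Portage), here is a small POSIX sh helper for the two checks discussed above: Hu's point that cap_dac_override=ep means the capability is in both the Effective and Permitted sets, and pablo_supertux's getcap check after setting it by hand. It parses getcap output in both the newer "/path cap_x=ep" and the older "/path = cap_x+ep" styles and lists any binary other than the one expected that carries cap_dac_override; the function names and the sample getcap lines are my own.

```shell
# Added example, not code from the thread or from the pam package.
# Parses getcap(8) output so an admin can verify file capabilities after
# an upgrade instead of reading them by eye. Assumes paths without spaces.

# cap_flags LINE CAPNAME -> prints the flag letters (e.g. "ep") that
# CAPNAME carries in LINE; returns 1 if the capability is absent.
cap_flags() {
    line=$1; name=$2
    # drop the path, then the optional " = " separator of older getcap
    caps=${line#* }
    caps=${caps#= }
    for clause in $caps; do
        # each clause is a comma-separated cap list, then "=flags" or "+flags"
        case $clause in
            *=*) list=${clause%%=*}; flags=${clause#*=} ;;
            *+*) list=${clause%%+*}; flags=${clause#*+} ;;
            *)   continue ;;
        esac
        case ",$list," in
            *",$name,"*) printf '%s\n' "$flags"; return 0 ;;
        esac
    done
    return 1
}

# has_dac_override_ep LINE -> 0 only if cap_dac_override is both
# Effective (e) and Permitted (p), i.e. what "cap_dac_override=ep" means.
has_dac_override_ep() {
    flags=$(cap_flags "$1" cap_dac_override) || return 1
    case $flags in *e*) ;; *) return 1 ;; esac
    case $flags in *p*) ;; *) return 1 ;; esac
    return 0
}

# audit_dac_override EXPECTED_PATH  (reads "getcap -r /" style lines on stdin)
# Prints every other path carrying cap_dac_override; returns 1 if any found.
audit_dac_override() {
    expected=$1; bad=0
    while IFS= read -r l; do
        [ -n "$l" ] || continue
        cap_flags "$l" cap_dac_override >/dev/null || continue
        p=${l%% *}
        [ "$p" = "$expected" ] && continue
        printf 'unexpected cap_dac_override holder: %s\n' "$p"; bad=1
    done
    return $bad
}
```

On a live system the audit would be fed with `getcap -r / 2>/dev/null | audit_dac_override /sbin/unix_chkpwd`.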