LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices



Reply
 
Search this Thread
Old 10-30-2003, 03:54 AM   #1
Anniebaby
LQ Newbie
 
Registered: Oct 2003
Location: China
Posts: 6

Rep: Reputation: 0
Unhappy help me !


I now am doing some work on linux kernel.I want to reduce the
capabilitis of the executable file which has "S" bit. from beginning ,I do from "ping" .I drop of some of useless capability of
ping's when it is running in the kernel .but when I use the "my new" ping now,I always get system information "ping: icmp open socketperation not permitted!"I think I have give it enough capabilities: they are CAP_MKNOD and CAP_NET_RAW. I also get ping 's source code ,it says:it has to run suid to become root" I can't understand it's meaning!I have given ping "euid=0".I read some kernel source code of the part of net and vfs ,but can't find where to produce the error msg"ping: icmp open socketperation not permitted"I think if I can find where it is I will know what to do next!
So if kernel has do something else check?
pls tell me and help me !
thanks!
 
Old 10-30-2003, 07:40 AM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,415

Rep: Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968
please use useful thread titles in future "help me!!" is less than useless, thanks
 
Old 10-30-2003, 01:01 PM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,718
Blog Entries: 54

Rep: Reputation: 2967Reputation: 2967Reputation: 2967Reputation: 2967Reputation: 2967Reputation: 2967Reputation: 2967Reputation: 2967Reputation: 2967Reputation: 2967Reputation: 2967
I always get system information "ping: icmp open socket operation not permitted!"
...when running ping, and without setuid bit, and as unprivileged user, right? Your process probably hasn't got the right to set capabilities to allow socket operations. AFAIK you inherit those from your shell, spose thats why they call 'em "unprivileged" users (pgrep bash | xargs getpcaps)...
How did you determine what capabilities ping doesn't need in the first place?
How can you grant privileges when your user hasn't got CAP_SETPCAP in the first place?
And how does removing setuid bit make operating ping more safe when you still need those root privileges?

Maybe you should read the libpcap package docs? BTW, isn't using Grsecurity (or other) per-process ACL's an easier way to loose the caps?
 
Old 10-30-2003, 09:51 PM   #4
Anniebaby
LQ Newbie
 
Registered: Oct 2003
Location: China
Posts: 6

Original Poster
Rep: Reputation: 0
Red face I can do it with less capability!

Thank you for your help!And sorry for my last expression "help me" hehe--So you know my English is poor.
after I posted the thead I tried still.I found ping's source code uses the setuid( ) function--I can come to the conclusion:it must need the CAP_SETUID---so I add this capability to it.and "ping" now woks well .
So the capabilities the ping uses is at the most three:CAP_SETUID,CAP_MKNOD,and CAP_NET_RAW
All the work I do now is to prove the principle of the least privilege of system.I think even if the buffer overflow happens,the attacker only gets few privilege---because the process space is not changed.--is it right? I focus my mind on SUID to complete my thesis.
the work I do above is on the compute_cred() and some other functions of linux source.Perhaps something else more complex I have not noticed !So I have to try my best!
Do you think it worthy?
I once thought about ACL ----yes if I have enough time I will do it !I just have a try on the command "ping"
thank you !
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Why no MP3 capability? rusty_slacker Fedora 3 10-31-2005 03:45 PM
Capability g26108 Linux - General 1 09-30-2005 05:47 PM
Terminal Services Capability lxuzer Linux - Networking 7 07-26-2005 07:27 AM
syslogd capability in cygwin? Jay_hizownsef Linux - General 0 06-11-2003 12:28 PM
Linux Capability nitr0gen Programming 0 02-15-2002 08:31 AM


All times are GMT -5. The time now is 10:13 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration