Linux Kernel Mailing List Archive

From: Walter Liu (Walter.liu@126.com)
Date: Wed Dec 29 2004 - 22:52:27 EST


Tetsuo Handa wrote:

> Hello.
>
>I found a strange behavior with kernel 2.6.9 and later. (I haven't tested 2.6.8 and earlier.)
>It seems to me that every program calls capable(CAP_SYS_ADMIN),
>even for programs such as cat(1), sed(1), ls(1).
>My environment is Fedora Core 3.
>
>The following is the patch for checking.
>
>----- Start of Patch -----
>*** sched.h.org Sat Dec 25 06:33:59 2004
>--- sched.h Wed Dec 29 13:00:53 2004
>***************
>*** 870,875 ****
>--- 870,882 ----
> #else
> static inline int capable(int cap)
> {
>+ if (cap == CAP_SYS_ADMIN) {
>+ static pid_t last_pid = 0;
>+ if (current->pid != last_pid) {
>+ printk("euid=%d uid=%d %s %s\n", current->euid, current->uid, cap_raised(current->cap_effective, CAP_SYS_ADMIN) ? "true" : "fa
>lse", current->comm);
>+ last_pid = current->pid;
>+ }
>+ }
> if (cap_raised(current->cap_effective, cap)) {
> current->flags |= PF_SUPERPRIV;
> return 1;
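
Review bot: The `static pid_t last_pid` declared inside `static inline int capable()` lives in a header, so every file that includes sched.h gets its own copy, and it is read and written without any locking; the "print once per pid" filter therefore repeats per compilation unit and can race on SMP. The `printk` carries no log level and sits before the `cap_raised()` test, so it records every query for CAP_SYS_ADMIN rather than every grant, and it does not show who asked. A `KERN_DEBUG` prefix and a `dump_stack()` next to the `printk` would identify the kernel path making the call. The hunk also only touches the `#else` variant of `capable()`, so nothing is logged when the other branch is compiled in.
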
>----- End of Patch -----
>
>Programs run as root always show "true", and run as non-root always show "false",
>but it will be OK.
>I can't understand why every program checks for CAP_SYS_ADMIN.
>With 2.4.28 and RedHat 9, no such behavior happens.
>
>Is this normal behavior for 2.6?
>

The POSIX capability mechanism is the OS privilege mechanism,
like the privilege mechanism in VMS or NT.
I think that every process, for any capability, has to check them.
This is a must operation.

Regards
LWT
