Bug 427037

Summary: RFE: Backport "file capabilities" feature from 2.6.24
Product: Red Hat Enterprise Linux 6 Reporter: Martyn Hare <martyn.hare>
Component: kernelAssignee: Eric Sandeen <esandeen>
Status: CLOSED CURRENTRELEASE QA Contact: Red Hat Kernel QE team <kernel-qe>
Severity: high Docs Contact:
Priority: high    
Version: 6.0CC: branto, emcnabb, eparis, esandeen, jbacik, jplans, k.georgiou, notting, sgrubb, snagar, sputhenp, tao
Target Milestone: rcKeywords: FutureFeature, Reopened, Triaged
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: kernel-2.6.32-1.el6 Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-07-02 19:13:24 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 391521    

Description Martyn Hare 2007-12-30 14:59:07 UTC 
POSIX File Capabilities allows processes that would normally run as root to run
with a subset of root's privileges.  This would further increase system security
as many binaries that would normally run as setuid could run with only the
capabilities they required.  In effect this would make for a very easy way of
confining what would normally be root or suid binaries/processes.  

Allowing services like httpd access to CAP_NET_BIND_SERVICE without the inital
root privileges and allowing IRCds access to CAP_SYS_CHROOT provides an easier
way to confine processes that would otherwise run as root.
Comment 2 Eric Sandeen 2008-02-05 15:42:01 UTC 
The initial commit for this feature, I think, was at
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=b53767719b6cd8789392ea3e7e2eb7b8906898f0

Subsequent mods went in as well.
Comment 8 Daniel Riek 2008-06-19 18:08:40 UTC 
Red Hat Enterprise Linux product management has reviewed this request. Based on
the complexity and intrusiveness, the requested change has been deemed
inappropriate for a backport to Red Hat Enterprise Linux 5. It will be
considered in the next major version of Enterprise Linux.
Comment 10 Bill Nottingham 2008-09-25 20:46:48 UTC 
The core feature will be in RHEL 6, as we're including a late enough kernel.
Either reopen with more information re: comment #6, or open specific bugs against the components that need modified for full support (rpm, for example.)
Comment 13 Boris Ranto 2010-06-22 11:59:53 UTC 
File capabilities are present, can be manipulated with setcap and file capabalities are used.

* vim cap.c       
* getcap cap
* gcc cap.c -o cap
* ./cap
chown: Operation not permitted
[borix@dhcp-31-190 ~]$ exit
* su
Password: 
[root@dhcp-31-190]# setcap cap_chown=ep cap
[root@dhcp-31-190]# exit
* ./cap
chown: Success
* ls -l /root/
ls: cannot open directory /root/: Permission denied
[borix@dhcp-31-190 ~]$ ls -l /root/ -d
dr-xr-x---. 9 1000 1000 4096 Jun 22 13:49 /root/
* cat cap.c 
#include <stdio.h>
#include <unistd.h>

int main(void){
	chown("/root", 1000, 1000);
	perror("chown");
	return 0;
}
*
Comment 16 releng-rhel@redhat.com 2010-07-02 19:13:24 UTC 
Red Hat Enterprise Linux Beta 2 is now available and should resolve
the problem described in this bug report. This report is therefore being closed
with a resolution of CURRENTRELEASE. You may reopen this bug report if the
solution does not work for you.