427037 – RFE: Backport "file capabilities" feature from 2.6.24

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 427037 - RFE: Backport "file capabilities" feature from 2.6.24

Summary: RFE: Backport "file capabilities" feature from 2.6.24

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	kernel
Sub Component:
Version:	6.0
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	Eric Sandeen
QA Contact:	Red Hat Kernel QE team
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	391521
TreeView+	depends on / blocked

Reported:	2007-12-30 14:59 UTC by Martyn Hare
Modified:	2018-11-27 20:15 UTC (History)
CC List:	12 users (show)
Fixed In Version:	kernel-2.6.32-1.el6
Doc Type:	Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed:	2010-07-02 19:13:24 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description Martyn Hare 2007-12-30 14:59:07 UTC

POSIX File Capabilities allows processes that would normally run as root to run
with a subset of root's privileges.  This would further increase system security
as many binaries that would normally run as setuid could run with only the
capabilities they required.  In effect this would make for a very easy way of
confining what would normally be root or suid binaries/processes.  

Allowing services like httpd access to CAP_NET_BIND_SERVICE without the inital
root privileges and allowing IRCds access to CAP_SYS_CHROOT provides an easier
way to confine processes that would otherwise run as root.

Comment 2 Eric Sandeen 2008-02-05 15:42:01 UTC

The initial commit for this feature, I think, was at
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=b53767719b6cd8789392ea3e7e2eb7b8906898f0

Subsequent mods went in as well.

Comment 8 Daniel Riek 2008-06-19 18:08:40 UTC

Red Hat Enterprise Linux product management has reviewed this request. Based on
the complexity and intrusiveness, the requested change has been deemed
inappropriate for a backport to Red Hat Enterprise Linux 5. It will be
considered in the next major version of Enterprise Linux.

Comment 10 Bill Nottingham 2008-09-25 20:46:48 UTC

The core feature will be in RHEL 6, as we're including a late enough kernel.
Either reopen with more information re: comment #6, or open specific bugs against the components that need modified for full support (rpm, for example.)

Comment 13 Boris Ranto 2010-06-22 11:59:53 UTC

File capabilities are present, can be manipulated with setcap and file capabalities are used.

* vim cap.c       
* getcap cap
* gcc cap.c -o cap
* ./cap
chown: Operation not permitted
[borix@dhcp-31-190 ~]$ exit
* su
Password: 
[root@dhcp-31-190]# setcap cap_chown=ep cap
[root@dhcp-31-190]# exit
* ./cap
chown: Success
* ls -l /root/
ls: cannot open directory /root/: Permission denied
[borix@dhcp-31-190 ~]$ ls -l /root/ -d
dr-xr-x---. 9 1000 1000 4096 Jun 22 13:49 /root/
* cat cap.c 
#include <stdio.h>
#include <unistd.h>

int main(void){
	chown("/root", 1000, 1000);
	perror("chown");
	return 0;
}
*

Comment 16 releng-rhel@redhat.com 2010-07-02 19:13:24 UTC

Red Hat Enterprise Linux Beta 2 is now available and should resolve
the problem described in this bug report. This report is therefore being closed
with a resolution of CURRENTRELEASE. You may reopen this bug report if the
solution does not work for you.

Note You need to log in before you can comment on or make changes to this bug.