Bug 427037 - RFE: Backport "file capabilities" feature from 2.6.24
RFE: Backport "file capabilities" feature from 2.6.24
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: kernel (Show other bugs)
6.0
All Linux
high Severity high
: rc
: ---
Assigned To: Eric Sandeen
Red Hat Kernel QE team
: FutureFeature, Reopened, Triaged
Depends On:
Blocks: 391521
  Show dependency treegraph
 
Reported: 2007-12-30 09:59 EST by Martyn Hare
Modified: 2012-04-02 16:06 EDT (History)
12 users (show)

See Also:
Fixed In Version: kernel-2.6.32-1.el6
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-07-02 15:13:24 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Martyn Hare 2007-12-30 09:59:07 EST
POSIX File Capabilities allows processes that would normally run as root to run
with a subset of root's privileges.  This would further increase system security
as many binaries that would normally run as setuid could run with only the
capabilities they required.  In effect this would make for a very easy way of
confining what would normally be root or suid binaries/processes.  

Allowing services like httpd access to CAP_NET_BIND_SERVICE without the inital
root privileges and allowing IRCds access to CAP_SYS_CHROOT provides an easier
way to confine processes that would otherwise run as root.
Comment 2 Eric Sandeen 2008-02-05 10:42:01 EST
The initial commit for this feature, I think, was at
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=b53767719b6cd8789392ea3e7e2eb7b8906898f0

Subsequent mods went in as well.
Comment 8 Daniel Riek 2008-06-19 14:08:40 EDT
Red Hat Enterprise Linux product management has reviewed this request. Based on
the complexity and intrusiveness, the requested change has been deemed
inappropriate for a backport to Red Hat Enterprise Linux 5. It will be
considered in the next major version of Enterprise Linux.
Comment 10 Bill Nottingham 2008-09-25 16:46:48 EDT
The core feature will be in RHEL 6, as we're including a late enough kernel.
Either reopen with more information re: comment #6, or open specific bugs against the components that need modified for full support (rpm, for example.)
Comment 13 Boris Ranto 2010-06-22 07:59:53 EDT
File capabilities are present, can be manipulated with setcap and file capabalities are used.

* vim cap.c       
* getcap cap
* gcc cap.c -o cap
* ./cap
chown: Operation not permitted
[borix@dhcp-31-190 ~]$ exit
* su
Password: 
[root@dhcp-31-190]# setcap cap_chown=ep cap
[root@dhcp-31-190]# exit
* ./cap
chown: Success
* ls -l /root/
ls: cannot open directory /root/: Permission denied
[borix@dhcp-31-190 ~]$ ls -l /root/ -d
dr-xr-x---. 9 1000 1000 4096 Jun 22 13:49 /root/
* cat cap.c 
#include <stdio.h>
#include <unistd.h>

int main(void){
	chown("/root", 1000, 1000);
	perror("chown");
	return 0;
}
*
Comment 16 releng-rhel@redhat.com 2010-07-02 15:13:24 EDT
Red Hat Enterprise Linux Beta 2 is now available and should resolve
the problem described in this bug report. This report is therefore being closed
with a resolution of CURRENTRELEASE. You may reopen this bug report if the
solution does not work for you.

Note You need to log in before you can comment on or make changes to this bug.