Bug 501666 - execcap / libcap works incorrectly WITHOUT ltrace. [NEEDINFO]
Status: CLOSED WONTFIX
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: libcap
Version: 5.3
Hardware: All, OS: Linux
Priority: low, Severity: high
Target Milestone: rc
Assigned To: Karsten Hopp
QA Contact: BaseOS QE
Reported: 2009-05-20 05:00 EDT by Kirby Zhou
Modified: 2014-06-02 09:03 EDT
Doc Type: Bug Fix
Last Closed: 2014-06-02 09:03:43 EDT
pm-rhel: needinfo? (kirbyzhou)


Description Kirby Zhou 2009-05-20 05:00:41 EDT
Description of problem:

  Cannot make execcap work correctly WITHOUT ltrace. It does not modify any caps, but when I use ltrace to trace it, everything goes well except bash.


Version-Release number of selected component (if applicable):

 libcap-1.10-26.x86_64
 kernel-2.6.18-128.el5
 glibc-2.5-34
 ltrace-0.5-7.45svn.el5

How reproducible:

 100%

Steps to Reproduce:

[@89.112 home]# ll
total 4
drwx------ 3 kirbyzhou kirbyzhou 4096 May 20 16:47 kirbyzhou

[@89.112 home]# execcap 'cap_chown-eip' chown 0.0 kirbyzhou/test 
### it is successful!!!! ###
[@89.112 home]# execcap 'cap_chown=' chown 0.0 kirbyzhou/test 
### it is successful!!!! ###

[@89.112 home]# ltrace execcap 'cap_chown-eip' chown 0.0 kirbyzhou/test 
__libc_start_main(0x400881, 5, 0x7fffcab71578, 0x400980, 0x400970 <unfinished ...>
getuid()                                                                         = 0
cap_from_text(0x7fffcab72c04, 0x7fffcab71578, 0x7fffcab715a8, -1, 0x3ce41512d0)  = 0x1e146014
cap_set_proc(0x1e146014, 0, 0x3ce3f0aae0, 0, 4)                                  = 0
execvp(0x7fffcab72c12, 0x7fffcab71588, 0x3ce3f0aae0, -1, 4 <unfinished ...>
unexpected breakpoint at 0x3ce3a00a6f
chown: cannot access `kirbyzhou/test': Permission denied
+++ exited (status 1) +++

[@89.112 home]# ltrace execcap 'cap_chown=' chown 0.0 kirbyzhou/test               
__libc_start_main(0x400881, 5, 0x7fffb7287c88, 0x400980, 0x400970 <unfinished ...>
getuid()                                                                         = 0
cap_from_text(0x7fffb7288c07, 0x7fffb7287c88, 0x7fffb7287cb8, -1, 0x3ce41512d0)  = 0x244b014
cap_set_proc(0x244b014, 0, 0x3ce3f0aae0, 0, 4)                                   = 0
execvp(0x7fffb7288c12, 0x7fffb7287c98, 0x3ce3f0aae0, -1, 4 <unfinished ...>
unexpected breakpoint at 0x3ce3a00a6f
chown: cannot access `kirbyzhou/test': Permission denied
+++ exited (status 1) +++

Actual results:

  See above 
 
Expected results:

  Without ltrace, execcap can limit a process's capabilities. The following statement would fail.
  execcap 'cap_chown=' chown 0.0 kirbyzhou/test 

Additional info:
  
  Even with ltrace, execcap can limit bash:

[@89.112 home]# ltrace execcap 'CAP_CHOWN=' bash                         
__libc_start_main(0x400881, 3, 0x7fff0b27aca8, 0x400980, 0x400970 <unfinished ...>
getuid()                                                                         = 0
cap_from_text(0x7fff0b27bc1b, 0x7fff0b27aca8, 0x7fff0b27acc8, -1, 0x3ce41512d0)  = 0x147f7014
cap_set_proc(0x147f7014, 0, 0x3ce3f0aae0, 0, 4)                                  = 0
execvp(0x7fff0b27bc26, 0x7fff0b27acb8, 0x3ce3f0aae0, -1, 4 <unfinished ...>
unexpected breakpoint at 0x3ce3a00a6f
--- SIGCHLD (Child exited) ---
--- SIGCHLD (Child exited) ---
--- SIGCHLD (Child exited) ---
--- SIGCHLD (Child exited) ---
--- SIGCHLD (Child exited) ---
--- SIGCHLD (Child exited) ---
--- SIGCHLD (Child exited) ---
--- SIGCHLD (Child exited) ---
--- SIGCHLD (Child exited) ---
[@89.112 home]# getpcaps $$
--- SIGCHLD (Child exited) ---
Capabilities for `22102': =
--- SIGCHLD (Child exited) ---
--- SIGCHLD (Child exited) ---
[@89.112 home]# chown 0.0 kirbyzhou/test
--- SIGCHLD (Child exited) ---
--- SIGCHLD (Child exited) ---
--- SIGCHLD (Child exited) ---
[@89.112 home]#
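
A way to check, independently of ltrace and getpcaps, whether the capability sets requested through execcap are still in force after the execvp shown in the traces above. This is an added example, not part of the original report or of libcap; the function names and the sample status text are constructed for illustration.

```shell
#!/bin/sh
# Decode the Cap* lines of /proc/<pid>/status and report whether a given
# capability bit survived. CAP_CHOWN is capability number 0 in
# linux/capability.h.
CAP_CHOWN=0

# cap_mask FIELD: read status text on stdin, print FIELD's hex mask.
cap_mask() {
    awk -v f="$1:" '$1 == f { print $2; exit }'
}

# mask_has_cap HEXMASK BIT: succeed if capability number BIT is set.
mask_has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# check_dropped BIT: read status text on stdin; succeed only if BIT is
# absent from both the permitted and the effective set.
check_dropped() {
    status=$(cat)
    for field in CapPrm CapEff; do
        mask=$(printf '%s\n' "$status" | cap_mask "$field")
        [ -n "$mask" ] || { echo "missing $field" >&2; return 2; }
        if mask_has_cap "$mask" "$1"; then
            echo "$field=$mask still contains capability $1"
            return 1
        fi
    done
    echo "capability $1 absent from CapPrm and CapEff"
}

# Constructed samples (not taken from the reporter's machine): a process that
# still holds CAP_CHOWN, and one whose sets are empty.
SAMPLE_FULL='Name: cat
CapInh: 0000000000000000
CapPrm: 00000000fffffeff
CapEff: 00000000fffffeff'
SAMPLE_EMPTY='Name: cat
CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000'

# Offline demonstration on the constructed sample; on a live system use:
#   execcap 'cap_chown=' cat /proc/self/status | check_dropped "$CAP_CHOWN"
printf '%s\n' "$SAMPLE_FULL" | check_dropped "$CAP_CHOWN" || true
```

Because `cat` reads its own `/proc/self/status` after the exec, the live form reports the sets the target program actually runs with, not the ones execcap held before calling execvp.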
Comment 1 RHEL Product and Program Management 2014-03-07 08:35:23 EST
This bug/component is not included in scope for RHEL-5.11.0 which is the last RHEL5 minor release. This Bugzilla will soon be CLOSED as WONTFIX (at the end of RHEL5.11 development phase (Apr 22, 2014)). Please contact your account manager or support representative in case you need to escalate this bug.
Comment 2 RHEL Product and Program Management 2014-06-02 09:03:43 EDT
Thank you for submitting this request for inclusion in Red Hat Enterprise Linux 5. We've carefully evaluated the request, but are unable to include it in RHEL5 stream. If the issue is critical for your business, please provide additional business justification through the appropriate support channels (https://access.redhat.com/site/support).
