posted Dec 3, 2008 11:12 PM by Andrew Morgan
[
updated Aug 26, 2009 10:10 PM
]
- Fix some compilation problems (the hacky workarounds are gone now - thanks to many folk for pointing out that more recent kernels didn't like the hack that was there)
- Fixed test for setuid-0 shell scripts. Namely, they should not get capabilities when executed by someone other than root.
|
posted Dec 3, 2008 11:09 PM by Andrew Morgan
[
updated Dec 3, 2008 11:12 PM
]
- The use of sed to extract capabilities from the kernel linux/capability.h header was proving problematic (it was dropping capabilities on older systems because \t wasn't correctly handled) leading to runtime seg-faults. As such, I've replaced the sed code with some perl code which appears to be more robust.
|
posted Nov 10, 2008 5:54 PM by Andrew Morgan
[
updated Dec 3, 2008 11:09 PM
]
- Makefile tweaks
- add rule to build html (not on by default)
- add rule to suppress filesystem support from make command line:
- revise DYNAMIC=yes test
- fix INDENT test (thanks to Mike Frysinger)
- comment fix for libcap/cap_file.c
- add test (progs/quicktest.sh) for bogus capability support on shell scripts.
- added a note about this site.
- added test to see if running kernel erroneously supports capability enabled shell scripts
- revised recursive support for getcap (thanks to Lukas Kuklinek)
|
posted Oct 25, 2008 4:07 PM by Andrew Morgan
[
updated Oct 25, 2008 8:44 PM
]
- capsh now has a --decode=XXX option (use this to make sense of the capability sets you can see in /proc/<PID>/status)
$ grep Cap /proc/$$/status
CapInh: 0000000080000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: ffffffffffffffff
$ capsh --decode=0000000080000000
0x0000000080000000=cap_setfcap
$
- setcap binary now has a -v option (use this to verify that the capabilities on a file match what you would expect)
$ getcap setcap
setcap = cap_setfcap+i
$ setcap -v cap_setfcap=i setcap
setcap: OK
$
("= cap_setfcap+i" is equivalent to "cap_setfcap=i", read more about this with, man 3 cap_from_text .)
- Following a suggestion from the Slackware folk (Thanks Robby Workman for pointing out Pat's change). For non-development build trees (with no .git directory), link the progs/ files dynamically - they will work after they are installed. To override this behavior, you can be explicit on the make command line as follows:
- to build the programs statically (they can be used stand alone):
$ make distclean ; make DYNAMIC=no - to build the programs dynamically (they will only work correctly when installed):
$ make distclean ; make DYNAMIC=yes
- Documentation fix in cap_clear(3) for CAP_DIFFERS(), namely a non-zero value implies a difference exists.
|
|
