
Capabilities support with 2.6 broken?
I just tried to install quagga on a system running a 2.6.0-test2-mm2
kernel. When I try to start the zebra daemon, it fails with
"privs_init: initial cap_set_proc failed: Operation not permitted"
(I changed the fprintf to perror to get the errno result). Has anyone
else seen this problem?
Re: Capabilities support with 2.6 broken? [ In reply to ]
On Thu, 21 Aug 2003, David T Hollis wrote:

> I just tried to install quagga on my system that is running
> 2.6.0-test2-mm2 kernel. When I try to start the zebra daemon, it
> fails with "privs_init: initial cap_set_proc failed: Operation not
> permitted" (i changed the fprintf to perror to get the errno
> result). Has anyone else seen this problem?

are you running zebra as root?

With what arguments? Does it work if you specify '-u root'? (Treat that
purely as a diagnostic — don't leave the daemon running as root.) If it
does, make sure you have created the 'quagga' user and group. The Quagga
daemons all need to start as root, after which they change user/group
to quagga (or whatever is compiled in, or whatever you pass as the -u
argument).

regards,
--
Paul Jakma paul@clubi.ie paul@jakma.org Key ID: 64A2FF6A
warning: do not ever send email to spam@dishone.st
Fortune:
Interchangeable parts won't.
Re: Capabilities support with 2.6 broken? [ In reply to ]
Paul Jakma wrote:

>On Thu, 21 Aug 2003, David T Hollis wrote:
>
>
>
>>I just tried to install quagga on my system that is running
>>2.6.0-test2-mm2 kernel. When I try to start the zebra daemon, it
>>fails with "privs_init: initial cap_set_proc failed: Operation not
>>permitted" (i changed the fprintf to perror to get the errno
>>result). Has anyone else seen this problem?
>>
>>
>
>are you running zebra as root?
>
>with what args? does it work if you specify '-u root'? if so, make
>sure you have created the 'quagga' user and groups. The Quagga
>daemons all need to start initially as root, after which the daemons
>will change user/group to quagga (or whatever you compile in, or
>whatever you specify as the -u arg).
>
>regards,
>
>
[root@dhollis-lnx zebra]# ./zebra -d
uid=100, euid=100
privs_init: initial cap_set_proc failed: Operation not permitted
[root@dhollis-lnx zebra]# ./zebra -u root -d
uid=0, euid=0
privs_init: initial cap_set_proc failed: Operation not permitted
[root@dhollis-lnx zebra]# id quagga
uid=100(quagga) gid=102(quagga) groups=102(quagga)


I am able to run successfully if I #undef HAVE_LCAPS in config.h, but
that removes all of the capability handling and certainly isn't what I
want long term.
Re: Capabilities support with 2.6 broken? [ In reply to ]
Paul Jakma wrote:

>On Thu, 21 Aug 2003, David T Hollis wrote:
>
>
>
>>[root@dhollis-lnx zebra]# ./zebra -d
>>uid=100, euid=100
>>privs_init: initial cap_set_proc failed: Operation not permitted
>>[root@dhollis-lnx zebra]# ./zebra -u root -d
>>uid=0, euid=0
>>privs_init: initial cap_set_proc failed: Operation not permitted
>>[root@dhollis-lnx zebra]# id quagga
>>uid=100(quagga) gid=102(quagga) groups=102(quagga)
>>
>>
>
>hmm... something must have changed in 2.6 (you're the first person
>i've heard of who's tried zebra on 2.6). can you get me a strace?
>
>
>
>>I am able to run successfully if I #undef HAVE_LCAPS in config.h,
>>but that removes all of the capability stuff and certainly isn't
>>what I want for long term.
>>
>>
>
>yes indeed :)
>
>regards,
>
>
[root@dhollis-lnx zebra]# strace ./zebra -d
execve("./zebra", ["./zebra", "-d"], [/* 33 vars */]) = 0
uname({sys="Linux", node="dhollis-lnx.kpmg.com", ...}) = 0
brk(0) = 0x8075000
open("/etc/ld.so.preload", O_RDONLY) = -1 ENOENT (No such file or
directory)
open("/etc/ld.so.cache", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=53357, ...}) = 0
old_mmap(NULL, 53357, PROT_READ, MAP_PRIVATE, 3, 0) = 0x40000000
close(3) = 0
open("/lib/libcap.so.1", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\4M\tI4"...,
512) = 512
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS,
-1, 0) = 0x4000e000
fstat64(3, {st_mode=S_IFREG|0755, st_size=12276, ...}) = 0
old_mmap(0x49094000, 14548, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) =
0x49094000
old_mmap(0x49097000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED,
3, 0x2000) = 0x49097000
close(3) = 0
open("/lib/tls/libm.so.6", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\0U\4I4"...,
512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=212992, ...}) = 0
old_mmap(0x49042000, 137744, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) =
0x49042000
old_mmap(0x49063000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED,
3, 0x20000) = 0x49063000
close(3) = 0
open("/lib/libcrypt.so.1", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\240ywI"...,
512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=24848, ...}) = 0
old_mmap(0x49777000, 181212, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) =
0x49777000
old_mmap(0x4977c000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED,
3, 0x4000) = 0x4977c000
old_mmap(0x4977d000, 156636, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x4977d000
close(3) = 0
open("/lib/tls/libc.so.6", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0@\270\361"...,
512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=1542120, ...}) = 0
old_mmap(0x48f06000, 1263080, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) =
0x48f06000
old_mmap(0x49035000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED,
3, 0x12f000) = 0x49035000
old_mmap(0x49038000, 9704, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x49038000
close(3) = 0
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS,
-1, 0) = 0x4000f000
set_thread_area({entry_number:-1 -> 6, base_addr:0x4000f078,
limit:1048575, seg_32bit:1, contents:0, read_exec_only:0,
limit_in_pages:1, seg_not_present:0, useable:1}) = 0
munmap(0x40000000, 53357) = 0
umask(027) = 022
brk(0) = 0x8075000
brk(0x8096000) = 0x8096000
brk(0) = 0x8096000
socket(PF_UNIX, SOCK_DGRAM, 0) = 3
fcntl64(3, F_SETFD, FD_CLOEXEC) = 0
connect(3, {sa_family=AF_UNIX, path="/dev/log"}, 16) = 0
socket(PF_UNIX, SOCK_STREAM, 0) = 4
connect(4, {sa_family=AF_UNIX, path="/var/run/.nscd_socket"}, 110) = -1
ENOENT (No such file or directory)
close(4) = 0
open("/etc/nsswitch.conf", O_RDONLY) = 4
fstat64(4, {st_mode=S_IFREG|0644, st_size=1686, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1,
0) = 0x40000000
read(4, "#\n# /etc/nsswitch.conf\n#\n# An ex"..., 4096) = 1686
read(4, "", 4096) = 0
close(4) = 0
munmap(0x40000000, 4096) = 0
open("/etc/ld.so.cache", O_RDONLY) = 4
fstat64(4, {st_mode=S_IFREG|0644, st_size=53357, ...}) = 0
old_mmap(NULL, 53357, PROT_READ, MAP_PRIVATE, 4, 0) = 0x40000000
close(4) = 0
open("/lib/libnss_files.so.2", O_RDONLY) = 4
read(4, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0000\35\0"...,
512) = 512
fstat64(4, {st_mode=S_IFREG|0755, st_size=51152, ...}) = 0
old_mmap(NULL, 41904, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) = 0x40010000
old_mmap(0x4001a000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED,
4, 0xa000) = 0x4001a000
close(4) = 0
munmap(0x40000000, 53357) = 0
open("/etc/passwd", O_RDONLY) = 4
fcntl64(4, F_GETFD) = 0
fcntl64(4, F_SETFD, FD_CLOEXEC) = 0
fstat64(4, {st_mode=S_IFREG|0644, st_size=1672, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1,
0) = 0x40000000
read(4, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 1672
close(4) = 0
munmap(0x40000000, 4096) = 0
socket(PF_UNIX, SOCK_STREAM, 0) = 4
connect(4, {sa_family=AF_UNIX, path="/var/run/.nscd_socket"}, 110) = -1
ENOENT (No such file or directory)
close(4) = 0
open("/etc/group", O_RDONLY) = 4
fcntl64(4, F_GETFD) = 0
fcntl64(4, F_SETFD, FD_CLOEXEC) = 0
fstat64(4, {st_mode=S_IFREG|0644, st_size=631, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1,
0) = 0x40000000
read(4, "root:x:0:root\nbin:x:1:root,bin,d"..., 4096) = 631
close(4) = 0
munmap(0x40000000, 4096) = 0
setgroups32(0x1, 0x8074560) = 0
open("/etc/group", O_RDONLY) = 4
fcntl64(4, F_GETFD) = 0
fcntl64(4, F_SETFD, FD_CLOEXEC) = 0
fstat64(4, {st_mode=S_IFREG|0644, st_size=631, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1,
0) = 0x40000000
read(4, "root:x:0:root\nbin:x:1:root,bin,d"..., 4096) = 631
close(4) = 0
munmap(0x40000000, 4096) = 0
setregid32(0x66, 0x66) = 0
prctl(0x8, 0x1, 0, 0, 0) = 0
setreuid32(0x64, 0x64) = 0
capset(0x19980330, 0, {CAP_NET_ADMIN|CAP_NET_RAW|CAP_SYS_ADMIN,
CAP_NET_ADMIN|CAP_NET_RAW|CAP_SYS_ADMIN, }) = -1 EPERM (Operation not
permitted)
write(2, "privs_init: initial cap_set_proc"..., 40privs_init: initial
cap_set_proc failed
) = 40
exit_group(1)
Re: Capabilities support with 2.6 broken? [ In reply to ]
On Fri, 22 Aug 2003, David T Hollis wrote:

> setregid32(0x66, 0x66) = 0
> prctl(0x8, 0x1, 0, 0, 0) = 0
> setreuid32(0x64, 0x64) = 0
> capset(0x19980330, 0, {CAP_NET_ADMIN|CAP_NET_RAW|CAP_SYS_ADMIN,
> CAP_NET_ADMIN|CAP_NET_RAW|CAP_SYS_ADMIN, }) = -1 EPERM (Operation not
> permitted)
> write(2, "privs_init: initial cap_set_proc"..., 40privs_init: initial
> cap_set_proc failed
> ) = 40
> exit_group(1)

Bah.. something must have changed in 2.6 with respect to capabilities.
Your trace shows the sequence zebra uses: setregid32 to the quagga gid,
prctl(0x8, 1) (PR_SET_KEEPCAPS, so the permitted set survives the uid
change), setreuid32 to the quagga uid, then a capset() asking for
effective = permitted = {CAP_NET_ADMIN, CAP_NET_RAW, CAP_SYS_ADMIN} with
an empty inheritable set — and it is that capset() that returns EPERM.
Since the same cap_set_proc() also failed with '-u root' (uid 0), the
kernel appears to be refusing capset() outright rather than objecting to
the requested set. One thing worth checking on a 2.6 kernel: if it is
built with CONFIG_SECURITY and the capability LSM (capability.ko) is a
module that is not loaded, the fallback "dummy" security hooks fail every
capset() with EPERM regardless of who calls it, which would match what you
see. I'm not certain that is the cause here, so `lsmod` and an strace of
the '-u root' run would help confirm.

For the time being, just build it with HAVE_LCAPS removed - it will
instead use root<->quagga-user euid switching, which still affords
some protection¹.

1. Obviously an attacker who gets code execution inside the daemon can
still get through: with euid switching the real/saved uid stays 0, so
the process can seteuid(0) back at any time and injected code can do
exactly the same. It mainly guards against the daemon accidentally doing
something as root; I believe it makes it slightly harder for an attacker
to raise privileges back to root and /still/ run their own exploit code
afterwards, but it is not a real privilege boundary. (Note the capability
path isn't a hard boundary either — CAP_SYS_ADMIN, which the trace shows
zebra requesting, is broad enough to be close to root on its own.)

regards,
--
Paul Jakma paul@clubi.ie paul@jakma.org Key ID: 64A2FF6A
warning: do not ever send email to spam@dishone.st
Fortune:
Don't get suckered in by the comments -- they can be terribly misleading.
Debug only code.
-- Dave Storer