tags:

views:

79

answers:

1
Q: 

Grant capabilities to a running process

An already running process needs a privileged instruction, like using the SO_RCVBUFFORCE socket option. This process is running as a normal user process.

How to give capability/permission to this process? File-based capability settings are still a dream?

I have tried the /usr/sbin/setpcaps utility from libcap package and the cap_set_proc() api, but the CAP_SETPCAP capability is blocked on the system (a legacy system based on Fedora 4 with 2.6.20 kernel), so it can not grant/remove capabilities for a different-then-self process.

Thought about setting temporary root uid to that process, but is there a way to change the effective UID of an external, already running process ? The setuid()/seteuid()/... functions can just modify the current process (who is calling the function).

A: 

You can't. The security model behind capabilities (rather, the "permitted set of capabilities") is that they can be dropped by a process, never added.

If you can't set things up in your architecture such that the capabilities are inherited properly from the parent(s) of the process, you might try doing the setsocktopt() call in a separate process using file descriptor passing. That is, set up a "sockopt daemon" running at the needed privilege level, connect to it with your new socket, pass the file descriptor with sendmsg(), and let it do the necessary calls. This is an ugly API, and the solution is needlessly complicated. But it might be preferable to rearchitecting the launch and initialization structure of your app.

Andy Ross  2009-09-14 17:22:09
If CAP_SETPCAP would be enabled, it IS possible to add new capabilities to a process vith cap_set_proc().
CsTamas  2009-09-15 06:05:52
I accept this answer as it pointed towards the possible solution: either have a daemon and pass the socket using file descriptor passing (See post of Kragen Sitaker at http://lists.canonical.org/pipermail/kragen-hacks/2002-January/000292.html), or have a utility (executable with setuid flag) started for each request with fork() + exec() which will inherit the socket descriptor
CsTamas  2009-10-15 09:11:49

related questions

grep a file, but show several surrounding lines?
VMWare Server Under Linux Secondary NIC connection
Should I move from C++ to Python? ... Or another language?
Globus Toolkit virtual machine
How to avoid redefining VERSION, PACKAGE, etc.
How do I setup Public-Key Authentication?
showing a message box from a bash script in linux
Best Linux Distro for Computer Repair
Mapping my custom keys in Debian
Any IcedTea war stories?
How do you find the age of a long-running Linux process?
Personal Linux web server
Programmatically talking to a Serial Port in OS X or Linux
what's in your .bashrc ?
Linux - files and scripts that execute on boot
Text Editor For Linux (Besides Vi)?
Lightweight IDE for Linux
Shell scripting input redirection oddities
XML Editing/Viewing Software
What should a longtime Windows user know when starting to use Linux?
Gtk SSH client for Linux?
Getting root permissions on a file inside of vi?
Is it possible to drag windows between workspaces when using Compiz?
GTK implementation of MessageBox
Is gettimeofday() guaranteed to be of microsecond resolution?