My goal is to set some capabilities on the process dynamically and then, using setuid and setgid, switch to non-root,
so that some of the capabilities remain with the process even after it turns into non-root.
But this is not reflected in cap_get_flag() or in CapEff in /proc/<pid>/status.
Below is the complete code:
Code:
    #include <stdio.h>
    #include <sys/capability.h>
    #include <sys/types.h>
    #include <syslog.h>
    #include <unistd.h>

    /* Build with: gcc -o capdemo capdemo.c -lcap ; run as root. */
    int main(void) {
        cap_t caps, capsg;
        cap_value_t cap_list[3] = { CAP_SETUID, CAP_SETGID, CAP_NET_ADMIN };
        cap_flag_value_t flag_value;

        /* Start from the current capability sets (everything, since we start as root). */
        caps = cap_get_proc();
        if (caps == NULL) {
            syslog(LOG_DEBUG, "cap_get_proc() failed");
            perror("cap_get_proc");
            return 1;
        }
        /* Raise the three capabilities in the effective, inheritable and permitted sets,
         * then write the sets back to the process. */
        if (cap_set_flag(caps, CAP_EFFECTIVE, 3, cap_list, CAP_SET) == -1 ||
            cap_set_flag(caps, CAP_INHERITABLE, 3, cap_list, CAP_SET) == -1 ||
            cap_set_flag(caps, CAP_PERMITTED, 3, cap_list, CAP_SET) == -1) {
            perror("cap_set_flag");
            return 1;
        }
        if (cap_set_proc(caps) == -1) {
            perror("cap_set_proc");
            return 1;
        }

        /* Switch to a non-root group, then a non-root user. */
        if (setgid(500) == 0) {
            printf("Success in setting Srvr to non root group: euid %d egid %d\n", geteuid(), getegid());
            if (setuid(2006) == 0) {
                printf("Success in setting Srvr to non root user: euid %d egid %d\n", geteuid(), getegid());
            } else {
                printf("Failure in setting Srvr to non root user, continuing with root user: euid %d egid %d\n", geteuid(), getegid());
            }
        } else {
            printf("Failure in setting Srvr to non root group, continuing with root user\n");
        }

        /* Re-read the capability sets after the UID change and test CAP_NET_ADMIN
         * (the message in the original post said CAP_NET_BIND_SERVICE, but the flag
         * queried was always CAP_NET_ADMIN). */
        capsg = cap_get_proc();
        if (capsg == NULL) {
            perror("cap_get_proc");
            return 1;
        }
        if (cap_get_flag(capsg, CAP_NET_ADMIN, CAP_EFFECTIVE, &flag_value) == -1) {
            perror("cap_get_flag");
            return 1;
        }
        if (flag_value == CAP_SET) {
            printf("CAP_NET_ADMIN capability is set.\n");
        } else {
            printf("CAP_NET_ADMIN capability is not set.\n");
        }

        /* Stay alive so CapEff can be inspected in /proc/<pid>/status. */
        sleep(10000);
        cap_free(caps);
        cap_free(capsg);
        return 0;
    }
Output:
Success in setting Srvr to non root group: euid 0 egid 500
Success in setting Srvr to non root user :euid 2006 egid 500
CAP_NET_BIND_SERVICE capability is not set.
According to capabilities(7), capability sets are reset on a 0 -> non-zero UID transition (amongst other happenings) unless you use prctl() to set certain flags on the process. I'd start by giving that man-page a good read.
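As an added example (not the original poster's code, nor the replier's), here is the sequence capabilities(7) describes for keeping a capability across the root to non-root switch: set PR_SET_KEEPCAPS so CapPrm survives the UID change, do the setgid()/setuid(), then raise the kept capability back into CapEff, which the kernel clears whenever the effective UID goes from 0 to non-zero. It talks to capget(2)/capset(2) through syscall() rather than libcap so that it builds without -lcap; cap_get_proc()/cap_set_proc() from the post do the same work. The uid 2006 and gid 500 are taken from the post; the function names, the helper that parses a CapEff hex mask, and the choice of CAP_NET_ADMIN as the capability to keep are this example's own.

```c
/* keepcaps_demo.c: keep CAP_NET_ADMIN across a root -> non-root switch.
 * Build: gcc -Wall -o keepcaps_demo keepcaps_demo.c     (no -lcap needed)
 * Run:   sudo ./keepcaps_demo ; grep ^Cap /proc/$(pgrep keepcaps_demo)/status */
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/capability.h>

/* 64-bit mask (bit n = capability number n) from a list of CAP_* values. */
uint64_t cap_mask_from_list(const int *caps, size_t n)
{
    uint64_t mask = 0;
    for (size_t i = 0; i < n; i++)
        if (caps[i] >= 0 && caps[i] < 64)
            mask |= (uint64_t)1 << caps[i];
    return mask;
}

/* Is capability `cap` present in a hex mask as printed on the CapEff:/CapPrm:
 * lines of /proc/<pid>/status?  Returns 1 if set, 0 otherwise. */
int cap_in_hexmask(const char *hexmask, int cap)
{
    uint64_t mask = strtoull(hexmask, NULL, 16);
    return cap >= 0 && cap < 64 && ((mask >> cap) & 1) != 0;
}

/* Thin wrappers over capget(2)/capset(2); glibc declares neither, so go
 * through syscall().  Capability version 3 uses two u32 words per set. */
int read_effective(uint64_t *eff)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];
    if (syscall(SYS_capget, &hdr, data) != 0)
        return -1;
    *eff = (uint64_t)data[0].effective | ((uint64_t)data[1].effective << 32);
    return 0;
}

static int write_caps(uint64_t perm, uint64_t eff, uint64_t inh)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];
    data[0].permitted   = (uint32_t)perm; data[1].permitted   = (uint32_t)(perm >> 32);
    data[0].effective   = (uint32_t)eff;  data[1].effective   = (uint32_t)(eff >> 32);
    data[0].inheritable = (uint32_t)inh;  data[1].inheritable = (uint32_t)(inh >> 32);
    return syscall(SYS_capset, &hdr, data) == 0 ? 0 : -1;
}

/* Drop from root to uid/gid keeping exactly `keep` in CapPrm and CapEff.
 * Must start with euid 0.  Returns 0, or -1 with errno set. */
int drop_root_keep_caps(uid_t uid, gid_t gid, uint64_t keep)
{
    /* 1. Shrink CapPrm/CapEff to what we keep plus CAP_SETUID/CAP_SETGID,
     *    which the switch itself still needs.  CapInh is left empty: it
     *    only matters across execve(). */
    uint64_t need = keep | (1ULL << CAP_SETUID) | (1ULL << CAP_SETGID);
    if (write_caps(need, need, 0) != 0)
        return -1;
    /* 2. Without KEEPCAPS the kernel clears CapPrm and CapEff once all three
     *    UIDs leave 0.  With it CapPrm survives; CapEff is still cleared
     *    because the euid changed from 0 to non-zero. */
    if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) != 0)
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* 3. Re-raise the kept caps into CapEff and drop CAP_SETUID/CAP_SETGID
     *    for good (CapPrm can only shrink from here on). */
    prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0);
    return write_caps(keep, keep, 0);
}

int main(void)
{
    const int wanted[] = { CAP_NET_ADMIN };
    uint64_t keep = cap_mask_from_list(wanted, 1), eff;
    if (geteuid() != 0) {
        fprintf(stderr, "run as root to see the uid transition\n");
        return 1;
    }
    /* uid 2006 / gid 500 as in the post above; adjust to local accounts. */
    if (drop_root_keep_caps(2006, 500, keep) != 0) {
        perror("drop_root_keep_caps");
        return 1;
    }
    if (read_effective(&eff) != 0) {
        perror("capget");
        return 1;
    }
    printf("euid %d egid %d CapEff %016llx: CAP_NET_ADMIN %s set\n",
           (int)geteuid(), (int)getegid(), (unsigned long long)eff,
           (eff >> CAP_NET_ADMIN) & 1 ? "is" : "is NOT");
    return 0;
}
```

Run as root, it ends with euid 2006, egid 500 and CapEff 0000000000001000 (only CAP_NET_ADMIN), which is what `grep ^Cap /proc/<pid>/status` will also show. Two caveats: PR_SET_KEEPCAPS is reset on execve(), so a child program you exec will not inherit CAP_NET_ADMIN this way (that needs file capabilities or ambient capabilities via PR_CAP_AMBIENT); and if the original root process lacks CAP_NET_ADMIN in its own CapPrm (common inside containers), step 1 fails with EPERM rather than silently continuing. Newer libcap also provides cap_setuid(3), which performs the same KEEPCAPS dance for you.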