From: <kl...@ta...> - 2007-02-13 12:48:53
|
Christian S wrote: > On 2/13/07, Claes Wikström <kl...@ta...> wrote: >> Tobias Oberstein wrote: >> > Maybe this saves some one a little research time .. >> > >> > Assuming you want to run Yaws/SSL under a non-root user "erlang" >> > on ports 80/443. >> >> Excellent - I added it to the wiki. It seems to me that this feature is >> sorely missing in Linux. It really ought to be possible to do this >> with e.g. capabilities without touching the source code. > > I tried to make a setuid program in linux to allow capabilities to > remain over nonzero setuid() and exec(). I called exec on "cat > /proc/self/status" and it had retained the CAP_NET_BIND_SERVICE > (binding ports under 1024) capability under its non-zero user id. > > However, when starting erl the /proc/PID/status file showed only > all zero-capabilities. > > Not sure what happened. Anyone know details of linux caps and what > can stop their propagation to new executables and processes? erl is a > script that starts beam, and the shell running the script might be > removing all caps from propagating, as a paranoid security measure? Sounds reasonable ... last time I had a look at the linux capabilities they didn't work at all .... at least nor for me so I ended up patching the kernel, simply removing the check. If capabilities work now _and_ they are not propagated through shellscripts, it is the beam executable that should be modified. /klacke -- Claes Wikstrom -- Caps lock is nowhere and http://www.tail-f.com -- everything is under control cellphone: +46 70 2097763 |