Bug#882234: systemd: CapabilityBoundingSet drops incorrect capabilities

Salvo Tomaselli-3
Package: systemd
Version: 234-3~bpo9+1
Severity: normal

Dear Maintainer,

this issue might have security implications, since that's what capabilities
are used for.


See this service file:

[Unit]
Description=lala

[Service]
ExecStart=/bin/readlink /proc/1/exe
Type=oneshot
CapabilityBoundingSet=~CAP_SYS_ADMIN
CapabilityBoundingSet=~CAP_SYS_PTRACE

[Install]
WantedBy=multi-user.target


This runs on my machine.

However, if I change the two Capability lines into

CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE

then readlink is denied access to the file, despite the fact that
neither capability is supposed to do that at all!

Best

-- Package-specific info:

-- System Information:
Debian Release: 9.1
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to it_IT.UTF-8), LANGUAGE=it (charmap=UTF-8) (ignored: LC_ALL set to it_IT.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages systemd depends on:
ii  adduser         3.115
ii  libacl1         2.2.52-3+b1
ii  libapparmor1    2.11.0-3
ii  libaudit1       1:2.6.7-2
ii  libblkid1       2.29.2-1
ii  libc6           2.24-11+deb9u1
ii  libcap2         1:2.25-1
ii  libcryptsetup4  2:1.7.3-4
ii  libgcrypt20     1.7.6-2+deb9u2
ii  libgpg-error0   1.26-2
ii  libidn11        1.33-1
ii  libip4tc0       1.6.0+snapshot20161117-6
ii  libkmod2        23-2
ii  liblz4-1        0.0~r131-2+b1
ii  liblzma5        5.2.2-1.2+b1
ii  libmount1       2.29.2-1
ii  libpam0g        1.1.8-3.6
ii  libseccomp2     2.3.1-2.1
ii  libselinux1     2.6-3+b3
ii  libsystemd0     234-3~bpo9+1
ii  mount           2.29.2-1
ii  procps          2:3.3.12-3
ii  util-linux      2.29.2-1

Versions of packages systemd recommends:
ii  dbus            1.10.22-0+deb9u1
ii  libpam-systemd  234-3~bpo9+1

Versions of packages systemd suggests:
ii  policykit-1        0.105-18
pn  systemd-container  <none>

Versions of packages systemd is related to:
pn  dracut           <none>
ii  initramfs-tools  0.130
ii  udev             232-25+deb9u1

-- no debconf information

Attachments:
systemd-delta.txt (531 bytes)
systemd-analyze-dump.txt (477K)
dsh-enabled.txt (6K)
fstab (802 bytes)
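
Added example, not part of the original report and not systemd code: a small checker that decodes the CapBnd line of /proc/<pid>/status and reports which of the capabilities a unit was meant to drop are still in the bounding set, so the two spellings of CapabilityBoundingSet= can be compared by what the kernel actually applied. The function names and the two sample status excerpts are constructed for illustration; it assumes the unit's ExecStart is temporarily pointed at a command that saves /proc/self/status to a file.

```python
import re
import sys

# Capability bit numbers from linux/capability.h (0..37, as on a 4.9 kernel).
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID",
    "CAP_SETPCAP", "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ",
]

def bounding_set(status_text):
    """Return the capability names set in the CapBnd mask of a status dump."""
    m = re.search(r"^CapBnd:\s*([0-9a-fA-F]+)", status_text, re.M)
    if m is None:
        raise ValueError("no CapBnd line found")
    mask = int(m.group(1), 16)
    return {name for bit, name in enumerate(CAP_NAMES) if (mask >> bit) & 1}

def still_present(status_text, expected_dropped):
    """Capabilities that should be gone but are still in the bounding set."""
    unknown = set(expected_dropped) - set(CAP_NAMES)
    if unknown:
        raise ValueError("unknown capability: %s" % ", ".join(sorted(unknown)))
    return sorted(set(expected_dropped) & bounding_set(status_text))

# Constructed samples: full 38-bit set minus bits 19 and 21, and minus bit 21 only.
SAMPLE_BOTH_DROPPED = "Name:\treadlink\nCapBnd:\t0000003fffd7ffff\n"
SAMPLE_ONE_DROPPED = "Name:\treadlink\nCapBnd:\t0000003fffdfffff\n"

if __name__ == "__main__":
    # Pass a saved copy of /proc/<pid>/status, or fall back to a constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ONE_DROPPED
    left = still_present(text, ["CAP_SYS_ADMIN", "CAP_SYS_PTRACE"])
    print("not dropped:", ", ".join(left) if left else "(none)")
```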