grsecurity forums

[laci]

I have just upgraded from 2.4.18 + 1.9.4 to 2.4.19 + 1.9.6.
This means converting my system to the new ACL system (which looks a lot more likeable - except for this problem).

However, I lost one functionality: giving extra capabilities to non-root binaries. I used to run named in a chroot environment, where a single binary (/usr/sbin/cage) does chdir(), chroot(), setgroups(), setgid(), setuid() before execing named. This means that the process is running as a normal user, thus cannot bind port 53. So I give CAP_NET_BIND_SERVICE to that binary, like this (proc.acl):
/var/named/usr/sbin/named {
/var/named rx
/var/named/dev/null rw
/var/named/dev/zero rw
/var/named/var/run rwx
/var/named/var/log/named rwx
/var/named/var/named/internal/dump rwx
/var/named/var/named/internal/secondary rwx
/var/named/var/named/external/dump rwx
/var/named/var/named/external/secondary rwx
+CAP_NET_BIND_SERVICE
}
This setup used to work with the old ACL system but now it does not work.

My $2 question: is this the expected behaviour from 1.9.6, or am I missing something?
If this new ACL system (as documented) is supposed to only restrict rights and not augment it (by giving non-root users extra privileges), what can I do to relax this assumption regarding the use of capabilities?

[spender]

Named doesn't really get that capability as a non-root user. What it does is uses several capabilities at startup, does what it needs to do with those capabilities, drops them, does a prctl which says that it can keep its capabilities across setuid's, then it drops all capabilities but CAP_NET_BIND_SERVICE. The reason why bind isn't running is because it still needs those bunch of capabilities it uses at startup. There's no worries in granting them to it, because it drops them after it uses them. Alternatively, you can enable gradm after you start bind, and it'll apply it's ACL to it and work fine with just +CAP_NET_BIND_SERVICE.

-Brad