Capabilities stored but not usable
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
eCryptfs | Invalid | Undecided | Unassigned |
Bug Description
Summary:
On an eCryptfs mount (say, a home directory), file capabilities can be set and retrieved, but when executed, they do not have any effect.
To reproduce, run the following from within an eCryptfs mount:
- Build the attached captest.c sample & set the raw socket capability on the resultant executable:
gcc captest.c -o captest
sudo setcap cap_net_raw+eip captest
- Verify that capabilities were indeed set (you should see "captest = cap_net_raw+eip"):
getcap captest
- Run ./captest and I get "raw socket(2) failed: Operation not permitted" (i.e. the capability did not apply to the process execution)
- Try these steps again elsewhere (e.g. /tmp) and verify that no error is reported
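The attached captest.c is not part of this page, so the following is an added example, not the reporter's attachment: a test program that tries the raw socket exactly as the steps above describe and, when that fails, performs the check a practitioner would want after reading this report, namely whether the binary lives on a mount carrying the nosuid option, where the kernel ignores file capabilities just as it ignores setuid bits. The function names, the /home/user path and the sample mounts table are assumptions constructed for the example, not copied from a real system.

```c
/* captest.c: added example, not the attachment from the original bug report.
 * Tries to open a raw socket (needs CAP_NET_RAW) and, if that fails, checks
 * whether the running binary sits on a nosuid mount, where file capabilities
 * are ignored. SAMPLE_MOUNTS is a constructed /proc/self/mounts-style table. */
#define _GNU_SOURCE
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Returns 0 if a raw ICMP socket can be opened, otherwise the errno from socket(2). */
int try_raw_socket(void)
{
    int fd = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
    if (fd < 0) return errno;
    close(fd);
    return 0;
}

/* True if "nosuid" appears as a whole option in a comma-separated option string. */
int mount_opts_have_nosuid(const char *opts)
{
    for (const char *p = opts; ; ) {
        const char *end = strchr(p, ',');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 6 && strncmp(p, "nosuid", 6) == 0) return 1;
        if (!end) return 0;
        p = end + 1;
    }
}

/* Finds the entry (text in /proc/self/mounts format) whose mount point is the
 * longest prefix of path on a path-component boundary; later entries win ties,
 * matching how stacked mounts shadow earlier ones. Returns 1 and fills opts,
 * or 0 if no entry covers the path. */
int mount_opts_for_path(const char *mounts, const char *path, char *opts, size_t optslen)
{
    size_t best = 0;
    int found = 0;
    for (const char *line = mounts; *line; ) {
        char dev[256], mnt[256], type[64], o[256];
        /* the first four fields of a line are device, mount point, fs type, options */
        if (sscanf(line, "%255s %255s %63s %255s", dev, mnt, type, o) == 4) {
            size_t mlen = strlen(mnt);
            int prefix = (mlen == 1 && mnt[0] == '/') ||
                         (strncmp(path, mnt, mlen) == 0 &&
                          (path[mlen] == '/' || path[mlen] == '\0'));
            if (prefix && mlen >= best) {
                best = mlen;
                found = 1;
                snprintf(opts, optslen, "%s", o);
            }
        }
        const char *nl = strchr(line, '\n');
        if (!nl) break;
        line = nl + 1;
    }
    return found;
}

/* 1 if path is on a nosuid mount, 0 if not, -1 if no mount entry covers it. */
int path_on_nosuid_mount(const char *mounts, const char *path)
{
    char opts[256];
    if (!mount_opts_for_path(mounts, path, opts, sizeof opts)) return -1;
    return mount_opts_have_nosuid(opts);
}

/* Constructed sample: an encrypted home mounted nosuid, root and /tmp without it. */
const char *SAMPLE_MOUNTS =
    "/dev/sda1 / ext4 rw,relatime 0 0\n"
    "/home/.ecryptfs/user/.Private /home/user ecryptfs rw,nosuid,nodev,relatime 0 0\n"
    "tmpfs /tmp tmpfs rw,nodev,relatime 0 0\n";

int main(void)
{
    static char mounts[65536];
    char exe[4096];
    ssize_t n = readlink("/proc/self/exe", exe, sizeof exe - 1);
    if (n < 0) { perror("readlink"); return 1; }
    exe[n] = '\0';
    FILE *f = fopen("/proc/self/mounts", "r");
    size_t got = f ? fread(mounts, 1, sizeof mounts - 1, f) : 0;
    if (f) fclose(f);
    mounts[got] = '\0';

    int err = try_raw_socket();
    if (err == 0) { printf("raw socket opened: CAP_NET_RAW is effective\n"); return 0; }
    printf("raw socket(2) failed: %s\n", strerror(err));
    if (path_on_nosuid_mount(mounts, exe) == 1)
        printf("%s is on a nosuid mount; file capabilities are ignored there\n", exe);
    return 1;
}
```

Build and use it the same way as the steps above (gcc captest.c -o captest; sudo setcap cap_net_raw+eip captest; ./captest), once inside the encrypted home and once from /tmp. The nosuid check is the quick way to tell a capability that was never applied from one that was stripped by the mount, and the same longest-prefix lookup works for any other mount option that affects execution, such as noexec.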
Affected versions:
Ubuntu 12.10 64 bit
3.5.0-25-generic #38-Ubuntu SMP Mon Feb 18 23:27:42 UTC 2013
Comments:
This was known to work in previous releases of Ubuntu.
Looking under /home/.
Thanks for taking the time to report this bug, Peter.
Between 12.04 and 12.10, we had to start mounting encrypted home with the nosuid mount option to address CVE-2012-3409. I've verified that this is the reason why you can no longer use capabilities as you've described in the bug description.
I would suggest that you move the binary outside of your encrypted home directory so that you can still use capabilities. Sorry for the inconvenience.