For example:
# capwrap --user nobody --grp nobody --cap CAP_NET_BIND_SERVICE nc -l -p 80
The wrapper would look like:
1 prtctl(PR_SET_KEEPCAPS, 1)
2 setreuid(uid,uid)
3 setregid(gid,gid)
4 desired_caps = cap_from_text(argv[caps])
5 capsetp(0,desired_caps)
6 execvp(argv[legacyapp])
This wrapper[1] (that would increase security) won't work with the current
kernel though, because at step 6, all capabilities are cleared.
It looks like when a non uid 0 process execs, all capabilities are
cleared.
The wrapper could also support chroot and setrlimit.
Dax Kelson
Guru Labs
[1] Marc Heuse wrote "compartment" that does caps OR set*uid, but not both
(see my discussion above)
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/