| 1 |
Hi there, im currently maintaining the gnupg ebuild for Gentoo and I'm |
| 2 |
trying to get gpg's linux capability support working (or at least verify |
| 3 |
that it does work for those who know how to use it), unfortunately |
| 4 |
documentation is a little thin on the ground. |
| 5 |
|
| 6 |
Theoretically, this should allow people to use mlock() without running |
| 7 |
suid root, however I cant verify it works :) |
| 8 |
|
| 9 |
looking through the source code, gpg needs the cap_ipc_lock+p capability |
| 10 |
for itself, but the calls to cap_set_proc() always fail, eg |
| 11 |
|
| 12 |
capset(0x19980330, 0, {CAP_IPC_LOCK, CAP_IPC_LOCK, }) = -1 EPERM (Operation not permitted) |
| 13 |
mlock(0x4aa8b000, 135185396) = -1 EPERM (Operation not permitted) |
| 14 |
capset(0x19980330, 0, {, CAP_IPC_LOCK, }) = -1 EPERM (Operation not permitted) |
| 15 |
|
| 16 |
which is from this code: |
| 17 |
|
| 18 |
cap_set_proc( cap_from_text("cap_ipc_lock+ep") ); |
| 19 |
err = mlock( p, n ); |
| 20 |
if( err && errno ) |
| 21 |
err = errno; |
| 22 |
cap_set_proc( cap_from_text("cap_ipc_lock+p") ); |
| 23 |
|
| 24 |
So how do I enable this capability for non root processes? I read |
| 25 |
something that suggests I send a bitmask with the capability I want to |
| 26 |
the kernel.cap-bound sysctl, looking at capability.h that would be 14.. |
| 27 |
so 1111 1111 1111 1011... 0xfffbffff, right? |
| 28 |
|
| 29 |
It doesnt make a difference..any hints appreciated :) |
| 30 |
|
| 31 |
The currenlty masked gnupg-1.2.3-r3 supports the "caps" local USE flag, |
| 32 |
if anyone wants to take a look :) |
| 33 |
|
| 34 |
(please cc me on replies, not a subscriber) |
| 35 |
|
| 36 |
-- |
| 37 |
------------------------------------- |
| 38 |
taviso@××××××××××××.org | finger me for my gpg key. |
| 39 |
------------------------------------------------------- |
| 40 |
|
| 41 |
-- |
| 42 |
gentoo-hardened@g.o mailing list |
Archives