[apparmor] Apparmor: Query
Christian Boltz
apparmor at cboltz.de
Tue Aug 4 11:14:15 UTC 2020
Hello,
On Tuesday, 4 August 2020, 05:02:30 CEST, Murali Selvaraj wrote:
> cat /etc/foo =================> Ensure this file belongs to root
> ls -ltr /etc/foo
> -rw-r--r-- 1 root root 8 Aug 3 20:31 /etc/foo
This means everybody can read (or cat) the file, therefore no
capabilities are needed.
Capabilities also won't help if a non-root user tries to read
-rw------- 1 root root 8 Aug 3 20:31 /etc/foo
because the file permissions won't allow this.
For a special case, see [1].
However, a process running as root will need the dac_override capability
to read
-rw------- 1 some_user users 8 Aug 3 20:31 /etc/foo
because the file permissions only allow some_user to read the file, but
not root (unless root has dac_override capabilities).
As a side note: you can find a description of all capabilities in
man 7 capabilities
Regards,
Christian Boltz
[1] You could set your /bin/cat to have the dac_override capability -
which is basically a partial suid bit. Something like this gets done
for /usr/bin/ping on openSUSE, which gets the net_raw capability
instead of a suid bit.
Technically "chkstat" does that (based on some permissions.* files)
but I have no idea if there's a command to set the capabilities for
a single binary.
--
I certainly expected the severity db to turn around and say "So, rule,
I've been asked to determine how severe you are. Why don't you tell me
a little about yourself? Do you like hugs, puppies, and long walks on
the beach?". [Steve Beattie in apparmor]
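The three cases in the mail (world-readable file, 0600 root-owned file read by a non-root user, 0600 file owned by some_user read by root) as a small model of the discretionary access check and when a capability rule in the profile would matter; this is an added example, not code from the list post, and the numeric ids for root, some_user and the users group are constructed. It also covers the footnote's case of a non-root process that holds the capability through file capabilities.

```python
import stat
from dataclasses import dataclass

# Model of the discretionary access check discussed in the mail (added example,
# not part of the original message). Numeric ids are constructed: root = 0,
# some_user = 1000, group users = 100.
USERS = {"root": 0, "some_user": 1000}
GROUPS = {"root": 0, "users": 100}

@dataclass(frozen=True)
class FileInfo:
    mode: int  # permission bits, e.g. 0o644 for -rw-r--r--
    uid: int
    gid: int

@dataclass(frozen=True)
class Process:
    uid: int
    gids: frozenset
    caps: frozenset = frozenset()  # effective capabilities, e.g. {"dac_override"}

def file_from_ls(line: str) -> FileInfo:
    """Parse an `ls -l` line such as '-rw-r--r-- 1 root root 8 Aug 3 20:31 /etc/foo'.
    Any character other than '-' in a permission slot counts as that bit set."""
    perm, _links, owner, group = line.split()[:4]
    mode = 0
    for i, ch in enumerate(perm[1:10]):
        if ch != "-":
            mode |= 1 << (8 - i)
    return FileInfo(mode, USERS[owner], GROUPS[group])

def dac_read_allowed(f: FileInfo, p: Process) -> bool:
    """Plain DAC read check: owner bits, else group bits, else other bits."""
    if p.uid == f.uid:
        return bool(f.mode & stat.S_IRUSR)
    if f.gid in p.gids:
        return bool(f.mode & stat.S_IRGRP)
    return bool(f.mode & stat.S_IROTH)

def read_outcome(f: FileInfo, p: Process) -> str:
    """'allowed' (no capability needed), 'allowed_by_capability', or 'denied'."""
    if dac_read_allowed(f, p):
        return "allowed"
    # Either capability bypasses the read check; dac_read_search is the narrower
    # one (read and search only), dac_override also covers write and execute.
    if p.caps & {"dac_override", "dac_read_search"}:
        return "allowed_by_capability"
    return "denied"
```

For a profile that only needs to read such files, `capability dac_read_search` is the smaller grant than `capability dac_override`.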