diff options
author | Stephen Hemminger <shemminger@vyatta.com> | 2008-07-25 04:48:32 -0400 |
---|---|---|
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2008-07-25 13:53:45 -0400 |
commit | 4ecb90090c84210a8bd2a9d7a5906e616735873c (patch) | |
tree | a7baec8859ff9750296be318400ba4475eb40b6c | |
parent | 99541c23cd32bacf1a591ca537a7c0cb9053ad7e (diff) |
sysctl: allow override of /proc/sys/net with CAP_NET_ADMIN
Extend the permission check for networking sysctl's to allow modification
when current process has CAP_NET_ADMIN capability and is not root. This
version uses the until now unused permissions hook to override the mode
value for /proc/sys/net if accessed by a user with capabilities.
Found while working with Quagga. It is impossible to turn forwarding
on/off through the command interface because Quagga uses secure coding
practice of dropping privledges during initialization and only raising via
capabilities when necessary. Since the dameon has reset real/effective
uid after initialization, all attempts to access /proc/sys/net variables
will fail.
Signed-off-by: Stephen Hemminger <shemminger@vyatta.com>
Acked-by: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Chris Wright <chrisw@sous-sol.org>
Cc: Alexey Dobriyan <adobriyan@gmail.com>
Cc: Andrew Morgan <morgan@kernel.org>
Cc: Pavel Emelyanov <xemul@openvz.org>
Cc: "David S. Miller" <davem@davemloft.net>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-rw-r--r-- | net/sysctl_net.c | 14 |
1 files changed, 14 insertions, 0 deletions
diff --git a/net/sysctl_net.c b/net/sysctl_net.c index 007c1a6708ee..63ada437fc2f 100644 --- a/net/sysctl_net.c +++ b/net/sysctl_net.c | |||
@@ -35,8 +35,22 @@ net_ctl_header_lookup(struct ctl_table_root *root, struct nsproxy *namespaces) | |||
35 | return &namespaces->net_ns->sysctl_table_headers; | 35 | return &namespaces->net_ns->sysctl_table_headers; |
36 | } | 36 | } |
37 | 37 | ||
38 | /* Return standard mode bits for table entry. */ | ||
39 | static int net_ctl_permissions(struct ctl_table_root *root, | ||
40 | struct nsproxy *nsproxy, | ||
41 | struct ctl_table *table) | ||
42 | { | ||
43 | /* Allow network administrator to have same access as root. */ | ||
44 | if (capable(CAP_NET_ADMIN)) { | ||
45 | int mode = (table->mode >> 6) & 7; | ||
46 | return (mode << 6) | (mode << 3) | mode; | ||
47 | } | ||
48 | return table->mode; | ||
49 | } | ||
50 | |||
38 | static struct ctl_table_root net_sysctl_root = { | 51 | static struct ctl_table_root net_sysctl_root = { |
39 | .lookup = net_ctl_header_lookup, | 52 | .lookup = net_ctl_header_lookup, |
53 | .permissions = net_ctl_permissions, | ||
40 | }; | 54 | }; |
41 | 55 | ||
42 | static LIST_HEAD(net_sysctl_ro_tables); | 56 | static LIST_HEAD(net_sysctl_ro_tables); |