
LOCAL STORAGE:
# namei -l /opt/home/sites/t/test/dir/structure/.htaccess
f: /opt/home/sites/t/test/dir/structure/.htaccess
drwxr-xr-x root      root                 /
drwxr-xr-x root      root                 opt
drwxr-xr-x root      root                 home
drwxr-xr-x root      root                 sites
drwxr-xr-x root      root                 t
drwx------ http-test http-linux_http-test test
drwx--x--x http-test http-linux_http-test dir
drwx------ http-test http-linux_http-test structure
-rw------- http-test http-linux_http-test .htaccess


NFS MOUNTED STORAGE: (server (NetApp): -sec=sys,rw=clientip,root=clientip; client (Linux): rw,vers=3,tcp,bg)
# namei -l /mnt/home/sites/t/test/dir/structure/.htaccess
f: /mnt/home/sites/t/test/dir/structure/.htaccess
drwxr-xr-x root      root                 /
drwxr-xr-x root      root                 mnt
drwxr-x--x root      root                 home
drwx--x--x root      root                 sites
drwx--x--x root      root                 t
drwx------ http-test http-linux_http-test test
drwx--x--x http-test http-linux_http-test dir
drwx------ http-test http-linux_http-test structure
-rw------- http-test http-linux_http-test .htaccess


# ./capset /opt/home/sites/t/test/dir/structure/.htaccess
euid:33 uid:33 egid:33 gid:33
Process capabilities: = cap_dac_read_search,cap_setgid,cap_setuid,cap_sys_nice+ep;
Access: success!


# ./capset /mnt/home/sites/t/test/dir/structure/.htaccess
euid:33 uid:33 egid:33 gid:33
Process capabilities: = cap_dac_read_search,cap_setgid,cap_setuid,cap_sys_nice+ep;
Access: error (13): Permission denied


# cat capset.c
//
// gcc -o capset capset.c -lcap
//
#include <sys/capability.h>
#include <sys/types.h>
#include <sys/prctl.h>

#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>

#include <errno.h>
#include <fcntl.h>
#include <sys/stat.h>

#include <string.h>

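/*
 * Drop privileges to a fixed unprivileged uid/gid while retaining a small
 * set of capabilities (including CAP_DAC_READ_SEARCH), then report whether
 * the file named by argv[1] can be opened for reading.
 *
 * The program only reports the open() result. In the transcript above the
 * same mode-0600 file opens on local storage and fails with EACCES on the
 * NFS mount; the program does not distinguish the two cases itself.
 *
 * argv[1]: path to test. Exits 1 with a message on usage or privilege-setup
 * failure; otherwise prints the result of open() and returns 0, even when
 * the open itself fails (that failure is the observation being made).
 */
enum { TARGET_ID = 33 };

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

int main(int argc, char **argv) {
    if (argc < 2) {
        fprintf(stderr, "usage: %s <path>\n", argv[0]);
        return 1;
    }

    /* Keep the permitted set across the uid change. setuid() still clears
     * the effective set, so the wanted capabilities are re-raised below. */
    if (prctl(PR_SET_KEEPCAPS, 1)) {
        printf("prctl SET_KEEPCAPS 1 failed\n");
        exit(1);
    }

    /* Groups first, then uid. Every call is checked: a silently failed
     * drop would run the access test as root and report a misleading
     * "success". */
    if (setegid(TARGET_ID) || setgid(TARGET_ID) ||
        setuid(TARGET_ID) || seteuid(TARGET_ID)) {
        perror("dropping uid/gid failed");
        exit(1);
    }

    /* uid_t/gid_t are not int; print them through an explicit cast. */
    printf("euid:%u uid:%u egid:%u gid:%u\n",
           (unsigned)geteuid(), (unsigned)getuid(),
           (unsigned)getegid(), (unsigned)getgid());

    if (prctl(PR_SET_KEEPCAPS, 0)) {
        printf("prctl SET_KEEPCAPS 0 failed\n");
        exit(1);
    }

    static const cap_value_t keep_caps[] = {
        CAP_SETUID,
        CAP_SETGID,
        CAP_DAC_READ_SEARCH,
        CAP_SYS_NICE,
    };

    /* cap_init() returns an all-clear set, so no separate cap_clear(). */
    cap_t caps = cap_init();
    if (caps == NULL) {
        perror("cap_init");
        exit(1);
    }
    if (cap_set_flag(caps, CAP_PERMITTED, (int)ARRAY_SIZE(keep_caps), keep_caps, CAP_SET) ||
        cap_set_flag(caps, CAP_EFFECTIVE, (int)ARRAY_SIZE(keep_caps), keep_caps, CAP_SET) ||
        cap_set_proc(caps)) {
        /* If the kernel refuses the new set, say so instead of printing a
         * capability string that does not reflect the process. */
        perror("cap_set_proc");
        cap_free(caps);
        exit(1);
    }
    cap_free(caps);

    /* Re-read the sets from the kernel so the printed string is what the
     * process actually holds, not what was requested. */
    caps = cap_get_proc();
    if (caps == NULL) {
        perror("cap_get_proc");
        exit(1);
    }
    char *strcaps = cap_to_text(caps, NULL);
    printf("Process capabilities: %s;\nAccess:", strcaps ? strcaps : "(unavailable)");
    if (strcaps) {
        cap_free(strcaps);   /* cap_to_text() allocates; release via cap_free() */
    }
    cap_free(caps);

    /* NOTE(review): the capability sets above are local to this kernel. With
     * an NFS export using sec=sys the server applies its own mode-bit check
     * against the client's uid and cannot see client-side capabilities, which
     * is consistent with the EACCES seen on the NFS path in the transcript —
     * confirm against the export's security settings. */
    int fd = open(argv[1], O_RDONLY);
    if (fd == -1) {
        int err = errno;   /* save before any other call can clobber it */
        printf(" error (%d): %s\n", err, strerror(err));
    } else {
        printf(" success!\n");
        close(fd);
    }

    return 0;
}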