continuing on the same.
My goal is to set some capabilities to process dynamically and then using setuid and setgid go to non root.
So that some of the capabilities can be still there to the process even after turns in to non root.
But it does not reflect in the cap_get_flag or /proc/<pid>/status in the CapEff.
below is the complete code
Code:
#include <stdio.h>
#include <sys/capability.h>
#include <sys/types.h>
#include <syslog.h>
#include <unistd.h>
int main() {
cap_t caps,capsg;
cap_value_t cap_list[3];
cap_list[0] = CAP_SETUID;
cap_list[1] = CAP_SETGID;
cap_list[2] = CAP_NET_ADMIN;
caps = cap_get_proc();
if(caps != NULL) {
cap_set_flag(caps, CAP_EFFECTIVE, 3, cap_list, CAP_SET);
cap_set_flag(caps, CAP_INHERITABLE, 3, cap_list, CAP_SET);
cap_set_flag(caps, CAP_PERMITTED, 3, cap_list, CAP_SET);
cap_set_proc(caps);
} else {
syslog(LOG_DEBUG, "Cap_get_proc() failed");
}
if (caps == NULL) {
perror("cap_get_proc");
return 1;
}
if (!setgid(500)) {
printf("Success in setting Srvr to non root group: euid %d egid %d \n",geteuid(), getegid());
if (!setuid(2006)) {
printf("Success in setting Srvr to non root user :euid %d egid %d \n",geteuid(), getegid());
} else {
printf("Failure in setting Srvr back to root group after setuid failure :euid %d egid %d \n",geteuid(), getegid());
}
} else {
printf("Failure in setting Srvr to non root group,continuing with root user \n");
}
capsg = cap_get_proc();
cap_flag_value_t flag_value;
if (cap_get_flag(capsg, CAP_NET_ADMIN, CAP_EFFECTIVE, &flag_value) == -1) {
perror("cap_get_flag");
return 1;
}
if (flag_value == CAP_SET) {
printf("CAP_NET_BIND_SERVICE capability is set.\n");
} else {
printf("CAP_NET_BIND_SERVICE capability is not set.\n");
}
sleep(10000);
cap_free(caps);
cap_free(capsg);
return 0;
}
output:
Success in setting Srvr to non root group: euid 0 egid 500
Success in setting Srvr to non root user :euid 2006 egid 500
CAP_NET_BIND_SERVICE capability is not set.
Any pointers / leads will help me here.