From 4ecb90090c84210a8bd2a9d7a5906e616735873c Mon Sep 17 00:00:00 2001 From: Stephen Hemminger Date: Fri, 25 Jul 2008 01:48:32 -0700 Subject: sysctl: allow override of /proc/sys/net with CAP_NET_ADMIN Extend the permission check for networking sysctl's to allow modification when current process has CAP_NET_ADMIN capability and is not root. This version uses the until now unused permissions hook to override the mode value for /proc/sys/net if accessed by a user with capabilities. Found while working with Quagga. It is impossible to turn forwarding on/off through the command interface because Quagga uses secure coding practice of dropping privledges during initialization and only raising via capabilities when necessary. Since the dameon has reset real/effective uid after initialization, all attempts to access /proc/sys/net variables will fail. Signed-off-by: Stephen Hemminger Acked-by: "Eric W. Biederman" Cc: Chris Wright Cc: Alexey Dobriyan Cc: Andrew Morgan Cc: Pavel Emelyanov Cc: "David S. Miller" Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds --- net/sysctl_net.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) (limited to 'net') diff --git a/net/sysctl_net.c b/net/sysctl_net.c index 007c1a6708e..63ada437fc2 100644 --- a/net/sysctl_net.c +++ b/net/sysctl_net.c @@ -35,8 +35,22 @@ net_ctl_header_lookup(struct ctl_table_root *root, struct nsproxy *namespaces) return &namespaces->net_ns->sysctl_table_headers; } +/* Return standard mode bits for table entry. */ +static int net_ctl_permissions(struct ctl_table_root *root, + struct nsproxy *nsproxy, + struct ctl_table *table) +{ + /* Allow network administrator to have same access as root. */ + if (capable(CAP_NET_ADMIN)) { + int mode = (table->mode >> 6) & 7; + return (mode << 6) | (mode << 3) | mode; + } + return table->mode; +} + static struct ctl_table_root net_sysctl_root = { .lookup = net_ctl_header_lookup, + .permissions = net_ctl_permissions, }; static LIST_HEAD(net_sysctl_ro_tables); -- cgit v1.2.3