Commit 4ecb9009 authored by Stephen Hemminger's avatar Stephen Hemminger Committed by Linus Torvalds
Browse files

sysctl: allow override of /proc/sys/net with CAP_NET_ADMIN 



Extend the permission check for networking sysctl's to allow modification
when current process has CAP_NET_ADMIN capability and is not root.  This
version uses the until now unused permissions hook to override the mode
value for /proc/sys/net if accessed by a user with capabilities.

Found while working with Quagga.  It is impossible to turn forwarding
on/off through the command interface because Quagga uses secure coding
practice of dropping privledges during initialization and only raising via
capabilities when necessary.  Since the dameon has reset real/effective
uid after initialization, all attempts to access /proc/sys/net variables
will fail.

Signed-off-by: default avatarStephen Hemminger <shemminger@vyatta.com>
Acked-by: default avatar"Eric W. Biederman" <ebiederm@xmission.com>
Cc: Chris Wright <chrisw@sous-sol.org>
Cc: Alexey Dobriyan <adobriyan@gmail.com>
Cc: Andrew Morgan <morgan@kernel.org>
Cc: Pavel Emelyanov <xemul@openvz.org>
Cc: "David S. Miller" <davem@davemloft.net>
Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
parent 99541c23

net/sysctl_net.c

+14 −0
Original line number Diff line number Diff line
@@ -35,8 +35,22 @@ net_ctl_header_lookup(struct ctl_table_root *root, struct nsproxy *namespaces) 
	return &namespaces->net_ns->sysctl_table_headers;

}



/* Return standard mode bits for table entry. */

static int net_ctl_permissions(struct ctl_table_root *root,

			       struct nsproxy *nsproxy,

			       struct ctl_table *table)

{

	/* Allow network administrator to have same access as root. */

	if (capable(CAP_NET_ADMIN)) {

		int mode = (table->mode >> 6) & 7;

		return (mode << 6) | (mode << 3) | mode;

	}

	return table->mode;

}



static struct ctl_table_root net_sysctl_root = {

	.lookup = net_ctl_header_lookup,

	.permissions = net_ctl_permissions,

};



static LIST_HEAD(net_sysctl_ro_tables);

CRA Git | Maintained and supported by SUSTech CRA and CCSE