the-tcpdump-group / tcpdump

the TCPdump network dissector
https://www.tcpdump.org/

Different CapBnd with libcap-ng #982

Open mruprich opened 2 years ago

mruprich commented 2 years ago

Probably not a bug, I just wanted to ask this question. Having libcap-ng when building tcpdump means that when privileges are dropped, CapBnd are different than when libcap-ng is not in the system. Basically, when using just initgroups and setgid and setuid, CapBnd are 000001ffffffffff; with libcap-ng they are all zeroed out.

I am not sure whether I should expect both cases to have the same CapBnd, or whether it is just that without libcap-ng it is much more complicated to drop the Bnd?

Thanks, Michal

infrastation commented 1 year ago

At a glance this difference does not immediately look out of place: if it was practicable to drop as many privileges without the library, it would likely be already done without the library. Of course, it would take a longer look into the documentation to tell with confidence.

mruprich commented 1 year ago

@infrastation Hi, thanks, so do I understand this correctly, that the situation with libcap-ng is actually better because more privileges are dropped and that is desirable?

infrastation commented 1 year ago

That's my understanding, although I cannot recall a use case that would require me to flex or to verify individual capabilities. @msekletar added support for libcap-ng 10 years ago in commit 19bb00a, it was refined a number of times since then.
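To see which capabilities the two CapBnd values quoted in this thread stand for, the following added example (not part of the thread and not tcpdump code) decodes the Cap* lines of `/proc/<pid>/status`. The two status excerpts are constructed: only the CapBnd values come from the issue, the other fields are assumed to be zero after the privilege drop, and the function names are hypothetical; capability names follow bits 0 to 40 of linux/capability.h.

```python
import re

# Capability names indexed by bit number (linux/capability.h, bits 0..40).
CAP_NAMES = (
    "chown dac_override dac_read_search fowner fsetid kill setgid setuid "
    "setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw "
    "ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct "
    "sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod "
    "lease audit_write audit_control setfcap mac_override mac_admin syslog "
    "wake_alarm block_suspend audit_read perfmon bpf checkpoint_restore"
).split()

CAP_LINE = re.compile(r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]{16})\s*$", re.M)

def parse_cap_sets(status_text):
    """Return {"CapBnd": int, ...} from the text of /proc/<pid>/status."""
    return {name: int(value, 16) for name, value in CAP_LINE.findall(status_text)}

def decode_mask(mask):
    """Expand a capability bitmask into names; unknown bits become bit_N."""
    names, bit = [], 0
    while mask >> bit:
        if mask >> bit & 1:
            names.append("cap_" + CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"bit_{bit}")
        bit += 1
    return names

def summarize(status_text):
    """Map each capability set in a status excerpt to its decoded names."""
    return {name: decode_mask(mask) for name, mask in parse_cap_sets(status_text).items()}

# Constructed excerpts; only the CapBnd values are the ones reported in the issue.
TEMPLATE = ("Name:\ttcpdump\nCapInh:\t0000000000000000\nCapPrm:\t0000000000000000\n"
            "CapEff:\t0000000000000000\nCapBnd:\t{bnd}\nCapAmb:\t0000000000000000\n")
WITHOUT_LIBCAP_NG = TEMPLATE.format(bnd="000001ffffffffff")  # initgroups/setgid/setuid
WITH_LIBCAP_NG = TEMPLATE.format(bnd="0000000000000000")     # drop via libcap-ng

if __name__ == "__main__":
    for label, text in (("without libcap-ng", WITHOUT_LIBCAP_NG),
                        ("with libcap-ng", WITH_LIBCAP_NG)):
        bnd = summarize(text)["CapBnd"]
        print(f"{label}: {len(bnd)} capabilities remain in CapBnd")
        if bnd:
            print("  " + " ".join(bnd))
```

Per capabilities(7), the bounding set limits the capabilities a process can gain during execve(2), so the all-zero CapBnd is the stricter of the two results.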