Bug
Resolution: Unresolved
rhel-9.4
Important
rhel-sst-security-special-projects
ssg_security
Red Hat Enterprise Linux
Description of problem:
In RHEL 8.6 with the new libcap-2.48-2, the capabilities are not displayed correctly compared to what is set.
When we assign capabilities to a binary file as below, setting `+ep`, getcap returns the output as `=ep`.
Current output:
~~~
# setcap cap_dac_read_search,cap_sys_ptrace+ep /usr/bin/ls
# getcap /usr/bin/ls
/usr/bin/ls cap_dac_read_search,cap_sys_ptrace=ep
~~~
Expected output is supposed to be as below:
~~~
# getcap /usr/bin/ls
/usr/bin/ls cap_dac_read_search,cap_sys_ptrace+ep
~~~
We found that this issue is not seen with the older version of the libcap rpm, i.e. `libcap-2.26-5.el8.x86_64` does not show this issue, while the new version `libcap-2.48-2.el8.x86_64` does show this issue.
What we see is that if I set capabilities with setcap with the new rpm installed, I see the wrong capabilities displayed with getcap; however, just downgrading the rpm (without changing any capabilities with setcap) shows the correct output in getcap. The same is true vice versa, i.e. for capabilities which show correctly with the older rpm, on upgrade of libcap (without changing any capabilities with setcap) we get the wrong output in getcap for the same binary.
Because of this, it feels like it is only an issue with how the capabilities are displayed and not a change to the actual capabilities, because the filesystem attribute `security.capability` for `/usr/bin/ls` remains the same during the upgrade and downgrade of libcap.
~~~
# getfattr -m - --dump /usr/bin/ls
getfattr: Removing leading '/' from absolute path names
# file: usr/bin/ls
security.capability=0sAQAAAgQACAAAAAAAAAAAAAAAAAA=
security.selinux="system_u:object_r:bin_t:s0"
~~~
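To check that claim directly from the attribute rather than from getcap's text, here is an added example (not part of the report and not libcap code) that decodes the `security.capability` value dumped above into its permitted/inheritable sets and effective flag, and renders it in the `names=flags` style libcap 2.48 prints. The renderer is an assumption-laden simplification: it covers only the common case where the inheritable set is empty or equal to the permitted set.

```python
import base64
import struct

# Linux capability names indexed by bit number (from the kernel's capability.h).
CAP_NAMES = (
    "chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap "
    "linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock "
    "ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin "
    "sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write "
    "audit_control setfcap mac_override mac_admin syslog wake_alarm block_suspend "
    "audit_read perfmon bpf checkpoint_restore"
).split()
VFS_CAP_FLAGS_EFFECTIVE = 0x000001   # low bit of magic_etc
VFS_CAP_REVISION_MASK = 0xFF000000   # high byte of magic_etc
# The value getfattr dumped for /usr/bin/ls in the report above.
REPORTED_XATTR = "0sAQAAAgQACAAAAAAAAAAAAAAAAAA="

def _names(mask):
    """Bit mask -> list of cap_* names (unknown bits kept as numbers)."""
    return ["cap_" + CAP_NAMES[b] if b < len(CAP_NAMES) else str(b)
            for b in range(64) if mask >> b & 1]

def decode_security_capability(value):
    """Parse a getfattr '0s<base64>' security.capability value (VFS_CAP_REVISION_2 or _3)."""
    raw = base64.b64decode(value[2:] if value.startswith("0s") else value)
    magic = struct.unpack_from("<I", raw, 0)[0]
    revision = (magic & VFS_CAP_REVISION_MASK) >> 24
    if revision not in (2, 3) or len(raw) != {2: 20, 3: 24}[revision]:
        raise ValueError("unsupported security.capability layout")
    # Two u32 pairs: (permitted, inheritable) for caps 0-31, then for caps 32-63.
    p_lo, i_lo, p_hi, i_hi = struct.unpack_from("<IIII", raw, 4)
    return {
        "revision": revision,
        "effective": bool(magic & VFS_CAP_FLAGS_EFFECTIVE),
        "permitted": _names(p_lo | p_hi << 32),
        "inheritable": _names(i_lo | i_hi << 32),
        # Revision 3 appends the root uid of the owning user namespace.
        "rootid": struct.unpack_from("<I", raw, 20)[0] if revision == 3 else None,
    }

def render_caps(caps):
    """Render as the 'names=flags' text libcap 2.48 getcap prints; the older '+ep' output
    describes the same decoded state. Covers inheritable empty or equal to permitted."""
    if not caps["permitted"]:
        return ""
    if caps["inheritable"] not in ([], caps["permitted"]):
        raise ValueError("inheritable differs from permitted; not rendered by this example")
    flags = ("e" if caps["effective"] else "") + ("i" if caps["inheritable"] else "") + "p"
    return ",".join(caps["permitted"]) + "=" + flags
```

Comparing the decoded dictionary before and after the rpm change (rather than the getcap string) shows whether the file's capability bits actually moved.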
Version-Release number of selected component (if applicable):
libcap-2.48-2.el8.x86_64
libcap-ng-0.7.11-1.el8.x86_64
libcap-devel-2.48-2.el8.x86_64
How reproducible:
Every time
Steps to Reproduce:
1. No initial capabilities set
~~~
# getcap /usr/bin/ls
>> (No output)
~~~
2. Set the capabilities for "+ep" and verify that the command is successful.
~~~
# setcap cap_dac_read_search,cap_sys_ptrace+ep /usr/bin/ls
# echo $?
0
~~~
3. We see that the getcap output shows the capabilities as "=ep"
~~~
# getcap /usr/bin/ls
/usr/bin/ls cap_dac_read_search,cap_sys_ptrace=ep
~~~
Actual results:
We see the capabilities displayed wrongly as "=ep"
~~~
# getcap /usr/bin/ls
/usr/bin/ls cap_dac_read_search,cap_sys_ptrace=ep
~~~
Expected results:
We should see "+ep" being displayed, since that is what we set with setcap
~~~
# getcap /usr/bin/ls
/usr/bin/ls = cap_dac_read_search,cap_sys_ptrace+ep
~~~
Additional info: