RHEL-1840

[RHEL 8.6] libcap does not correctly display the capabilities.

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Undefined
    • rhel-9.4
    • libcap
    • Important
    • rhel-sst-security-special-projects
    • ssg_security
    • Red Hat Enterprise Linux

      Description of problem:

      In RHEL 8.6 with the new libcap-2.48-2, the capabilities are not displayed correctly compared with what is set.

      When we assign capabilities to a binary file as below, where we set `+ep`, getcap however returns the output as `=ep`.

      Current output:
      ~~~
      # setcap cap_dac_read_search,cap_sys_ptrace+ep /usr/bin/ls
      # getcap /usr/bin/ls
      /usr/bin/ls cap_dac_read_search,cap_sys_ptrace=ep
      ~~~

      Expected output is supposed to be as below:
      ~~~
      # getcap /usr/bin/ls
      /usr/bin/ls cap_dac_read_search,cap_sys_ptrace+ep
      ~~~

      We found that this issue is not seen with the older version of the libcap rpm, i.e. `libcap-2.26-5.el8.x86_64` does not show this issue, while the new version `libcap-2.48-2.el8.x86_64` does show this issue.

      What we see is that, if I set capabilities with setcap with the new rpm installed, I will see the wrong capabilities displayed with getcap; however, just downgrading the rpm (without changing any capabilities with setcap) shows the correct output in getcap. The same is true vice versa, i.e. the capabilities which are shown correctly with the older rpm, on upgrade of libcap (without changing any capabilities with setcap), give wrong output in getcap for the same binary.

      Due to this, this feels like it is only an issue with how it's displayed and not a change to the actual capabilities, because the filesystem attribute `security.capability` for `/usr/bin/ls` remains the same across the upgrade and downgrade of libcap.

      ~~~
      # getfattr -m - --dump /usr/bin/ls
      getfattr: Removing leading '/' from absolute path names
      # file: usr/bin/ls
      security.capability=0sAQAAAgQACAAAAAAAAAAAAAAAAAA=
      security.selinux="system_u:object_r:bin_t:s0"
      ~~~

      Version-Release number of selected component (if applicable):

      libcap-2.48-2.el8.x86_64
      libcap-ng-0.7.11-1.el8.x86_64
      libcap-devel-2.48-2.el8.x86_64

      How reproducible:
      Every time

      Steps to Reproduce:
      1. No initial capabilities set
      ~~~
      # getcap /usr/bin/ls
      >> (No output)
      ~~~

      2. Set the capabilities for "+ep" and verify that the command is successful.
      ~~~
      # setcap cap_dac_read_search,cap_sys_ptrace+ep /usr/bin/ls
      # echo $?
      0
      ~~~

      3. We see that the getcap output shows the capabilities as "=ep"
      ~~~
      # getcap /usr/bin/ls
      /usr/bin/ls cap_dac_read_search,cap_sys_ptrace=ep
      ~~~

      Actual results:
      We see the capabilities displayed wrongly with "=ep"
      ~~~
      # getcap /usr/bin/ls
      /usr/bin/ls cap_dac_read_search,cap_sys_ptrace=ep
      ~~~

      Expected results:
      We should see the "+ep" being displayed since we set it with setcap
      ~~~
      # getcap /usr/bin/ls
      /usr/bin/ls = cap_dac_read_search,cap_sys_ptrace+ep
      ~~~

      Additional info:
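      As an added example (not part of the bug report and not libcap's own code), the following Python decoder reads the raw `security.capability` xattr, which is the ground truth that getcap only renders. It parses the `vfs_cap_data` header as defined in the kernel's `linux/capability.h` (revision 1/2/3, the single effective bit, the 64-bit permitted and inheritable masks, and the v3 rootid), names the bits using the kernel's capability numbering, and renders the result in libcap's `caps=flags` style. The function and variable names are my own; the sample value is the `0s...` base64 string getfattr printed in the report above. Decoding that value gives permitted = {cap_dac_read_search, cap_sys_ptrace}, inheritable empty and the effective bit set, which is the same state whether libcap prints it as `+ep` (added to an empty set) or `=ep`; a check against this xattr is therefore independent of which libcap version renders the text.

```python
import base64
import os
import struct

# Layout of struct vfs_cap_data from linux/capability.h
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_REVISION_1 = 0x01000000     # 4 + 8 bytes, 32 capabilities
VFS_CAP_REVISION_2 = 0x02000000     # 4 + 16 bytes, 64 capabilities
VFS_CAP_REVISION_3 = 0x03000000     # 4 + 16 + 4 bytes, adds rootid for user namespaces
VFS_CAP_FLAGS_EFFECTIVE = 0x000001  # one bit: every permitted cap is also effective

# Kernel capability numbering (bit index -> name in the form libcap prints it)
CAP_NAMES = [
    "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner",
    "cap_fsetid", "cap_kill", "cap_setgid", "cap_setuid", "cap_setpcap",
    "cap_linux_immutable", "cap_net_bind_service", "cap_net_broadcast",
    "cap_net_admin", "cap_net_raw", "cap_ipc_lock", "cap_ipc_owner",
    "cap_sys_module", "cap_sys_rawio", "cap_sys_chroot", "cap_sys_ptrace",
    "cap_sys_pacct", "cap_sys_admin", "cap_sys_boot", "cap_sys_nice",
    "cap_sys_resource", "cap_sys_time", "cap_sys_tty_config", "cap_mknod",
    "cap_lease", "cap_audit_write", "cap_audit_control", "cap_setfcap",
    "cap_mac_override", "cap_mac_admin", "cap_syslog", "cap_wake_alarm",
    "cap_block_suspend", "cap_audit_read", "cap_perfmon", "cap_bpf",
    "cap_checkpoint_restore",
]

# Sample input: the value getfattr --dump printed for /usr/bin/ls in the bug report
REPORTED_XATTR = "0sAQAAAgQACAAAAAAAAAAAAAAAAAA="


def mask_to_names(mask):
    """Expand a capability bitmask into libcap-style names, lowest bit first."""
    return [CAP_NAMES[b] if b < len(CAP_NAMES) else f"cap_{b}"
            for b in range(mask.bit_length()) if (mask >> b) & 1]


def parse_getfattr_value(value):
    """Decode the value syntax getfattr uses for binary attributes (0s = base64, 0x = hex)."""
    if value.startswith("0s"):
        return base64.b64decode(value[2:])
    if value.startswith("0x"):
        return bytes.fromhex(value[2:])
    raise ValueError("expected a 0s... or 0x... encoded value")


def decode_security_capability(raw):
    """Parse raw security.capability bytes into named permitted/inheritable/effective sets."""
    if len(raw) < 4:
        raise ValueError("security.capability value too short")
    (magic_etc,) = struct.unpack_from("<I", raw, 0)
    revision = magic_etc & VFS_CAP_REVISION_MASK
    # revision -> (number of 32-bit data words, total xattr length)
    layouts = {VFS_CAP_REVISION_1: (1, 12), VFS_CAP_REVISION_2: (2, 20), VFS_CAP_REVISION_3: (2, 24)}
    if revision not in layouts:
        raise ValueError(f"unknown vfs_cap_data revision {revision:#010x}")
    words, expected_len = layouts[revision]
    if len(raw) != expected_len:
        raise ValueError(f"revision {revision >> 24} expects {expected_len} bytes, got {len(raw)}")
    permitted = inheritable = 0
    for i in range(words):
        # data[i] holds 32 bits of permitted and inheritable; data[1] is the high half
        p, inh = struct.unpack_from("<II", raw, 4 + 8 * i)
        permitted |= p << (32 * i)
        inheritable |= inh << (32 * i)
    rootid = struct.unpack_from("<I", raw, 20)[0] if revision == VFS_CAP_REVISION_3 else None
    # The effective flag is file-wide: either all permitted caps are effective or none are
    effective = permitted if magic_etc & VFS_CAP_FLAGS_EFFECTIVE else 0
    return {
        "revision": revision >> 24,
        "permitted": mask_to_names(permitted),
        "inheritable": mask_to_names(inheritable),
        "effective": mask_to_names(effective),
        "rootid": rootid,
    }


def to_cap_text(caps):
    """Render decoded sets as "cap_a,cap_b=eip" groups (my own rendering, not libcap's cap_to_text)."""
    groups = {}
    for name in dict.fromkeys(caps["permitted"] + caps["inheritable"]):
        flags = "".join(f for f, key in (("e", "effective"), ("i", "inheritable"), ("p", "permitted"))
                        if name in caps[key])
        groups.setdefault(flags, []).append(name)
    return " ".join(f"{','.join(names)}={flags}" for flags, names in groups.items())


def read_file_caps(path):
    """Read and decode the xattr straight from a file (Linux only; needs read access to the xattr)."""
    return decode_security_capability(os.getxattr(path, "security.capability"))


if __name__ == "__main__":
    decoded = decode_security_capability(parse_getfattr_value(REPORTED_XATTR))
    print(decoded)
    print(to_cap_text(decoded))
```

      `read_file_caps("/usr/bin/ls")` gives the same dictionary for a live file, so a config-audit script can compare the decoded sets against an allow-list rather than string-matching getcap output, which, as this report shows, can change between libcap versions.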

              People: Anderson Sasaki (ansasaki@redhat.com), Ameya Patil (rhn-support-amepatil)
              Votes: 0
              Watchers: 3