Add CAP_CHOWN to permitted capability set #12908
bryancall wants to merge 2 commits into apache:master from
Conversation
Add CAP_CHOWN to the permitted capability set retained after privilege drop. This allows plugins that perform cert file backup writes to set root ownership on newly created files when certs are restricted to root:root 600. Like CAP_DAC_OVERRIDE, CAP_CHOWN is held in the permitted set only and must be explicitly promoted to the effective set before use. It is not active during normal operation.
Pull request overview
This PR adds CAP_CHOWN to the permitted capability set to enable plugins to change file ownership, specifically to support TLS certificate management plugins that need to set root:root ownership on backup certificate files.
Changes:
- Added CAP_CHOWN to the perm_list array in RestrictCapabilities(), making it available in the permitted set (but not the effective set) after privilege drop
cmcfarlen
left a comment
Seems ok, but copilot raised some issue.
Add CHOWN_PRIVILEGE (0x10u) to the ElevateAccess privilege_level enum and wire up CAP_CHOWN in acquirePrivilege() so plugins can elevate file ownership capability through the standard ATS privilege API.
| ++cap_count; | ||
| } | ||
|
|
||
| ink_release_assert(cap_count <= sizeof(cap_list)); |
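Review bot: The ink_release_assert on the last line of this region only runs after the loop doing ++cap_count has finished, so whatever bound it checks (byte count today, element count once corrected) fires only after an out-of-bounds store into cap_list has already happened; check the bound before each store, or add a static_assert tying the array length to the number of capabilities the function can add, so a future addition fails at compile time or before memory is written rather than after.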
The bounds-check assertion at line 471 compares cap_count (the number of capabilities, max 4) against sizeof(cap_list) (the byte size of the array, which is 4 * sizeof(cap_value_t) = 16 bytes on typical platforms). This means the assertion is effectively cap_count <= 16, which will never catch an actual out-of-bounds write. It should use the element count instead: cap_count <= sizeof(cap_list) / sizeof(cap_list[0]).
This PR brings cap_count up to a potential maximum of 4, exactly matching the array dimension, so the array is not overflowed now — but the guard is broken. Any future capability addition will silently overflow cap_list without the assertion firing.
| ink_release_assert(cap_count <= sizeof(cap_list)); | |
| ink_release_assert(cap_count <= sizeof(cap_list) / sizeof(cap_list[0])); |
| OWNER_PRIVILEGE = 0x8u ///< Bypass permission checks on operations that normally require | ||
| OWNER_PRIVILEGE = 0x8u, ///< Bypass permission checks on operations that normally require | ||
| /// filesystem UID & process UID to match | ||
| CHOWN_PRIVILEGE = 0x10u ///< Change file ownership |
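Review bot: The ///< comment on the new CHOWN_PRIVILEGE line says only what the flag does, not what it maps to; since this is the public API name for CAP_CHOWN and, like the other levels, can only be acquired while the capability is still in the permitted set after RestrictCapabilities(), saying so in the comment (e.g. "Change file ownership (CAP_CHOWN; permitted-only until elevated)") saves plugin authors a trip to ink_cap.cc.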
The CHOWN_PRIVILEGE entry is not aligned to the same column as the other enum values. All previous entries use column-aligned spacing before = to keep the values visually aligned (e.g., FILE_PRIVILEGE = 0x1u, OWNER_PRIVILEGE = 0x8u), but CHOWN_PRIVILEGE = 0x10u has only a single space before =, breaking the alignment pattern.
| CHOWN_PRIVILEGE = 0x10u ///< Change file ownership | |
| CHOWN_PRIVILEGE = 0x10u ///< Change file ownership |
Summary
Add CAP_CHOWN to the permitted capability set retained by RestrictCapabilities() after the privilege drop from root to the unprivileged user. This enables plugins that manage TLS certificate files to set root:root ownership on backup copies they write to disk, supporting deployments where cert files are restricted to root:root 600 inside root:root 700 directories.
Changes
- src/tscore/ink_cap.cc -- Added CAP_CHOWN to perm_list in RestrictCapabilities(). Like CAP_DAC_OVERRIDE and CAP_FOWNER, it is retained in the permitted set only (not effective). A plugin must explicitly promote it to the effective set before use.
Security Considerations
CAP_CHOWN allows changing file ownership. It follows the same security model as CAP_DAC_OVERRIDE (already retained): held in the permitted set but not in the effective set during normal operation. A plugin must use RAII-style elevation to briefly promote it, then drop it immediately after the fchown() call.
Testing
Verified on Fedora 43 with libcap 2.76:
- CAP_CHOWN appears in CapPrm but not CapEff after startup
- fchown() succeeds when the capability is elevated
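The RAII-style elevation described under Security Considerations, as an added example that is not part of this PR or of Traffic Server: the guard reads the current capability sets, raises CAP_CHOWN into the effective set only if the permitted set still holds it, and lowers it again as soon as the guard goes out of scope. It uses the raw capget/capset syscalls instead of libcap so it builds without linking; the raise_effective()/lower_effective() split and the ScopedChown name are my own assumptions, not ATS API.

```cpp
// Added example (not Traffic Server code): keep CAP_CHOWN effective only for the
// duration of one fchown(), via raw capget/capset so no libcap link is needed.
#include <cerrno>
#include <linux/capability.h>
#include <sys/syscall.h>
#include <unistd.h>

// v3 layout: capability numbers 0..63 are spread over two 32-bit words.
static inline unsigned cap_bit(int cap) { return 1u << (cap % 32); }
// Is `cap` in the effective (or, when effective == false, the permitted) set?
bool cap_in(const __user_cap_data_struct *d, int cap, bool effective) {
  const unsigned w = effective ? d[cap / 32].effective : d[cap / 32].permitted;
  return (w & cap_bit(cap)) != 0;
}

// Policy: a capability can only be raised into the effective set if it is
// already permitted. Returns false and leaves the set untouched otherwise.
bool raise_effective(__user_cap_data_struct *d, int cap) {
  if (!(d[cap / 32].permitted & cap_bit(cap))) return false;
  d[cap / 32].effective |= cap_bit(cap);
  return true;
}

void lower_effective(__user_cap_data_struct *d, int cap) { d[cap / 32].effective &= ~cap_bit(cap); }

// RAII guard: CAP_CHOWN is effective only between construction and destruction.
class ScopedChown {
  __user_cap_header_struct hdr_{_LINUX_CAPABILITY_VERSION_3, 0};
  __user_cap_data_struct data_[2]{};
  bool raised_ = false;
public:
  ScopedChown() {
    if (syscall(SYS_capget, &hdr_, data_) != 0) return;  // read current sets
    if (!raise_effective(data_, CAP_CHOWN)) return;      // not permitted: refuse
    raised_ = (syscall(SYS_capset, &hdr_, data_) == 0);
  }
  ~ScopedChown() {
    if (!raised_) return;
    lower_effective(data_, CAP_CHOWN);
    syscall(SYS_capset, &hdr_, data_);                   // drop immediately after use
  }
  bool active() const { return raised_; }
};

// Give a freshly written backup file root:root ownership, elevated only for this call.
int chown_backup_to_root(int fd) {
  ScopedChown guard;
  if (!guard.active()) return -EPERM;
  return fchown(fd, 0, 0) == 0 ? 0 : -errno;
}
```

If RestrictCapabilities() did not leave CAP_CHOWN in the permitted set, raise_effective() refuses and chown_backup_to_root() returns -EPERM without ever calling capset.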