Re: Recycle semaphore?
  By: Digital Man to Va7aqd on Mon Apr 01 2019 04:14 pm

 > It sounds like you're missing some kernel module associated with
 > capabilities. Sorry, I don't know more than that (I didn't write this
 > portion of the code, Deuce did). I don't seem to have any modules with "cap"
 > in the name installed/running on my Debian systems, yet the capabilites work
 > fine.

OK, I think I have things sorted, but much of what was wrong seems to be with
the suggestions
in the documentation (and that's no complaint about the docs at all - there's
tons of great
info in the wiki).  Specifically, it looks like SBBS should be started as
root as it drops
privileges and runs as the user defined in ctrl/sbbs.ini appropriately.
However, in the wiki
docs, and I would point the finger mostly at the systemd page, which gives an
example with
systemd starting it as a non-root user & group.

Now I suspect it's possible to set some extra capabilities on the sbbs binary
to give it what
it needs, but it appears that "setcap 'cap_net_bind_service=ep'" isn't enough.
When doing an
strace on sbbs when starting (and complaining about it's inability to recycle),
it looks like
it's checking other capabilities (though I'm not familiar with granting
capabilities this way,
so I'm just guessing on what this means):

write(1, "Setting initial privileges\n", 27) = 27
capset({version=_LINUX_CAPABILITY_VERSION_1, pid=0}, {effective=1<<CAP_DAC_READ
_SEARCH|1<<CAP_SETGID|1<<CAP_SETUID|1<<CAP_NET_BIND_SERVICE|1<<CAP_S
YS_RESOURCE, permitted=1<<CAP_DAC_READ_SEARCH|1<<CAP_SETGID|1<<CAP_SETUID|1<<CA
P_NET_BIND_SERVICE|1<<CAP_SY
S_RESOURCE, inheritable=0}) = -1 EPERM (Operation not permitted)
write(1, "\r\rlinux_initialprivs() FAILED\n", 30) = 30

The only one the linux non-root user wiki page references is
cap_net_bind_service.

So, I was just working on doing things as securely as possible with the least
amount of
privileges, but really SBBS seems to do things like any smart system daemon
does - it starts
as root and drops down to user privileges so it can do things like run on
privileged ports
(without having to monkey around with specific capabilities settings on a
binary).

Thanks for all the assistance, I hope some of this pain is helpful.

---
 ■ Synchronet ■ VA7AQD's Tavern - bbs.isurf.ca
 * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)