problem with CAP_NET_BIND_SERVICE

Posted: Wed Mar 02, 2005 10:18 pm
by campbellm
Hi,

I'm attempting the impossible by trying to secure a cPanel box with ACLs manually, and keep running into this problem:

grsec: (default:D:/) use of CAP_NET_BIND_SERVICE denied for /usr/local/cpanel/bin/cppop[cppop:1342] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0

I have allowed the binary (/usr/local/cpanel/bin/cppop) access to the CAP_NET_BIND_SERVICE with the following ACL:

subject /usr/local/cpanel/bin/cppop o
/ h
/dev/log rw
/dev/console rw
/etc r
/etc/ssh h
/etc/grsec h
/etc/shadow* h
/etc/lilo.conf h
/lib rx
/proc h
/usr h
/usr/lib rx
/usr/sbin h
/usr/local/cpanel rx
/var/log rw
-CAP_ALL
+CAP_DAC_OVERRIDE
+CAP_NET_BIND_SERVICE
+CAP_SETGID
+CAP_SETUID

Yet it keeps falling back to the 'default' role. Any ideas what I am doing wrong here?

cheers,

Campbell

Posted: Thu Mar 03, 2005 2:47 pm
by spender
I'd have to see your entire policy to determine what the problem is, since just having the subject in the policy does not mean it'll work if it's put in the wrong place (such as under the role for admin, instead of under the default role).

-Brad
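An added example, not from either poster: a small Python parser for grsec capability-denial lines like the one quoted above. It reads the "(role:type:subject)" prefix to separate "the binary's own subject was never matched, the kernel fell back to another subject" (the situation in this thread) from "the subject matched but does not grant the capability". The second sample line, the type-letter meanings and the diagnose() helper are assumptions.

```python
import re
from typing import Optional

# Constructed sample lines: the first is modelled on the denial quoted in the
# post, the second is made up to show the other outcome (subject matched,
# capability absent), the third is noise the parser must ignore.
SAMPLE_LOG = """\
grsec: (default:D:/) use of CAP_NET_BIND_SERVICE denied for /usr/local/cpanel/bin/cppop[cppop:1342] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
grsec: (root:U:/usr/local/cpanel/bin/cppop) use of CAP_SYS_ADMIN denied for /usr/local/cpanel/bin/cppop[cppop:1401] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
kernel: something unrelated
"""

# "(role:type:subject)": RBAC role name, role type letter (assumed: D = default
# role, U = user, G = group, S = special) and the subject that matched.
CAP_DENIAL = re.compile(
    r"grsec: \((?P<role>[^:]+):(?P<rtype>[A-Z]):(?P<subject>[^)]+)\) "
    r"use of (?P<cap>CAP_[A-Z_]+) denied for (?P<path>\S+?)\[(?P<comm>[^:\]]+):(?P<pid>\d+)\]"
)

def parse_denial(line: str) -> Optional[dict]:
    """Return the fields of a grsec capability denial, or None for other lines."""
    m = CAP_DENIAL.search(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["pid"] = int(entry["pid"])
    return entry

def diagnose(entry: dict, policy_subjects: set) -> str:
    """Hypothetical helper: classify the denial given the subject paths the
    admin believes are defined somewhere in the policy."""
    if entry["subject"] != entry["path"] and entry["path"] in policy_subjects:
        # A different (catch-all) subject matched, so the per-binary subject was
        # never reached: typical of a subject placed under a role the process
        # does not run as.
        return "SUBJECT_NOT_REACHED"
    if entry["subject"] == entry["path"]:
        return "CAP_NOT_GRANTED"
    return "NO_SUBJECT_DEFINED"

def triage(log_text: str, policy_subjects: set) -> list:
    """(path, capability, role, verdict) for every denial in the log text."""
    results = []
    for line in log_text.splitlines():
        entry = parse_denial(line)
        if entry:
            results.append((entry["path"], entry["cap"], entry["role"],
                            diagnose(entry, policy_subjects)))
    return results

if __name__ == "__main__":
    for row in triage(SAMPLE_LOG, {"/usr/local/cpanel/bin/cppop"}):
        print(row)
```

A SUBJECT_NOT_REACHED verdict with role type D is exactly the symptom in the first post: the process is being handled by the default role's "/" subject, so the capabilities listed under the cppop subject never apply.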