Bug 1177715 - setpriv: libcap-ng is too old for "all" caps
Status: RESOLVED FIXED
Classification: openSUSE
Product: openSUSE Tumbleweed
Component: Security
Version: Current
Hardware: Other
OS: Other
Priority: P5 - None
Severity: Major
Assigned To: Stanislav Brabec
Reported: 2020-10-14 20:21 UTC by André Werlang
Modified: 2021-08-05 13:04 UTC (History)
Description André Werlang 2020-10-14 20:21:48 UTC
setpriv doesn't recognize newer kernel capabilities (>=39)

$ setpriv --inh-caps=+all cat /proc/self/status
setpriv: libcap-ng is too old for "all" caps
$ uname -r
5.8.14-1-default
$ cat /proc/sys/kernel/cap_last_cap
39
$ ldd /usr/bin/setpriv
        linux-vdso.so.1 (0x00007ffcbaf89000)
        libcap-ng.so.0 => /usr/lib64/libcap-ng.so.0 (0x00007f28049d4000)
        libc.so.6 => /lib64/libc.so.6 (0x00007f280480b000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f2804a01000)

CAP_BPF (39) was added to libcap2 [https://build.opensuse.org/request/show/824647] but setpriv doesn't seem to depend on it, but libcap-ng0 instead which is outdated.
Comment 1 James Carter 2020-10-21 18:10:50 UTC
Me too.  I just (2020-10-20) updated to kernel-default-5.8.14-1.2 and I
have libcap-ng0-0.7.10-1.16.x86_64 installed since 2020-09-01, and
unbound-1.12.0-1.1.x86_64 installed 2020-10-20.  Unbound won't start,
exuding the error message that the OP showed.  This kind of interferes
with normal operation of the host.  (I raised the bug's severity level to
"Major".)  I had kernel 5.7.1-1-default available; reverting to that
"fixed" the problem.
Comment 2 James Carter 2020-11-05 05:51:56 UTC
In https://bugs.archlinux.org/task/67781 (2020-08-31) the 
developer describes what he did to fix it in Arch Linux.  

I just installed SuSE Tumbleweed on a new machine, and on boot it 
was complaining because of no local stub resolver (unbound) that 
could do DNSSEC.  I ended up installing 
kernel-default-5.3.18-lp152.47.2 from Leap 15.2 which "solved" the 
problem.
Comment 3 James Carter 2021-01-08 22:36:01 UTC
I made some progress on the "too old" issue.  

Versions: 
util-linux-2.35.1-2.3.x86_64 (for setpriv)
unbound-1.13.0-1.1.x86_64
libcap-ng0-0.7.10-1.16.x86_64
linux-glibc-devel-5.10-1.1.x86_64 (for /usr/include/linux/capability.h)
kernel-default-5.10.4-1.1.x86_64 (failing)
kernel-default-5.6.12-1.3.x86_64 (not failing)

Symptom: Running a recent kernel, you try to start unbound.  It drops
privileges by (I'm guessing here) re-execing itself using setpriv, and
it dies.  This message is found in /var/log/debug or systemctl status
unbound:
setpriv: libcap-ng is too old for "all" caps

I dug through the source code (from the .srpm), specifically 
/usr/src/packages/BUILD/util-linux-2.35.1/sys-utils/setpriv.c
./lib/caputils.c
/usr/include/linux/capability.h
/usr/src/linux-5.10.4-1/include/uapi/linux/capability.h 
See also: /proc/sys/kernel/cap_last_cap (value 40)

setpriv.c does:
```c
if (!strcmp(c + 1, "all")) {
    /* refuse "all" when the running kernel has caps beyond the build-time table */
    if (cap_last_cap() > CAP_LAST_CAP)
        errx(EXIT_FAILURE, "libcap-ng is too old for \"all\" caps");
}
```
cap_last_cap() is defined in ./lib/caputils.c ; it reads
/proc/sys/kernel/cap_last_cap and caches the value for subsequent calls.
On kernel 5.10.4 there are 40 caps and all sources are up to date on
this; CAP_LAST_CAP is defined in /usr/include/linux/capability.h
I don't see why the code fails, but it does.  

On kernel 5.6.12 there are 37 caps and unbound starts up with no
complaints (despite the running kernel having fewer caps than 
/usr/include/linux/capability.h knows about, i.e. CAP_LAST_CAP == 40).
Unbound started failing in kernel 5.7.(early).  

Workaround: I installed the experimental util-linux-2.36 ; URL:
https://download.opensuse.org/repositories/Base:/System/openSUSE_Factory/x86_64/util-linux-2.36-440.127.x86_64.rpm
Unbound starts right up.  

So my request is, please expedite moving util-linux-2.36 to official 
status.  It seems to be SuSE policy to use unbound, and when it fails to
start, that really puts a crimp in uptake.
Comment 4 André Werlang 2021-02-24 01:35:31 UTC
Seems fixed.
Comment 5 James Carter 2021-02-24 19:45:40 UTC
Confirmed -- recently I got an update to util-linux-2.36.1-3.2.x86_64
(installed 2021-02-23).  Unbound starts up with no hassle.  Thank
you for moving out this new version.
Comment 6 Gilberto C. Andrade 2021-08-05 13:04:21 UTC
Same problem with openSUSE Leap 15.3, upgrading from 15.2:

```bash
gilberto.andrade@C430760:~$ setpriv --inh-caps=+all cat /proc/self/status
setpriv: aplicar capacidades: Operação não permitida

gilberto.andrade@C430760:~$ uname -a
Linux C430760 5.3.18-59.16-default #1 SMP Thu Jul 15 11:28:57 UTC 2021 (0b62bdb) x86_64 x86_64 x86_64 GNU/Linux

gilberto.andrade@C430760:~$ ldd /usr/bin/setpriv
        linux-vdso.so.1 (0x00007ffdaadc8000)
        libcap-ng.so.0 => /usr/lib64/libcap-ng.so.0 (0x00007fba04376000)
        libc.so.6 => /lib64/libc.so.6 (0x00007fba03fa1000)
        /lib64/ld-linux-x86-64.so.2 (0x00007fba04788000)

gilberto.andrade@C430760:~$ rpm -qa|grep util-linux
util-linux-lang-2.36.2-2.29.noarch
util-linux-2.36.2-2.29.x86_64
util-linux-systemd-2.36.2-2.1.x86_64
```

I don't know which util-linux version is appropriate.
Regards,
Gilberto