kern/185384: [libcapsicum] cap_init(3) doesn't work in multiuser environment

Jan Beich jbeich at tormail.org
Wed Jan 1 06:20:00 UTC 2014


>Number:         185384
>Category:       kern
>Synopsis:       [libcapsicum] cap_init(3) doesn't work in multiuser environment
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Jan 01 06:20:00 UTC 2014
>Closed-Date:
>Last-Modified:
>Originator:     Jan Beich
>Release:        
>Organization:
>Environment:
>Description:
While r259581 enabled casperd(8) by default, the socket it creates is
owned by root and cannot be written to by anyone else. An existing
consumer that tries to contact it via cap_init(3) as a non-root user
fails with a warning like

  tcpdump: WARNING: unable to contact casperd

However, the casperd(8) manpage hints that the -S and -P options can be
used to start the daemon with non-default paths. This doesn't seem to
work as expected because cap_init(3) hardcodes CASPER_SOCKPATH.

>How-To-Repeat:
$ ktrace ls >/dev/null
$ kdump -r >/dev/null
kdump: unable to contact casperd: Permission denied

$ sudo tcpdump -w foo -i my0
$ tcpdump -r foo >/dev/null
reading from file foo, link-type EN10MB (Ethernet)
tcpdump: WARNING: unable to contact casperd
^C

$ ps lwp $(pgrep casper)
UID PID PPID CPU PRI NI   VSZ  RSS MWCHAN STAT TT     TIME COMMAND
  0 851    1   0  20  0 22788 1988 select Is    -  0:00.00 /sbin/casperd
  0 850    1   0  20  0 22788 1984 select I    v0- 0:00.00 casperd: zygote (casperd)

>Fix:
A trivial workaround for use after login:

  # put into ~/.profile or /etc/profile
  : ${CASPERD_DIR:=/tmp/casperd-$(id -u)}

  mkdir -p $CASPERD_DIR
  casperd -P $CASPERD_DIR/default.pid -S $CASPERD_DIR/default.socket
  export CASPER_SOCKPATH=$CASPERD_DIR/default.socket

--- getenv_sockpath.diff begins here ---
Index: lib/libcapsicum/libcapsicum.3
===================================================================
--- lib/libcapsicum/libcapsicum.3	(revision 260159)
+++ lib/libcapsicum/libcapsicum.3	(working copy)
@@ -218,6 +218,16 @@ The
 and
 .Fn cap_unwrap
 functions always succeed.
+.Sh ENVIRONMENT
+.Bl -tag -width ".Ev CASPER_SOCKPATH"
+.It Ev CASPER_SOCKPATH
+Specifies the path to
+.Xr unix 4
+domain socket used to communicate with the
+.Xr casperd 8
+daemon. If not set,
+.Pa /var/run/casper
+is used.
 .Sh EXAMPLES
 The following example first opens capability to the
 .Xr casperd 8
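Review bot: the added ENVIRONMENT section breaks the mdoc "new sentence, new line" convention at `+daemon. If not set,`; split it into `+daemon.` and `+If not set,` so the formatter spaces the sentences correctly. Minor wording: `+Specifies the path to` / `+.Xr unix 4` reads better as "the path to the unix(4) domain socket". Since the variable now steers which daemon a consumer trusts, the section should also state whether the override is honoured for set-user-ID processes.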
Index: lib/libcapsicum/libcapsicum.c
===================================================================
--- lib/libcapsicum/libcapsicum.c	(revision 260159)
+++ lib/libcapsicum/libcapsicum.c	(working copy)
@@ -76,7 +76,7 @@ cap_init(void)
 
 	bzero(&sun, sizeof(sun));
 	sun.sun_family = AF_UNIX;
-	strlcpy(sun.sun_path, CASPER_SOCKPATH, sizeof(sun.sun_path));
+	strlcpy(sun.sun_path, getenv("CASPER_SOCKPATH") ? : CASPER_SOCKPATH, sizeof(sun.sun_path));
 	sun.sun_len = SUN_LEN(&sun);
 
 	sock = socket(AF_UNIX, SOCK_STREAM, 0);
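Review bot: consulting `getenv("CASPER_SOCKPATH")` unconditionally lets whoever controls the environment redirect every libcapsicum consumer, including set-user-ID programs, to a socket of their choosing, which for a privilege broker like casperd is the same class of problem as honouring LD_PRELOAD; guard the lookup with issetugid(3), e.g. `path = issetugid() ? NULL : getenv("CASPER_SOCKPATH");`, and fall back to CASPER_SOCKPATH when the result is NULL or an empty string (an empty value currently yields an empty sun_path). Separately, `? :` with the middle operand omitted is a GNU C extension; spell the ternary out so the file builds with -pedantic, and the overlong line should be wrapped to the file's style.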
--- getenv_sockpath.diff ends here ---

Alternatively, casperd(8) can be run under a dedicated user/group
with only one instance.
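For comparison with the patch above, here is a hardened way to honour the environment override, as an added example that is not the submitter's code or part of libcapsicum: the override is ignored for set-user-ID/set-group-ID processes and a path that would not fit sun_path is rejected instead of silently truncated. CASPER_DEFAULT_SOCKPATH is an assumed stand-in for the library's CASPER_SOCKPATH constant, and the portable uid/gid comparison is a weaker substitute for issetugid(3) on non-BSD systems.

```c
/* Added example, not the submitter's patch: choose the Casper socket
 * path with an environment override that privileged processes ignore. */
#if defined(__linux__)
#define _DEFAULT_SOURCE 1
#endif
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Assumed stand-in for libcapsicum's CASPER_SOCKPATH constant. */
#ifndef CASPER_DEFAULT_SOCKPATH
#define CASPER_DEFAULT_SOCKPATH "/var/run/casper"
#endif

/* issetugid(3) where available; elsewhere fall back to comparing real
 * and effective ids, which misses some privilege transitions. */
static int
running_setugid(void)
{
#if defined(__FreeBSD__) || defined(__OpenBSD__)
	return issetugid();
#else
	return getuid() != geteuid() || getgid() != getegid();
#endif
}

/* Copy the chosen path into buf. Returns 0 on success, -1 if the path
 * would not fit (a truncated sun_path must never be used). */
int
casper_sockpath(char *buf, size_t buflen)
{
	const char *path = NULL;

	if (!running_setugid())
		path = getenv("CASPER_SOCKPATH");
	if (path == NULL || *path == '\0')
		path = CASPER_DEFAULT_SOCKPATH;
	if (strlen(path) >= buflen)
		return (-1);
	memcpy(buf, path, strlen(path) + 1);
	return (0);
}

/* Fill a sockaddr_un as cap_init(3) does; sun_len is omitted because
 * it does not exist on every platform. */
int
casper_sockaddr(struct sockaddr_un *sun)
{
	memset(sun, 0, sizeof(*sun));
	sun->sun_family = AF_UNIX;
	return casper_sockpath(sun->sun_path, sizeof(sun->sun_path));
}
```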


>Release-Note:
>Audit-Trail:
>Unformatted: