From a476f62ccfe5dd534be3a3b085e32cecac4d7d13 Mon Sep 17 00:00:00 2001
From: Renzo Davoli
Date: Sat, 16 Sep 2017 14:11:29 +0200
Subject: [PATCH] cado.conf:var enabled. execs changed the def value
---
 README.md | 2 +-
 read_conf.c | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 9b37d10..9e1abca 100644
--- a/README.md
+++ b/README.md
@@ -194,7 +194,7 @@ Unavailable ambient capabilities:
 7 0000000000000080 cap_setuid
 cado: Permission denied
 ```
-It is possible to enable only the capability allowed by setting the -q option
+It is possible to enable only the allowed capabilities by setting the -q option
 (with or without -v). Using -q cado does not fail.
 ```
 $ cado -qv net_admin,kill,setuid bash
diff --git a/read_conf.c b/read_conf.c
index 3963cbd..1a793fd 100644
--- a/read_conf.c
+++ b/read_conf.c
@@ -61,6 +61,8 @@ static int drop_capabilities(void *useless) {
 uint64_t get_authorized_caps(char **user_groups, uint64_t reqset) {
 uint64_t ok_caps=0;
 FILE *f;
+ /* allow environment vars in execs commands */
+ s2argv_getvar=getenv;
 /* cado.conf is not readble by users. Add the capability to do it */
 if (user_groups) raise_cap_dac_read_search();
 f=fopen(CADO_CONF, "r");
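Review bot: The caller's environment becomes an untrusted input to a privileged configuration parse at `s2argv_getvar=getenv;` in get_authorized_caps, because every variable the hook can return is set by the unprivileged user who invokes cado. The next lines raise cap_dac_read_search to read cado.conf, and the added comment says the expansion applies to execs commands, so a caller-chosen value can presumably alter what a configured command line expands to. Consider pointing the hook at a file-local wrapper that answers only for an explicit allow-list of names and returns NULL otherwise (sketched below), and state in the cado.conf documentation that expanded values are caller-supplied. The assignment is also process-wide and stays in force after this function returns; the body continues outside the hunk, so whether it is reset later cannot be seen here.

```c
/* Expand only the variable names the administrator has chosen to allow;
 * anything else in the caller's environment is treated as unset.
 * The returned value is still caller-supplied and must be treated as data. */
static char *conf_getvar(const char *name) {
	/* placeholder name: replace with the variables cado.conf is meant to use */
	static const char *const allowed[] = { "EXAMPLE_ALLOWED_VAR" };
	for (size_t i = 0; i < sizeof allowed / sizeof allowed[0]; i++)
		if (strcmp(name, allowed[i]) == 0)
			return getenv(name);
	return NULL;
}

uint64_t get_authorized_caps(char **user_groups, uint64_t reqset) {
	/* … unchanged: local declarations … */
	s2argv_getvar=conf_getvar;
	/* … unchanged: raise_cap_dac_read_search() and fopen(CADO_CONF) … */
```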