Skip to content

Add CAP_CHOWN to permitted capability set#12908

Open
bryancall wants to merge 4 commits intoapache:masterfrom
bryancall:add-cap-chown-to-permitted
Open

Add CAP_CHOWN to permitted capability set#12908
bryancall wants to merge 4 commits intoapache:masterfrom
bryancall:add-cap-chown-to-permitted

Conversation

@bryancall
Copy link
Contributor

@bryancall bryancall commented Feb 23, 2026

Summary

Add CAP_CHOWN to the permitted capability set retained by RestrictCapabilities() after the privilege drop from root to the unprivileged user.

This enables plugins that manage TLS certificate files to set root:root ownership on backup copies they write to disk, supporting deployments where cert files are restricted to root:root 600 inside root:root 700 directories.

Changes

  • src/tscore/ink_cap.cc -- Added CAP_CHOWN to perm_list in RestrictCapabilities(). Like CAP_DAC_OVERRIDE and CAP_FOWNER, it is retained in the permitted set only (not effective). A plugin must explicitly promote it to the effective set before use.

Security Considerations

CAP_CHOWN allows changing file ownership. It follows the same security model as CAP_DAC_OVERRIDE (already retained): held in the permitted set but not in the effective set during normal operation. A plugin must use RAII-style elevation to briefly promote it, then drop it immediately after the fchown() call.

Testing

Verified on Fedora 43 with libcap 2.76:

  • CAP_CHOWN appears in CapPrm but not CapEff after startup
  • fchown() succeeds when the capability is elevated
  • No change to steady-state behavior

@bryancall
Add CAP_CHOWN to permitted capability set
ee4c5d4 
Add CAP_CHOWN to the permitted capability set retained after privilege
drop. This allows plugins that perform cert file backup writes to set
root ownership on newly created files when certs are restricted to
root:root 600.

Like CAP_DAC_OVERRIDE, CAP_CHOWN is held in the permitted set only and
must be explicitly promoted to the effective set before use. It is not
active during normal operation.
@bryancall bryancall added this to the 10.2.0 milestone Feb 23, 2026
@bryancall bryancall self-assigned this Feb 23, 2026
@bryancall bryancall modified the milestones: 10.2.0, 11.0.0 Feb 23, 2026
@bryancall bryancall requested a review from Copilot February 23, 2026 21:30
Copilot AI reviewed Feb 23, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR adds CAP_CHOWN to the permitted capability set to enable plugins to change file ownership, specifically to support TLS certificate management plugins that need to set root:root ownership on backup certificate files.

Changes:

  • Added CAP_CHOWN to the perm_list array in RestrictCapabilities(), making it available in the permitted set (but not the effective set) after privilege drop

cmcfarlen
cmcfarlen previously approved these changes Mar 3, 2026
View reviewed changes
Copy link
Contributor

@cmcfarlen cmcfarlen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Seems ok, but copilot raised some issue.

@bryancall
Add CHOWN_PRIVILEGE to ElevateAccess
8bf8f83 
Add CHOWN_PRIVILEGE (0x10u) to the ElevateAccess privilege_level enum
and wire up CAP_CHOWN in acquirePrivilege() so plugins can elevate
file ownership capability through the standard ATS privilege API.
@bryancall bryancall requested a review from Copilot March 3, 2026 16:36
Copilot AI reviewed Mar 3, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

@bryancall
Fix bounds-check assertion in acquirePrivilege()
9518296 
The assertion compared cap_count against sizeof(cap_list) which
returns the byte size (16), not the element count (4). This could
never catch an actual array overflow.
@bryancall
Simplify OWNER_PRIVILEGE comment to single line
30c86c7 
Replace the two-line comment with a concise description that
covers the full scope of CAP_FOWNER, not just chmod.
@bryancall bryancall requested a review from Copilot March 12, 2026 23:00
Copilot AI reviewed Mar 12, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated no new comments.

You can also share your feedback on Copilot code review. Take the survey.

@bryancall
Copy link
Contributor Author

bryancall commented Mar 12, 2026

[approve ci centos]

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@cmcfarlen cmcfarlen Awaiting requested review from cmcfarlen

At least 1 approving review is required to merge this pull request.

Assignees

@bryancall bryancall

Labels

None yet

Projects

None yet

Milestone

11.0.0

Development

Successfully merging this pull request may close these issues.

3 participants

@bryancall @cmcfarlen