Linux Capabilities Bounding Set Support #201

pull jrmithdobbs wants to merge 2 commits into bitcoin:master from jrmithdobbs:master changing 4 files +124 −2
  1. jrmithdobbs commented at 12:17 AM on May 8, 2011: contributor

    This addition adds a build-time option that's Linux-specific.

    It drops any capabilities assigned to the process at launch time (if it were launched as root, root loses all special meaning). It also removes all capabilities from the bounding set and locks all options related to privilege escalation so that they may not be changed.

    For these options to work (if built) the binary must be setuid root (horrible) or setcap cap_setpcap+eip bitcoind (awesome). It only needs this capability so that it can clear the bounding set, which it does in main() of bitcoind, very first thing. I am not sure where the code needs to go to make it function in the bitcoin GUI client?

    For more details, make sure you have libcap2-dev installed and see: man 7 capabilities, man 2 prctl

    The relevant sections of prctl(2) are: PR_CAPBSET_DROP and PR_SET_SECUREBITS.

    This patch will make it so that (barring issues in the POSIX.1e implementation in the kernel itself) any code execution vulnerabilities in the future will be unable to gain escalated privileges through the bitcoind process, even by exec()'ing suid binaries and exploiting known issues with them.

  2. Add linux capabilities bounding set support. a0e26e0563
  3. Add linux capabilities bounding set support. c7e1ec7616
  4. jrmithdobbs commented at 12:26 AM on May 8, 2011: contributor

    Did not mean to commit that removal of USE_UPNP:=0, my bad.

  5. jrmithdobbs closed this on May 8, 2011

  6. dexX7 referenced this in commit 6f215a20b8 on Nov 24, 2014
  7. sipa referenced this in commit 9d09322b41 on Mar 27, 2015
  8. TheBlueMatt referenced this in commit 582b2934e6 on Oct 20, 2015
  9. kleetus referenced this in commit 803d69203a on Feb 5, 2016
  10. deadalnix referenced this in commit 932bc8da63 on Jan 4, 2017
  11. deadalnix referenced this in commit f0d851ee6a on Jan 19, 2017
  12. classesjack referenced this in commit 69d8723caf on Jan 2, 2018
  13. attilaaf referenced this in commit 523ca55734 on Jan 13, 2020
  14. jonasschnelli referenced this in commit 6c6140846f on Feb 5, 2021
  15. cryptapus referenced this in commit a5c464ec28 on May 3, 2021
  16. rajarshimaitra referenced this in commit 9c65e490bb on Aug 5, 2021
  17. DrahtBot locked this on Sep 8, 2021
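
The lockdown sequence described in the opening comment, as an added example; this is not the code from the pull request, whose diff is not shown on this page. The names `lock_down`, `bounding_set_size` and `LOCKDOWN_SECUREBITS`, the exact choice of securebits, and the use of the raw `capset` syscall in place of libcap are assumptions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/capability.h>
#include <linux/securebits.h>

/* Assumed policy: root gets no implicit capabilities, setuid() transitions do
 * not touch capability sets, keep-caps stays off, and each choice is locked. */
#define LOCKDOWN_SECUREBITS (SECBIT_NOROOT | SECBIT_NOROOT_LOCKED | \
    SECBIT_NO_SETUID_FIXUP | SECBIT_NO_SETUID_FIXUP_LOCKED | SECBIT_KEEP_CAPS_LOCKED)

/* Count capabilities still in the bounding set; PR_CAPBSET_READ fails with
 * EINVAL past the last capability the running kernel knows, ending the loop. */
int bounding_set_size(void)
{
    int n = 0, r;
    for (unsigned long cap = 0; cap < 64 && (r = prctl(PR_CAPBSET_READ, cap, 0UL, 0UL, 0UL)) >= 0; cap++)
        n += r;
    return n;
}

/* Returns 0 on success, or -errno from the first step that fails. */
int lock_down(void)
{
    /* 1. Empty the bounding set. Needs CAP_SETPCAP, hence the setcap. */
    for (unsigned long cap = 0; cap < 64 && prctl(PR_CAPBSET_READ, cap, 0UL, 0UL, 0UL) >= 0; cap++)
        if (prctl(PR_CAPBSET_DROP, cap, 0UL, 0UL, 0UL) != 0)
            return -errno;
    /* 2. Lock the securebits; this also needs CAP_SETPCAP. */
    if (prctl(PR_SET_SECUREBITS, (unsigned long)LOCKDOWN_SECUREBITS, 0UL, 0UL, 0UL) != 0)
        return -errno;
    /* 3. Last, clear permitted/effective/inheritable, CAP_SETPCAP included. */
    struct __user_cap_header_struct hdr = { .version = _LINUX_CAPABILITY_VERSION_3, .pid = 0 };
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];
    memset(data, 0, sizeof data);
    return syscall(SYS_capset, &hdr, data) == 0 ? 0 : -errno;
}

int main(void)
{
    int rc = lock_down();   /* very first thing, before any untrusted input */
    printf("lock_down=%d bounding=%d\n", rc, bounding_set_size());
    return rc == 0 ? 0 : 1;
}
```

Run without CAP_SETPCAP, the first privileged step fails with EPERM and the function reports it, which is the case a deployment check should catch when the file capability was not applied to the binary.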

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.