Hi all,
I'm having certain difficulties to understand how cap_emulate_setxuid()
in kernel/sys.c is supposed to work. I have a program that needs
CAP_SYS_NICE in order to create realtime threads.
For security reasons, I don't want the program to run as the root user.
So, I initially start the program setuid-root, then set CAP_SYS_NICE,
then drop root privileges. In pseudo-C, the program looks like this:
prctl(PR_SET_KEEPCAPS, 1);
cap_set(CAP_SYS_NICE);
seteuid(getuid());
However, from looking at cap_emulate_setxuid() I learned that when
switching the effective uid != 0, current->cap_effective is cleared,
regardless the settings of current->keep_capabilities. Huh? How is this
supposed to work at all? It at least seems to be a little impractical.
When a program is started setuid-root, getuid() == real_user_id and
geteuid() == 0. So, how would I drop root privileges without switching
the effective user id away from 0? Is this a bug in
cap_emulate_setxuid() or am I missing something?
It seems that with the current implementation, cap_effective ==
cap_permitted is only true when the effective uid == 0? However, to
minimize security implications, I'd like the process to run with
real_uid == effective_uid so that e.g. plugins cannot switch the
effective uid back to 0 and do funny things on root-owned files.
Shouldn't this be possible with capabilities?
best regards,
Matthias
-- Matthias Welwarsky Fachschaft Informatik FH Darmstadt Email: matze@stud.fbi.fh-darmstadt.de"I bet the human brain is a kludge." -- Marvin Minsky - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Sun Oct 07 2001 - 21:00:37 EST