Re: disable-cap-mlock

[Andrew Morton]

Andrea Arcangeli <andrea@xxxxxxx> wrote:
>
> On Thu, Apr 01, 2004 at 05:59:14PM -0800, Chris Wright wrote:
> > * Andrew Morton (akpm@xxxxxxxx) wrote:
> > > Rumour has it that the more exhasperated among us are brewing up a patch to
> > > login.c which will allow capabilities to be retained after the setuid.  So
> > > you do
> > > 
> > > 	echo "oracle CAP_IPC_LOCK" > /etc/logincap.conf
> > > 
> > > And that's it.
> > > 
> > > See any reason why this won't work?
> > 
> > Looks ok, and sounds very similar to what pam_cap does.
> 
> just curious, how does this work through 'su'? Does su check
> logincap.conf too?

I guess so.

> I certainly agree this can be fully solved in userspace, though it won't
> be a few linear change in userspace and for the short term matter
> there's not much time left to change userspace. For the long term if we
> want to go with the userspace solution that's fine with me, I definitely
> agree with that.  For the very short term I'm not sure, but then I
> certainly cannot object if nothing is changed in the mainline kernel for
> this.

Well you have a local short-term solution...

One thing I was wondering was whether /proc/sys/vm/disable_cap_mlock should
hold a GID rather than a boolean.  So you do

	echo groupof oracle > /proc/sys/vm/disable_cap_mlock



-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/