Is CAP_SYS_ADMIN checked by every program !?

[Tetsuo Handa]

  Hello.

I found a strange behavior with kernel 2.6.9 and later. ( I haven't tested for 2.6.8 and earlier. )
It seems to me that every program calls capable(CAP_SYS_ADMIN),
even for programs such as cat(1) sed(1) ls(1).
My environment is Fedora Core 3.

The following is the patch for checking.

----- Start of Patch -----
*** sched.h.org Sat Dec 25 06:33:59 2004
--- sched.h     Wed Dec 29 13:00:53 2004
***************
*** 870,875 ****
--- 870,882 ----
  #else
  static inline int capable(int cap)
  {
+       if (cap == CAP_SYS_ADMIN) {
+               static pid_t last_pid = 0;
+               if (current->pid != last_pid) {
+                       printk("euid=%d uid=%d %s %s\n", current->euid, current->uid, cap_raised(current->cap_effective, CAP_SYS_ADMIN) ? "true" : "fa
lse", current->comm);
+                       last_pid = current->pid;
+               }
+       }
        if (cap_raised(current->cap_effective, cap)) {
                current->flags |= PF_SUPERPRIV;
                return 1;
----- End of Patch -----

Programs run as root always show "true", and run as non-root always show "false",
but it's will be OK.
I can't understand why every program checks for CAP_SYS_ADMIN .
With 2.4.28 and RedHat 9, no such behavior happens.

Is this normal behavior for 2.6 ?



I located .config at http://hp.vector.co.jp/authors/VA022513/tmp/config-2.6.10 .
(By the way, why not prepare ".config file keeper" like pgp.mit.edu ? I think it can save ML traffic. )



Regards.

-------
  Tetsuo Handa
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/