Re: [RFC] [PATCH] capset returns -EPERM when pid==current->pid
From: Chris Wright
Date: Tue Jan 04 2005 - 15:55:16 EST
* Serge E. Hallyn (serue@xxxxxxxxxx) wrote:
> In the current kernel/capability.c:sys_capset() code, permission is
> denied if CAP_SETPCAP is not held and pid is positive. pid=0 means use
> the current process, and this is allowed. But using the current
> process' pid is not allowed. The man page for capsetp simply says that
> CAP_SETPCAP is required to use this function, and does not mention the
> exception for pid=0.
>
> The current behavior seems inconsistent. The attached patch also
> allows a process to call capset() on itself. Does this seem reasonable?
Yes.
From: Serge E. Hallyn <serue@xxxxxxxxxx>
Signed-off-by: Chris Wright <chrisw@xxxxxxxx>
Index: linux-2.6.10-mm1/kernel/capability.c
===================================================================
--- linux-2.6.10-mm1.orig/kernel/capability.c 2005-01-04 11:51:21.000000000 -0600
+++ linux-2.6.10-mm1/kernel/capability.c 2005-01-04 11:52:58.000000000 -0600
@@ -147,7 +147,7 @@ asmlinkage long sys_capset(cap_user_head
if (get_user(pid, &header->pid))
return -EFAULT;
- if (pid && !capable(CAP_SETPCAP))
+ if (pid && pid != current->pid && !capable(CAP_SETPCAP))
return -EPERM;
if (copy_from_user(&effective, &data->effective, sizeof(effective)) ||
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/