Re: [PATCH v3] kernel: Conditionally support non-root users, groups and capabilities

From: Geert Uytterhoeven
Date: Sun Feb 08 2015 - 04:05:41 EST

Hi Iulia,

On Fri, Feb 6, 2015 at 2:10 PM, Iulia Manda <iulia.manda21@xxxxxxxxx> wrote:
> On 6 February 2015 at 02:03, Iulia Manda <iulia.manda21@xxxxxxxxx> wrote:
>> There are a lot of embedded systems that run most or all of their functionality
>> in init, running as root:root. For these systems, supporting multiple users is
>> not necessary.
>> This patch adds a new symbol, CONFIG_MULTIUSER, that makes support for non-root
>> users, non-root groups, and capabilities optional. It is enabled under
>> When this symbol is not defined, UID and GID are zero in any possible case
>> and processes always have all capabilities.
>> The following syscalls are compiled out: setuid, setregid, setgid,
>> setreuid, setresuid, getresuid, setresgid, getresgid, setgroups, getgroups,
>> setfsuid, setfsgid, capget, capset.
>> Also, groups.c is compiled out completely.
>> This change saves about 25 KB on a defconfig build.
>> The kernel was booted in Qemu. All the common functionalities work. Adding
>> users/groups is not possible, failing with -ENOSYS.
>> Bloat-o-meter output:
>> add/remove: 7/87 grow/shrink: 19/397 up/down: 1675/-26325 (-24650)
> Forgot to add:
> Signed-off-by: Iulia Manda <iulia.manda21@xxxxxxxxx>
> Reviewed-by: Josh Triplett <josh@xxxxxxxxxxxxxxxx>
>> ---
>> Changes since v2:
>> - rename symbol;
>> - make SECURITY dependent on MULTIUSER
> + make symbols depend on MULTIUSER instead of selecting it.

Thanks for the update!

Acked-by: Geert Uytterhoeven <geert@xxxxxxxxxxxxxx>



Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert@xxxxxxxxxxxxxx

In personal conversations with technical people, I call myself a hacker. But
when I'm talking to journalists I just say "programmer" or something like that.
-- Linus Torvalds
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at
Please read the FAQ at