Originally when a process set*uided all capabilities bits were cleared.
Then sometime later (wish BK went back 3 years), the behaviour was
modified according to the comment "A process may, via prctl(), elect to
keep its capabilites when it calls setuid() and switches away from
uid==0. Both permitted and effective sets will be retained."
The current behavior/implementation doesn't match the comment. Only
permitted capabilities are retained.
This patch against 2.4.18-3 (RHL7.3 kernel, should apply against stock)
fixes it. Now both permitted and effective capabilities are retained.
--- kernel/sys.c-org Wed May 8 01:20:37 2002
+++ kernel/sys.c Wed May 8 01:35:04 2002
@@ -482,7 +482,7 @@
cap_clear(current->cap_permitted);
cap_clear(current->cap_effective);
}
- if (old_euid == 0 && current->euid != 0) {
+ if ((old_euid == 0 && current->euid != 0) && !current->keep_capabilities) {
cap_clear(current->cap_effective);
}
if (old_euid != 0 && current->euid == 0) {
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Tue May 14 2002 - 12:00:08 EST