Re: [PATCH PLACEHOLDER 1/3] fs/exec: "always_unprivileged" patch

From: Linus Torvalds
Date: Thu Jan 12 2012 - 19:57:43 EST


On Thu, Jan 12, 2012 at 4:42 PM, Andrew Lutomirski <luto@xxxxxxx> wrote:
>
> That may prevent another use: set this new flag, chroot, drop
> privileges, accept network connections.  (The idea being that chroot
> might work unprivileged if this flag is set.)

Well, if you have privileges, then just do

    chroot();
    drop privileges

and if you depend on the new flag, then you do

    drop privileges
    set new flag
    chroot

and if you want to work either way then you just do

    error = chroot
    drop privileges
    set new flag
    if error
        chroot

which does the right thing regardless of whether you had privileges
and/or a new kernel or not.

In any of the three cases I don't see why you'd ever want to drop
privileges *after* setting the new flag.

Linus