Re: [RCF] [PATCH] unprivileged mount/umount

>I'm constantly getting lost in the maze of rules, on what exactly
>happens on setuid() etc, but I know that setuid() resets the
>capabilities as well.  What's the way of changing euid and suid back
>to ruid, and yet keeping some capabilities?

Plus, they keep changing as we try to strike the perfect balance between 
logical, flexible architecture and compatibility with other kernels.

That setuid() to nonzero removes all capabilities in addition to its 
essential function is a special case to ensure that old programs that mean 
to drop privileges by setting uid nonzero still do so.  Because it's an 
exception and not architecture, no other part of the kernel should rely on 
that for correctness.

As a practical matter, a process can use a prctl(SET_KEEPCAPS) system call 
to indicate that it's aware that uids and capabilities have nothing to do 
with each other, and thus a setuid() by that process doesn't do the 
special case.

Note that another way a process can end up with capabilities but euid 
nonzero is that another process did a capset() system call on it.

--
Bryan Henderson                          IBM Almaden Research Center
San Jose CA                              Filesystems
