• S
    don't raise all privs on setuid-root file with fE set (v2) · b5f22a59
    Serge E. Hallyn 提交于
    Distributions face a backward compatibility problem with starting to use
    file capabilities.  For instance, removing setuid root from ping and
    doing setcap cap_net_raw=pe means that booting with an older kernel
    or one compiled without file capabilities means ping won't work for
    non-root users.
    
    In order to replace the setuid root bit on a capability-unaware
    program, one has to set the effective, or legacy, file capability,
    which makes the capability effective immediately.  This patch
    uses the legacy bit as a queue to not automatically add full
    privilege to a setuid-root program.
    
    So, with this patch, an ordinary setuid-root program will run with
    privilege.  But if /bin/ping has both setuid-root and cap_net_raw in
    fP and fE, then ping (when run by non-root user) will not run
    with only cap_net_raw.
    
    Changelog:
    	Apr 2 2009: Print a message once when such a binary is loaded,
    		as per James Morris' suggestion.
    	Apr 2 2009: Fix the condition to only catch uid!=0 && euid==0.
    Signed-off-by: NSerge E. Hallyn <serue@us.ibm.com>
    Acked-by: NCasey Schaufler <casey@schaufler-ca.com>
    Signed-off-by: NJames Morris <jmorris@namei.org>
    b5f22a59
commoncap.c 27.0 KB