    capabilities: do not grant full privs for setuid w/ file caps + no effective caps · 4d49f671
    Zhi Li authored
    A task (when !SECURE_NOROOT) which executes a setuid-root binary will
    obtain root privileges while executing that binary.  If the binary also
    has effective capabilities set, then only those capabilities will be
    granted.  The rationale is that the same binary can carry both setuid-root
    and the minimal file capability set, so that on a filesystem not
    supporting file caps the binary can still be executed with privilege,
    while on a filesystem supporting file caps it will run with minimal
    privilege.
    
    This special case currently does NOT happen if there are file capabilities
    but no effective capabilities, even though capability-aware programs can very
    well start with empty pE but populated pP and move those caps to pE when
    needed.  In other words, if the file has file capabilities but NOT
    effective capabilities, then we should do the same thing as if there
    were file capabilities, and not grant full root privileges.
    
    This patchset does that.
    
    (Changelog by Serge Hallyn).
    Signed-off-by: Zhi Li <lizhi1215@gmail.com>
    Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
    Signed-off-by: James Morris <jmorris@namei.org>
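The pattern the message relies on, a capability-aware program that starts with pP populated and pE empty and raises a capability into pE only around the step that needs it, as an added example in C that is not part of this commit or of commoncap.c; it uses the raw capget/capset syscalls rather than libcap and assumes a Linux build host.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/capability.h>

/* Thread capability sets in the v3 capget/capset layout: header + 2 words per set. */
struct thread_caps {
    struct __user_cap_header_struct hdr;
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];
};

/* Read pE/pP/pI of the current thread. Returns 0 or -errno. */
static int caps_read(struct thread_caps *c) {
    memset(c, 0, sizeof *c);
    c->hdr.version = _LINUX_CAPABILITY_VERSION_3;
    c->hdr.pid = 0;                          /* 0 = calling thread */
    return syscall(SYS_capget, &c->hdr, c->data) == 0 ? 0 : -errno;
}

static int valid_cap(int cap) { return cap >= 0 && cap < 32 * _LINUX_CAPABILITY_U32S_3; }
static int cap_permitted(const struct thread_caps *c, int cap) {
    return valid_cap(cap) && ((c->data[cap >> 5].permitted >> (cap & 31)) & 1u);
}
static int cap_effective(const struct thread_caps *c, int cap) {
    return valid_cap(cap) && ((c->data[cap >> 5].effective >> (cap & 31)) & 1u);
}

/* Raise (on != 0) one capability from pP into pE, or lower it back out. pE must
 * stay a subset of pP, so a cap missing from pP is refused with -EPERM up front. */
static int set_effective(int cap, int on) {
    struct thread_caps c;
    int rc = caps_read(&c);
    if (rc) return rc;
    if (!valid_cap(cap)) return -EINVAL;
    if (on && !cap_permitted(&c, cap)) return -EPERM;
    if (on) c.data[cap >> 5].effective |=  1u << (cap & 31);
    else    c.data[cap >> 5].effective &= ~(1u << (cap & 31));
    return syscall(SYS_capset, &c.hdr, c.data) == 0 ? 0 : -errno;
}

int main(void) {
    /* Start with pE empty; raise only around the step that needs it, then lower. */
    int rc = set_effective(CAP_NET_BIND_SERVICE, 1);
    printf("raise CAP_NET_BIND_SERVICE: %s\n", rc ? strerror(-rc) : "ok");
    if (rc == 0) set_effective(CAP_NET_BIND_SERVICE, 0);
    return 0;
}
```

Run it once as an unprivileged user and once from a binary carrying `cap_net_bind_service=p` (no `e`): the first refuses with EPERM, the second raises and lowers the bit without ever holding it in pE outside the privileged step.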