Re: Linux capabilities shouldn't be lost during setuid to non-rootfrom root or to another non-root uid from a non-root uid.

[Serge E. Hallyn]

Quoting crocket (crockabiscuit@xxxxxxxxx):
> I have several questions.
> 
> 1) How do I set SECBIT_NO_SETUID_FIXUP?

prctl(PR_SET_SECUREBITS, SECBIT_NO_SETUID_FIXUP | SECBIT_NO_SETUID_FIXUP_LOCKED)

see capabilities(7) for details.

> 2) Is there any reason to unset SECBIT_NO_SETUID_FIXUP by default?

Yes, because it's what userspace expects.  If you prefer to run in
a full POSIX capabilities environment with unprivileged root, you
can have init set SECBIT_NO_SETUID_FIXUP and SECBIT_NOROOT and
tune userspace to do the right thing, but it's not trivial.

-serge
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/