* Capabilities question
@ 2003-02-27 18:38 Torsten Foertsch
0 siblings, 0 replies; only message in thread
From: Torsten Foertsch @ 2003-02-27 18:38 UTC (permalink / raw)
To: linux-kernel
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
what is the right way to get the current capability setting inherited through
execve()?
My goal is a wrapper program that sets the needed capabilities and then
execve()s the real program. These capabilities should also be inherited if
the real program spawns childs via fork/exec.
Is that possible?
I read the appropriate parts of fs/exec.c where
/*
* This function is used to produce the new IDs and capabilities
* from the old ones and the file's capabilities.
*
* The formula used for evolving capabilities is:
*
* pI' = pI
* (***) pP' = (fP & X) | (fI & pI)
* pE' = pP' & fE [NB. fE is 0 or ~0]
*
* I=Inheritable, P=Permitted, E=Effective // p=process, f=file
* ' indicates post-exec(), and X is the global 'cap_bset'.
*
*/
is implemented. The problem is that fP and fE are either 0 or ~0 depending on
the current uid or the uid of the file to be executed (if S_ISUID). Thus pP'
is only masked by cap_bset which is a global constant (0xfffffeff).
Torsten
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
iD8DBQE+XlsbwicyCTir8T4RAjaaAJ9dU8E0YWy1fBnf6OdIX0wr7aQQ2gCgwObJ
aSAxVyLvV0n4MN4E84VVERg=
=YE3a
-----END PGP SIGNATURE-----
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2003-02-27 18:29 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2003-02-27 18:38 Capabilities question Torsten Foertsch
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).