On Wed, Feb 25, 2015 at 02:25:19PM -0600, Christoph Lameter wrote:
> On Wed, 25 Feb 2015, Serge Hallyn wrote:
>
> > Yeah we could make this
>
> Well doing that breaks su.

Don't what exactly? You're saying that doing

pI' = pI
pA' = pA (pA is ambient)
pP' = (X & fP) | (pI & (fI | pA))
pE' = pP' & (fE | pA)

stopped su from having CAP_SETGID while

pI' = pI
pA' = pA (pA is ambient)
pP' = (X & fP) | (pI & (fI | pA))
pE' = pP' & fE

worked? I'll hope you're saying both "fail", in which case

> It's best to leave perm bits untouched.
>
> christoph@fujitsu-haswell:~$ su
> setgid: Operation not permitted

Did you initialize by running a program to fill your pI?

-serge
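As an added illustration (not part of the thread), here are the two exec transition rules quoted above as bitmask arithmetic, applied to a setuid-root su and to a binary with no file capabilities. The capability bit values and the model of setuid-root su as fP = fE = all caps are assumptions of the example, not kernel constants.

```python
# Constructed capability bits; not the kernel's numbering.
CAP_SETGID = 1 << 0
CAP_SETUID = 1 << 1
CAP_NET_BIND_SERVICE = 1 << 2
ALL_CAPS = CAP_SETGID | CAP_SETUID | CAP_NET_BIND_SERVICE


def exec_transition(pI, pA, X, fP, fI, fE, ambient_in_effective):
    """Return (pI', pA', pP', pE') after exec, per the rules in the mail.

    ambient_in_effective=True  -> pE' = pP' & (fE | pA)   (first rule)
    ambient_in_effective=False -> pE' = pP' & fE          (second rule)
    Both rules share pI' = pI, pA' = pA, pP' = (X & fP) | (pI & (fI | pA)).
    X is the bounding set.
    """
    new_pP = (X & fP) | (pI & (fI | pA))
    new_pE = new_pP & ((fE | pA) if ambient_in_effective else fE)
    return pI, pA, new_pP, new_pE


def su_has_setgid(pI, pA, ambient_in_effective):
    """Assumption: setuid-root su behaves like fP = fE = all caps, fI = 0."""
    _, _, _, pE = exec_transition(pI, pA, X=ALL_CAPS, fP=ALL_CAPS, fI=0,
                                  fE=ALL_CAPS,
                                  ambient_in_effective=ambient_in_effective)
    return bool(pE & CAP_SETGID)


def plain_binary_sets(pI, pA, ambient_in_effective):
    """A binary with no file caps (fP = fI = fE = 0): only pI & pA survives.

    Returns (pP', pE') so the two rules can be compared directly.
    """
    _, _, pP, pE = exec_transition(pI, pA, X=ALL_CAPS, fP=0, fI=0, fE=0,
                                   ambient_in_effective=ambient_in_effective)
    return pP, pE


if __name__ == "__main__":
    for rule in (True, False):
        print("ambient-in-effective" if rule else "effective from fE only")
        print("  su gets CAP_SETGID:", su_has_setgid(0, 0, rule))
        # Empty pI: ambient CAP_SETGID cannot reach pP' under either rule.
        print("  plain binary, empty pI:", plain_binary_sets(0, CAP_SETGID, rule))
        # pI filled: pP' keeps the cap; only the first rule puts it in pE'.
        print("  plain binary, pI filled:",
              plain_binary_sets(CAP_SETGID, CAP_SETGID, rule))
```

Under this model su keeps CAP_SETGID with either rule, and a binary without file caps only retains an ambient capability if pI already holds it, which is the point of the closing question.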