On Thursday, October 17, 2013 02:20:50 Al Viro wrote: > On Wed, Oct 16, 2013 at 06:18:16PM -0700, Eric W. Biederman wrote: > > That doesn't look bad but it does need capable(CAP_SETUID) && > > capable(CAP_SETGID) or possibly something a little more refined. > > D'oh > > > I don't think we want file descriptor passing to all of a sudden become > > a grant of privilege, beyond what the passed fd can do. > > Definitely. And an extra ) to make it compile wouldn't hurt either... Ok, I'll rework this, dropping the void arg etc. How about this: 1. have one arg, the fd, i.e. SYSCALL_DEFINE1(switch_cred, int, fd) 2. if the fd >=0 do the override in my "use the fd" variation. This would do the capability check after the valid fd check. This means that you must have privs to mess with privs. Returns 0 or either EBADF or EPERM 3. if the fd == -1 do the revert case. The reason for this is there are 4 syscalls needed to change the creds and each has an error return. We need a way to escape the damage and a revert to the real creds set is the best way to return to a known state. This does not require a capability check because all that can happen is to return to the immutable real set. Also, I don't need the initial open of /dev/null. Does this fit? Jim -- Jim Lieb Linux Systems Engineer Panasas Inc. "If ease of use was the only requirement, we would all be riding tricycles" - Douglas Engelbart 1925–2013 -- To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html