On Thu, 2013-02-07 at 12:09 +0100, David Henningsson wrote: > On 12/16/2012 09:38 AM, Tanu Kaskinen wrote: > > Does someone want to review this? > > > > > > On Thu, 2012-04-05 at 15:37 +0300, Tanu Kaskinen wrote: > >> Capability dropping when changing the user in the system > >> mode was previously implemented by calling > >> prctl(PR_SET_KEEPCAPS, 0), but that doesn't necessarily > >> work. It's possible that the KEEPCAPS flag is locked to 1, > >> in which case the prctl() call fails with EPERM (this > >> happens at least on Harmattan). This patch implements > >> explicit capability dropping after changing the user. > >> --- > >> src/daemon/caps.c | 27 +++++++++++++-------------- > >> src/daemon/caps.h | 2 ++ > >> src/daemon/main.c | 4 +++- > >> 3 files changed, 18 insertions(+), 15 deletions(-) > >> > >> diff --git a/src/daemon/caps.c b/src/daemon/caps.c > >> index 3759388..36b76a9 100644 > >> --- a/src/daemon/caps.c > >> +++ b/src/daemon/caps.c > >> @@ -36,10 +36,6 @@ > >> #include <sys/capability.h> > >> #endif > >> > >> -#ifdef HAVE_SYS_PRCTL_H > >> -#include <sys/prctl.h> > >> -#endif > >> - > >> #include "caps.h" > >> > >> /* Glibc <= 2.2 has broken unistd.h */ > >> @@ -78,17 +74,20 @@ void pa_drop_root(void) { > >> pa_assert_se(getegid() == gid); > >> #endif > >> > >> -#ifdef HAVE_SYS_PRCTL_H > >> - pa_assert_se(prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0) == 0); > >> -#endif > >> + if (uid != 0) > >> + pa_drop_caps(); > > Why should caps not be dropped if uid == 0? (The same check was there even before this patch.) I guess the reason why the caps are not dropped when running as root is because this function is called before switching to the pulse user in the system mode. If the caps were dropped here, switching the user would not be possible. The caps are dropped later (in change_user() in main.c) also for root, when running in the system mode. There is one case where the caps are never dropped: when running in the user mode as root. -- Tanu
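Review bot: in the pa_drop_root() hunk, the new guard `if (uid != 0) pa_drop_caps();` leaves a daemon started as root in user mode (where change_user() never runs) with its capabilities intact, which is exactly the case the thread itself identifies; if that is intended, say so in a comment at the guard, otherwise drop unconditionally here or in the non-system-mode path so that case is covered too. The removed `pa_assert_se(prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0) == 0);` at least failed loudly, and since `#include <sys/capability.h>` is only pulled in under an #ifdef, it is worth confirming that pa_drop_caps() asserts or reports failure rather than silently doing nothing in builds without libcap support.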
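The explicit capability dropping the patch argues for, shown as an added example that is not part of the PulseAudio patch or this thread: it clears the permitted, effective and inheritable sets through the raw capset(2) syscall (so it does not depend on libcap or on the KEEPCAPS flag being unlocked) and then re-reads them with capget(2) to verify nothing survived. The function name drop_all_caps() is an assumption of this example, not PulseAudio's pa_drop_caps().

```c
/* Explicit capability dropping via capset(2)/capget(2), Linux only.
 * Added example; not code from the PulseAudio patch under discussion. */
#include <linux/capability.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Clear all three capability sets of the calling thread and confirm the
 * result.  Lowering one's own capabilities is always permitted, so unlike
 * prctl(PR_SET_KEEPCAPS, 0) this cannot fail with EPERM because a
 * securebits lock is in place.  Returns 0 when every set is empty
 * afterwards, -1 otherwise. */
static int drop_all_caps(void) {
    struct __user_cap_header_struct hdr;
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];

    memset(&hdr, 0, sizeof hdr);
    hdr.version = _LINUX_CAPABILITY_VERSION_3;
    hdr.pid = 0;                    /* 0 selects the calling thread */
    memset(data, 0, sizeof data);   /* effective/permitted/inheritable = {} */

    if (syscall(SYS_capset, &hdr, data) != 0)
        perror("capset");           /* keep going: verification below decides */

    /* Poison the buffer so a failed capget cannot masquerade as "empty". */
    memset(data, 0xff, sizeof data);
    if (syscall(SYS_capget, &hdr, data) != 0) {
        perror("capget");
        return -1;
    }
    for (int i = 0; i < _LINUX_CAPABILITY_U32S_3; i++)
        if (data[i].effective || data[i].permitted || data[i].inheritable)
            return -1;              /* something survived the drop */
    return 0;
}

int main(void) {
    if (drop_all_caps() != 0) {
        fprintf(stderr, "capabilities still present after drop\n");
        return 1;
    }
    puts("all capability sets empty");
    return 0;
}
```

Run it as root (or with file capabilities) to see a non-empty set actually being cleared; as an unprivileged user the sets are normally empty already and the check simply confirms that.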