On 11/23/2012 08:23 PM, Andy Lutomirski wrote:
---
I'm not 100% sure this is appropriate for util-linux, but it seems useful. I've never written new programs for util-linux before, and I barely understand autotools. Feedback is welcome :)

+no_new_privs \- run program with new_new_privs set
+Sets the \fIno_new_privs\fP bit and then executes specified program. With +this bit set, +.BR execve (2) +will not grant new privileges. For example, the setuid +and setgid bits as well as file capabilities will not function. This bit +is inherited by child processes and cannot be unset. See +.BR prctl (2) +and +.IR Documentation/prctl/no_new_privs.txt +in the Linux kernel source.
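Review bot: typo in the NAME line, "+no_new_privs \- run program with new_new_privs set": "new_new_privs" should read "no_new_privs", the same name the description uses for the bit the program sets. In the DESCRIPTION, "then executes specified program" is missing an article and should be "then executes the specified program". The remaining description is consistent with prctl(2): the bit suppresses setuid/setgid and file capabilities on execve, is inherited by children, and cannot be cleared once set, so it is worth keeping that wording as is.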
Seems very useful, but a bit low-level for a user command. How about a prctl(1) command or equivalent that could accept that among other options to set? I also notice the similar capsh(1) program for doing so with capabilities. Perhaps these could be merged into a setpriv(1) command or something for tweaking all these knobs before exec?

cheers,
Pádraig.
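The wrapper being discussed, as an added example that is neither Andy's patch nor util-linux code: it sets the no_new_privs bit with prctl(PR_SET_NO_NEW_PRIVS), verifies it with PR_GET_NO_NEW_PRIVS, and execs the given program. It assumes a Linux kernel of 3.5 or later (where both prctl operations exist); the function names set_no_new_privs, get_no_new_privs and clear_attempt_rejected are this example's own. The clear_attempt_rejected helper demonstrates the "cannot be unset" property from the man page text: the kernel only accepts arg2 == 1 for PR_SET_NO_NEW_PRIVS, so any attempt to pass 0 fails with EINVAL and the bit stays set.

```c
/* nnp.c: minimal no_new_privs wrapper (added example, not util-linux code).
 * Assumes Linux >= 3.5 with PR_SET_NO_NEW_PRIVS / PR_GET_NO_NEW_PRIVS.
 * Build: cc -Wall -o nnp nnp.c */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>

/* Fallbacks for libc headers that predate the kernel feature. */
#ifndef PR_SET_NO_NEW_PRIVS
#define PR_SET_NO_NEW_PRIVS 38
#endif
#ifndef PR_GET_NO_NEW_PRIVS
#define PR_GET_NO_NEW_PRIVS 39
#endif

/* Set the no_new_privs bit on the calling process.
 * Returns 0 on success, -1 with errno set on failure (EINVAL on a kernel
 * without the feature). The kernel requires arg2 == 1 and arg3..arg5 == 0. */
int set_no_new_privs(void)
{
    return prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
}

/* Query the bit: 1 if set, 0 if clear, -1 on error. Because the bit is
 * inherited, a child can call this to confirm it was set by the wrapper. */
int get_no_new_privs(void)
{
    return prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
}

/* The bit is sticky: prctl(PR_SET_NO_NEW_PRIVS, 0, ...) is not a "clear"
 * but an invalid call, rejected with EINVAL, and the bit remains set.
 * Sets the bit, attempts the bogus clear, and returns 1 if the attempt was
 * rejected and the bit is still set; 0 otherwise. */
int clear_attempt_rejected(void)
{
    if (set_no_new_privs() != 0)
        return 0;
    if (prctl(PR_SET_NO_NEW_PRIVS, 0, 0, 0, 0) == 0)
        return 0;           /* kernel accepted a clear: should never happen */
    return errno == EINVAL && get_no_new_privs() == 1;
}

/* Usage: ./nnp PROGRAM [ARGS...]
 * Sets the bit, verifies it, then execs PROGRAM. Any setuid/setgid bit or
 * file capability on PROGRAM (or on anything PROGRAM later execs) is ignored,
 * so the whole subtree keeps the caller's uid, gid and capabilities. */
int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s PROGRAM [ARGS...]\n", argv[0]);
        return 2;
    }
    if (set_no_new_privs() != 0) {
        fprintf(stderr, "prctl(PR_SET_NO_NEW_PRIVS): %s\n", strerror(errno));
        return 1;
    }
    if (get_no_new_privs() != 1) {
        fprintf(stderr, "no_new_privs not reported as set; refusing to exec\n");
        return 1;
    }
    execvp(argv[1], &argv[1]);
    fprintf(stderr, "execvp %s: %s\n", argv[1], strerror(errno));
    return 127;
}
```

Once built, running a setuid-root program under it (`./nnp some-setuid-binary`) executes the binary with the caller's uid, so it fails at whatever privileged operation it attempts; on kernels from 4.10 on, `./nnp grep NoNewPrivs /proc/self/status` shows the inherited bit as `NoNewPrivs: 1`. The verify-before-exec step matters: a wrapper that execs without checking the bit would silently pass setuid binaries through on a kernel that rejected the prctl.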