diff options
author | Ondrej Zajicek <santiago@crfreenet.org> | 2011-05-15 16:29:44 +0200 |
---|---|---|
committer | Ondrej Zajicek <santiago@crfreenet.org> | 2011-05-15 16:29:44 +0200 |
commit | e8b89a610443f32b901801668cbae634e13f3e68 (patch) | |
tree | ee0f68cc90ad6df6c2d44fa8a9cca2fc449c0071 /sysdep/linux | |
parent | 1bc2695744c729804af32d48ce68854cba4de8f7 (diff) |
Update and document the privilege restriction.
Diffstat (limited to 'sysdep/linux')
-rw-r--r-- | sysdep/linux/syspriv.h | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/sysdep/linux/syspriv.h b/sysdep/linux/syspriv.h index bfe19ac3..b2cdde85 100644 --- a/sysdep/linux/syspriv.h +++ b/sysdep/linux/syspriv.h @@ -48,15 +48,20 @@ drop_uid(uid_t uid) CAP_TO_MASK(CAP_NET_ADMIN) | CAP_TO_MASK(CAP_NET_RAW); + /* change effective user ID to be able to switch to that + user ID completely after dropping CAP_SETUID */ if (seteuid(uid) < 0) die("seteuid: %m"); + /* restrict the capabilities */ if (set_capabilities(caps) < 0) die("capset: %m"); + /* keep the capabilities after dropping root ID */ if (prctl(PR_SET_KEEPCAPS, 1) < 0) die("prctl: %m"); + /* completely switch to the unprivileged user ID */ if (setresuid(uid, uid, uid) < 0) die("setresuid: %m"); } |