summaryrefslogtreecommitdiff
path: root/sysdep/linux/syspriv.h
diff options
context:
space:
mode:
Diffstat (limited to 'sysdep/linux/syspriv.h')
-rw-r--r--sysdep/linux/syspriv.h5
1 files changed, 5 insertions, 0 deletions
diff --git a/sysdep/linux/syspriv.h b/sysdep/linux/syspriv.h
index bfe19ac3..b2cdde85 100644
--- a/sysdep/linux/syspriv.h
+++ b/sysdep/linux/syspriv.h
@@ -48,15 +48,20 @@ drop_uid(uid_t uid)
CAP_TO_MASK(CAP_NET_ADMIN) |
CAP_TO_MASK(CAP_NET_RAW);
+ /* change effective user ID to be able to switch to that
+ user ID completely after dropping CAP_SETUID */
if (seteuid(uid) < 0)
die("seteuid: %m");
+ /* restrict the capabilities */
if (set_capabilities(caps) < 0)
die("capset: %m");
+ /* keep the capabilities after dropping root ID */
if (prctl(PR_SET_KEEPCAPS, 1) < 0)
die("prctl: %m");
+ /* completely switch to the unprivileged user ID */
if (setresuid(uid, uid, uid) < 0)
die("setresuid: %m");
}