diff options
author | Tom Gundersen <teg@jklm.no> | 2014-06-03 11:06:14 +0200 |
---|---|---|
committer | Tom Gundersen <teg@jklm.no> | 2014-06-03 11:35:29 +0200 |
commit | ed617ec21117874094ae7eeca978e2897da36ba5 (patch) | |
tree | b13a577add37a1972ae184716baf84992ac3880c /src/shared/capability.c | |
parent | 3d06f4183470d42361303086ed9dedd29c0ffc1b (diff) |
shared: allow drop_priviliges to drop all privs
Diffstat (limited to 'src/shared/capability.c')
-rw-r--r-- | src/shared/capability.c | 20 |
1 files changed, 11 insertions, 9 deletions
diff --git a/src/shared/capability.c b/src/shared/capability.c index 69e054b1ff..58270ad8cc 100644 --- a/src/shared/capability.c +++ b/src/shared/capability.c @@ -214,10 +214,10 @@ int capability_bounding_set_drop_usermode(uint64_t drop) { return r; } -int drop_privileges(uid_t uid, gid_t gid, uint64_t keep_capabilites) { +int drop_privileges(uid_t uid, gid_t gid, uint64_t keep_capabilities) { _cleanup_cap_free_ cap_t d = NULL; - cap_value_t bits[sizeof(keep_capabilites)*8]; + cap_value_t bits[sizeof(keep_capabilities)*8]; unsigned i, j = 0; int r; @@ -254,7 +254,7 @@ int drop_privileges(uid_t uid, gid_t gid, uint64_t keep_capabilites) { return -errno; } - r = capability_bounding_set_drop(~keep_capabilites, true); + r = capability_bounding_set_drop(~keep_capabilities, true); if (r < 0) { log_error("Failed to drop capabilities: %s", strerror(-r)); return r; @@ -264,14 +264,16 @@ int drop_privileges(uid_t uid, gid_t gid, uint64_t keep_capabilites) { if (!d) return log_oom(); - for (i = 0; i < sizeof(keep_capabilites)*8; i++) - if (keep_capabilites & (1ULL << i)) + for (i = 0; i < sizeof(keep_capabilities)*8; i++) + if (keep_capabilities & (1ULL << i)) bits[j++] = i; - if (cap_set_flag(d, CAP_EFFECTIVE, j, bits, CAP_SET) < 0 || - cap_set_flag(d, CAP_PERMITTED, j, bits, CAP_SET) < 0) { - log_error("Failed to enable capabilities bits: %m"); - return -errno; + if (keep_capabilities) { + if (cap_set_flag(d, CAP_EFFECTIVE, j, bits, CAP_SET) < 0 || + cap_set_flag(d, CAP_PERMITTED, j, bits, CAP_SET) < 0) { + log_error("Failed to enable capabilities bits: %m"); + return -errno; + } } if (cap_set_proc(d) < 0) { |