static int init_capabilities(void) { /* helper needs following capabilities only */ cap_value_t cap_list[] = { CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_FOWNER, CAP_FSETID, CAP_SETGID, CAP_MKNOD, CAP_SETUID, }; return do_cap_set(cap_list, ARRAY_SIZE(cap_list), 1); }
/* * from man 7 capabilities, section * Effect of User ID Changes on Capabilities: * 4. If the file system user ID is changed from 0 to nonzero (see setfsuid(2)) * then the following capabilities are cleared from the effective set: * CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_DAC_READ_SEARCH, CAP_FOWNER, CAP_FSETID, * CAP_LINUX_IMMUTABLE (since Linux 2.2.30), CAP_MAC_OVERRIDE, and CAP_MKNOD * (since Linux 2.2.30). If the file system UID is changed from nonzero to 0, * then any of these capabilities that are enabled in the permitted set * are enabled in the effective set. */ static int setfsugid(int uid, int gid) { /* * We still need DAC_OVERRIDE because we don't change * supplementary group ids, and hence may be subjected DAC rules */ cap_value_t cap_list[] = { CAP_DAC_OVERRIDE, }; setfsgid(gid); setfsuid(uid); if (uid != 0 || gid != 0) { return do_cap_set(cap_list, ARRAY_SIZE(cap_list), 0); } return 0; }
/* * from man 7 capabilities, section * Effect of User ID Changes on Capabilities: * If the effective user ID is changed from nonzero to 0, then the permitted * set is copied to the effective set. If the effective user ID is changed * from 0 to nonzero, then all capabilities are are cleared from the effective * set. * * The setfsuid/setfsgid man pages warn that changing the effective user ID may * expose the program to unwanted signals, but this is not true anymore: for an * unprivileged (without CAP_KILL) program to send a signal, the real or * effective user ID of the sending process must equal the real or saved user * ID of the target process. Even when dropping privileges, it is enough to * keep the saved UID to a "privileged" value and virtfs-proxy-helper won't * be exposed to signals. So just use setresuid/setresgid. */ static int setugid(int uid, int gid, int *suid, int *sgid) { int retval; /* * We still need DAC_OVERRIDE because we don't change * supplementary group ids, and hence may be subjected DAC rules */ cap_value_t cap_list[] = { CAP_DAC_OVERRIDE, }; *suid = geteuid(); *sgid = getegid(); if (setresgid(-1, gid, *sgid) == -1) { retval = -errno; goto err_out; } if (setresuid(-1, uid, *suid) == -1) { retval = -errno; goto err_sgid; } if (uid != 0 || gid != 0) { if (do_cap_set(cap_list, ARRAY_SIZE(cap_list), 0) < 0) { retval = -errno; goto err_suid; } } return 0; err_suid: if (setresuid(-1, *suid, *suid) == -1) { abort(); } err_sgid: if (setresgid(-1, *sgid, *sgid) == -1) { abort(); } err_out: return retval; }