tests: request CAP_DAC_OVERRIDE feature/linux-caps 285/head
authorVincent Bernat <vincent@bernat.im>
Sat, 16 Jun 2018 15:59:32 +0000 (17:59 +0200)
committerVincent Bernat <vincent@bernat.im>
Sat, 16 Jun 2018 16:01:19 +0000 (18:01 +0200)
CAP_FOWNER is for being able to use chown/chmod. The capability we
need in order to ignore file permissions is CAP_DAC_OVERRIDE. It is
quite a broad capability, unfortunately.

NEWS
src/daemon/priv.c

diff --git a/NEWS b/NEWS
index a08818398ed88cab829d3954603cc35ac75acd65..5c96aa612925c1bd7e62f60267ee2277d7b80c7b 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -1,9 +1,8 @@
 lldpd (1.0.2)
   * Changes:
     + On Linux, the monitor process will now drop its privileges
-      instead of running as root. It will keep CAP_NET_RAW and
-      CAP_NET_ADMIN capabilities. When SNMP support is enabled, it may
-      also require CAP_FOWNER.
+      instead of running as root. It will keep CAP_NET_RAW,
+      CAP_NET_ADMIN and CAP_DAC_OVERRIDE capabilities.
 
 lldpd (1.0.1)
   * Fix:
index 96a40729bf255faa4c6119a73459b8cea5aee488..2b28bbd6947455af8d3414e8b0b6e793c5562bfb 100644 (file)
@@ -630,10 +630,10 @@ priv_caps(uid_t uid, gid_t gid)
 #ifdef HAVE_LINUX_CAPABILITIES
        cap_t caps;
        const char *caps_strings[2] = {
-               "cap_fowner,cap_net_raw,cap_net_admin,cap_setuid,cap_setgid=pe",
-               "cap_fowner,cap_net_raw,cap_net_admin=pe"
+               "cap_dac_override,cap_net_raw,cap_net_admin,cap_setuid,cap_setgid=pe",
+               "cap_dac_override,cap_net_raw,cap_net_admin=pe"
        };
-       log_debug("privsep", "getting CAP_NET_RAW/ADMIN and CAP_FOWNER privilege");
+       log_debug("privsep", "getting CAP_NET_RAW/ADMIN and CAP_DAC_OVERRIDE privilege");
        if (!(caps = cap_from_text(caps_strings[0])))
                fatal("privsep", "unable to convert caps");
        if (cap_set_proc(caps) == -1) {
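Review bot: `caps_strings[1]` keeps `cap_dac_override` in both the permitted and effective sets (`=pe`), so after the switch the monitor can bypass file read, write and execute permission checks on any path, and nothing in the hunk records which file operations need that. A comment above the array would make the grant auditable, for example `/* CAP_DAC_OVERRIDE: needed for <operation> on <path>; bypasses all DAC file permission checks */`, with the placeholders filled in by the author. If only a few calls need it, it may be possible to hold the capability in the permitted set alone and raise it in the effective set around those calls, or to use the narrower `CAP_DAC_READ_SEARCH` if read access is all that is required; the visible lines do not show enough to decide. priv_caps() begins before the hunk and continues after it.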