From: Timo Rothenpieler <timo@rothenpieler.org>
Date: Wed, 18 Jan 2023 14:24:28 +0000 (+0100)
Subject: Don't clear capability bounding set on capng_change_id
X-Git-Tag: v2.6.0~9
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=99a098e13a427e72ade5ef2812b7ea342ea64aa6;p=thirdparty%2Fopenvpn.git

Don't clear capability bounding set on capng_change_id

The bounding set being empty will overpower the likes of su/sudo
and will make it impossible for any child processes to ever gain
additional privileges again.

Github: fixes OpenVPN/openvpn#220

Signed-off-by: Timo Rothenpieler <timo@rothenpieler.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230118142428.162-1-timo@rothenpieler.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26048.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit d8523119b95db55d2c101b8364ce7e9d0d0f6f3a)
---

diff --git a/src/openvpn/platform.c b/src/openvpn/platform.c
index 1b5fa9ad3..580c4cb8f 100644
--- a/src/openvpn/platform.c
+++ b/src/openvpn/platform.c
@@ -246,7 +246,7 @@ platform_user_group_set(const struct platform_state_user *user_state,
     /* Change to new UID/GID.
      * capng_change_id() internally calls capng_apply() to apply prepared capabilities.
      */
-    res = capng_change_id(new_uid, new_gid, CAPNG_DROP_SUPP_GRP | CAPNG_CLEAR_BOUNDING);
+    res = capng_change_id(new_uid, new_gid, CAPNG_DROP_SUPP_GRP);
     if (res == -4 || res == -6)
     {
         /* -4 and -6 mean failure of setuid/gid respectively.