From: Vincent Bernat Date: Sat, 16 Jun 2018 15:59:32 +0000 (+0200) Subject: tests: request CAP_DAC_OVERRIDE X-Git-Tag: 1.0.2~16^2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=refs%2Fheads%2Ffeature%2Flinux-caps;p=thirdparty%2Flldpd.git tests: request CAP_DAC_OVERRIDE CAP_FOWNER is for being able to use chown/chmod. The permission we need to ignore permissions is CAP_DAC_OVERRIDE. It is quite a large permission, unfortunately.
---
diff --git a/NEWS b/NEWS
index a0881839..5c96aa61 100644
--- a/NEWS
+++ b/NEWS
@@ -1,9 +1,8 @@
 lldpd (1.0.2)
 * Changes:
 + On Linux, the monitor process will now drop its privileges
- instead of running as root. It will keep CAP_NET_RAW and
- CAP_NET_ADMIN capabilities. When SNMP support is enabled, it may
- also require CAP_FOWNER.
+ instead of running as root. It will keep CAP_NET_RAW,
+ CAP_NET_ADMIN and CAP_DAC_OVERRIDE capabilities.
 lldpd (1.0.1)
 * Fix:
diff --git a/src/daemon/priv.c b/src/daemon/priv.c
index 96a40729..2b28bbd6 100644
--- a/src/daemon/priv.c
+++ b/src/daemon/priv.c
@@ -630,10 +630,10 @@ priv_caps(uid_t uid, gid_t gid)
 #ifdef HAVE_LINUX_CAPABILITIES
 cap_t caps;
 const char *caps_strings[2] = {
- "cap_fowner,cap_net_raw,cap_net_admin,cap_setuid,cap_setgid=pe",
- "cap_fowner,cap_net_raw,cap_net_admin=pe"
+ "cap_dac_override,cap_net_raw,cap_net_admin,cap_setuid,cap_setgid=pe",
+ "cap_dac_override,cap_net_raw,cap_net_admin=pe"
 };
- log_debug("privsep", "getting CAP_NET_RAW/ADMIN and CAP_FOWNER privilege");
+ log_debug("privsep", "getting CAP_NET_RAW/ADMIN and CAP_DAC_OVERRIDE privilege");
 if (!(caps = cap_from_text(caps_strings[0])))
 fatal("privsep", "unable to convert caps");
 if (cap_set_proc(caps) == -1) {
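Review bot: `cap_dac_override` is added to both entries of `caps_strings` with `=pe`, so the monitor holds it as permitted and effective in both capability sets, and it bypasses file read, write and execute permission checks on every path the monitor touches. The NEWS text being replaced tied the old `cap_fowner` to SNMP support and the subject line points at the tests, so it is worth checking whether the second string (presumably the set kept after the uid/gid change) can carry it only in builds that need it, or whether `cap_dac_read_search` would be enough if only reads have to pass. At minimum, record the reason next to the array, e.g. `/* cap_dac_override: <operation that needs it>; bypasses DAC checks, keep this list minimal */`. The body of `priv_caps` continues outside the hunk, so how `caps_strings[1]` is applied is not visible here.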