From 3136d7ab93debe8243d0ede280c706665ed05e29 Mon Sep 17 00:00:00 2001
From: Vincent Bernat
Date: Sat, 16 Jun 2018 17:59:32 +0200
Subject: [PATCH] tests: request CAP_DAC_OVERRIDE
CAP_FOWNER is for being able to use chown/chmod. The permission we need to ignore permissions is CAP_DAC_OVERRIDE. It is quite a large permission, unfortunately.
---
 NEWS | 5 ++---
 src/daemon/priv.c | 6 +++---
 2 files changed, 5 insertions(+), 6 deletions(-)
diff --git a/NEWS b/NEWS
index a0881839..5c96aa61 100644
--- a/NEWS
+++ b/NEWS
@@ -1,9 +1,8 @@
 lldpd (1.0.2)
 * Changes:
 + On Linux, the monitor process will now drop its privileges
- instead of running as root. It will keep CAP_NET_RAW and
- CAP_NET_ADMIN capabilities. When SNMP support is enabled, it may
- also require CAP_FOWNER.
+ instead of running as root. It will keep CAP_NET_RAW,
+ CAP_NET_ADMIN and CAP_DAC_OVERRIDE capabilities.
 lldpd (1.0.1)
 * Fix:
diff --git a/src/daemon/priv.c b/src/daemon/priv.c
index 96a40729..2b28bbd6 100644
--- a/src/daemon/priv.c
+++ b/src/daemon/priv.c
@@ -630,10 +630,10 @@ priv_caps(uid_t uid, gid_t gid)
 #ifdef HAVE_LINUX_CAPABILITIES
 cap_t caps;
 const char *caps_strings[2] = {
- "cap_fowner,cap_net_raw,cap_net_admin,cap_setuid,cap_setgid=pe",
- "cap_fowner,cap_net_raw,cap_net_admin=pe"
+ "cap_dac_override,cap_net_raw,cap_net_admin,cap_setuid,cap_setgid=pe",
+ "cap_dac_override,cap_net_raw,cap_net_admin=pe"
 };
- log_debug("privsep", "getting CAP_NET_RAW/ADMIN and CAP_FOWNER privilege");
+ log_debug("privsep", "getting CAP_NET_RAW/ADMIN and CAP_DAC_OVERRIDE privilege");
 if (!(caps = cap_from_text(caps_strings[0])))
 fatal("privsep", "unable to convert caps");
 if (cap_set_proc(caps) == -1) {
-- 
2.39.5
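Review bot: Both strings in `caps_strings` put `cap_dac_override` into the effective set (`=pe`), so after this change the monitor bypasses file read, write and execute permission checks for its whole lifetime, which gives back much of what dropping root was meant to remove. The commit message already calls the capability large; which file operations actually need it is not visible in this hunk, so treat the following as something to check rather than a confirmed fix. Consider keeping it permitted-only in the second (post-setuid) string, `"cap_dac_override=p cap_net_raw,cap_net_admin=pe"`, and raising it into the effective set with `cap_set_flag()`/`cap_set_proc()` only around the accesses that need it. The removed NEWS text tied the old capability to SNMP support, so it may also be possible to request it only in builds with SNMP enabled. A short comment above `caps_strings` naming the operation that requires the override would help later audits; `priv_caps()` continues past the end of the hunk.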