From ed617ec21117874094ae7eeca978e2897da36ba5 Mon Sep 17 00:00:00 2001 From: Tom Gundersen Date: Tue, 3 Jun 2014 11:06:14 +0200 Subject: [PATCH] shared: allow drop_priviliges to drop all privs --- src/shared/capability.c | 20 +++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/src/shared/capability.c b/src/shared/capability.c index 69e054b1f..58270ad8c 100644 --- a/src/shared/capability.c +++ b/src/shared/capability.c @@ -214,10 +214,10 @@ int capability_bounding_set_drop_usermode(uint64_t drop) { return r; } -int drop_privileges(uid_t uid, gid_t gid, uint64_t keep_capabilites) { +int drop_privileges(uid_t uid, gid_t gid, uint64_t keep_capabilities) { _cleanup_cap_free_ cap_t d = NULL; - cap_value_t bits[sizeof(keep_capabilites)*8]; + cap_value_t bits[sizeof(keep_capabilities)*8]; unsigned i, j = 0; int r; @@ -254,7 +254,7 @@ int drop_privileges(uid_t uid, gid_t gid, uint64_t keep_capabilites) { return -errno; } - r = capability_bounding_set_drop(~keep_capabilites, true); + r = capability_bounding_set_drop(~keep_capabilities, true); if (r < 0) { log_error("Failed to drop capabilities: %s", strerror(-r)); return r; @@ -264,14 +264,16 @@ int drop_privileges(uid_t uid, gid_t gid, uint64_t keep_capabilites) { if (!d) return log_oom(); - for (i = 0; i < sizeof(keep_capabilites)*8; i++) - if (keep_capabilites & (1ULL << i)) + for (i = 0; i < sizeof(keep_capabilities)*8; i++) + if (keep_capabilities & (1ULL << i)) bits[j++] = i; - if (cap_set_flag(d, CAP_EFFECTIVE, j, bits, CAP_SET) < 0 || - cap_set_flag(d, CAP_PERMITTED, j, bits, CAP_SET) < 0) { - log_error("Failed to enable capabilities bits: %m"); - return -errno; + if (keep_capabilities) { + if (cap_set_flag(d, CAP_EFFECTIVE, j, bits, CAP_SET) < 0 || + cap_set_flag(d, CAP_PERMITTED, j, bits, CAP_SET) < 0) { + log_error("Failed to enable capabilities bits: %m"); + return -errno; + } } if (cap_set_proc(d) < 0) { -- 2.30.2