RepoMirrors/selinux
1
0
Fork 0
mirror of https://github.com/SELinuxProject/selinux synced 2025-02-28 07:20:30 +00:00
Code Issues Packages Projects Releases Wiki Activity

policycoreutils: newrole: do not drop capabilities when newrole is run as root

Browse Source 
If you run newrole as root and it drops capabilities, the next shell
script does not have any capabilities and can not function.

newrole -L TopSecret

Would end up with a root shell and no capabilities.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
This commit is contained in:
Dan Walsh 2011-10-04 08:33:41 -04:00 committed by Eric Paris
parent d46e88abb6
commit e23c73a167
1 changed files with 3 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
policycoreutils/newrole/newrole.c
View File

@ -543,14 +543,14 @@ static int restore_environment(int preserve_environment,
#if defined(AUDIT_LOG_PRIV) && !defined(NAMESPACE_PRIV)
static int drop_capabilities(int full)
{
uid_t uid = getuid();
if (!uid) return 0;
capng_setpid(getpid());
capng_clear(CAPNG_SELECT_BOTH);
if (capng_lock() < 0)
return -1;
uid_t uid = getuid();
if (!uid) return 0;
/* Change uid */
if (setresuid(uid, uid, uid)) {
fprintf(stderr, _("Error changing uid, aborting.\n"));