From: Josh Triplett <josh@joshtriplett.org>
To: Andrew Morton <akpm@linux-foundation.org>,
Andy Lutomirski <luto@amacapital.net>,
"Eric W. Biederman" <ebiederm@xmission.com>,
Kees Cook <keescook@chromium.org>,
mtk.manpages@gmail.com, linux-api@vger.kernel.org,
linux-man@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCHv2 manpages] getgroups.2: Document unprivileged setgroups calls
Date: Sat, 15 Nov 2014 13:03:02 -0800
Message-ID: <20141115210302.GA22941@thin>
In-Reply-To: <3ccec8a13019b5e8ce7b1d7889677b778b070dc8.1416085112.git.josh@joshtriplett.org>
Signed-off-by: Josh Triplett <josh@joshtriplett.org>
---
v2: Document requirement for no_new_privs.
(If this doesn't end up going into 3.18, the version number in the patch will
need updating.)
man2/getgroups.2 | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/man2/getgroups.2 b/man2/getgroups.2
index 373c204..3f3d330 100644
--- a/man2/getgroups.2
+++ b/man2/getgroups.2
@@ -81,9 +81,11 @@ to be used in a further call to
.PP
.BR setgroups ()
sets the supplementary group IDs for the calling process.
-Appropriate privileges (Linux: the
+As of Linux 3.18, any process that has enabled PR_SET_NO_NEW_PRIVS may drop
+supplementary groups, but may not add new groups. Adding groups, or making any
+change at all without no_new_privs enabled, requires the
.B CAP_SETGID
-capability) are required.
+capability.
The
.I size
argument specifies the number of supplementary group IDs
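Review bot: the added sentences name the same condition two ways, PR_SET_NO_NEW_PRIVS and then no_new_privs, and both are set in plain roman text, unlike CAP_SETGID just below, which gets its own .B line. Suggest using one name throughout, marking it up as ".B PR_SET_NO_NEW_PRIVS", and pointing the reader to ".BR prctl (2)", since this page does not otherwise explain how the flag is enabled. The second added sentence also folds two separate rules into one clause (adding groups always needs CAP_SETGID; any change without the flag needs it too); splitting it into two sentences would make the privilege boundary easier to read. The diffstat shows this is the only hunk, so any other place on the page that describes the privilege needed for setgroups() would still carry the old wording and should be checked against the new rule.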
--
2.1.3