From mboxrd@z Thu Jan 1 00:00:00 1970 From: Andy Lutomirski Subject: Re: [PATCH] capabilities: Ambient capability set V1 Date: Mon, 23 Feb 2015 15:51:33 -0800 Message-ID: References: Mime-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Return-path: In-Reply-To: Sender: linux-security-module-owner@vger.kernel.org To: Christoph Lameter Cc: Jarkko Sakkinen , Ted Ts'o , "linux-kernel@vger.kernel.org" , "Andrew G. Morgan" , Andrew Morton , LSM List , Michael Kerrisk , Linux API , Mimi Zohar , Austin S Hemmelgarn , Aaron Jones , Serge Hallyn , Markku Savela , Jonathan Corbet List-Id: linux-api@vger.kernel.org On Feb 23, 2015 8:41 AM, "Christoph Lameter" wrote: > > On Mon, 23 Feb 2015, Andy Lutomirski wrote: > > > If you set ambient caps and then run a setuid program (without > > no_new_privs), then the ambient set *must* be cleared by the kernel > > because that's what the setuid program expects. Yes, the whole > > Why would a setuid program expect that? I'd say we expect the ambient set > to remain in effect. What would break if the ambient set would stay > active? > On a total guess: exim, sendmail, sudo, Apache suexec, etc. Basically anything that expects setresuid(nonzero values); execve to drop caps. I haven't checked how many of the examples above actually do this. --Andy