Problem understanding cap_emulate_setxuid()

[Matthias Welwarsky <matthias.welwarsky@frontsite.de>]

Hi all,

I'm having certain difficulties to understand how cap_emulate_setxuid()
in kernel/sys.c is supposed to work. I have a program that needs
CAP_SYS_NICE in order to create realtime threads.

For security reasons, I don't want the program to run as the root user.
So, I initially start the program setuid-root, then set CAP_SYS_NICE,
then drop root privileges. In pseudo-C, the program looks like this:

prctl(PR_SET_KEEPCAPS, 1);
cap_set(CAP_SYS_NICE);
seteuid(getuid());

However, from looking at cap_emulate_setxuid() I learned that when
switching the effective uid != 0, current->cap_effective is cleared,
regardless the settings of current->keep_capabilities. Huh? How is this
supposed to work at all? It at least seems to be a little impractical.

When a program is started setuid-root, getuid() == real_user_id and
geteuid() == 0. So, how would I drop root privileges without switching
the effective user id away from 0? Is this a bug in
cap_emulate_setxuid() or am I missing something?

It seems that with the current implementation, cap_effective ==
cap_permitted is only true when the effective uid == 0? However, to
minimize security implications, I'd like the process to run with
real_uid == effective_uid so that e.g. plugins cannot switch the
effective uid back to 0 and do funny things on root-owned files.
Shouldn't this be possible with capabilities?

best regards,
    Matthias

--
Matthias Welwarsky
Fachschaft Informatik FH Darmstadt
Email: matze@stud.fbi.fh-darmstadt.de

"I bet the human brain is a kludge."
                -- Marvin Minsky