<html>
    <head>
      <base href="https://bugs.freedesktop.org/" />
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - drop_privileges fails with -EPERM"
   href="https://bugs.freedesktop.org/show_bug.cgi?id=88898">88898</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>drop_privileges fails with -EPERM
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>systemd
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>unspecified
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>Other
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>medium
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>general
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>systemd-bugs@lists.freedesktop.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>mustrumr97@gmail.com
          </td>
        </tr>

        <tr>
          <th>QA Contact</th>
          <td>systemd-bugs@lists.freedesktop.org
          </td>
        </tr></table>
      <p>
        <div>
        <pre>systemd-resolved fails to start:
Failed to drop capabilities: Operation not permitted

Broken in f11943c53ec181829a821c6b27acf828bab71caa.

Drop all capabilities:
1. prctl(PR_SET_KEEPCAPS, keep_capabilities != 0) // 0 when we drop all
capabilities
2. setresuid() // bye bye capabilities
3. Add CAP_SETPCAP // fails because we have no capabilities
4. Reduce capability bounding set
5. Drop capabilities
6. prctl(PR_SET_KEEPCAPS, 0)

Capabilities should always be kept after setresuid() so that the capability
bounding set can be reduced.

--- a/src/shared/capability.c
+++ b/src/shared/capability.c
@@ -249,7 +249,7 @@ int drop_privileges(uid_t uid, gid_t gid, uint64_t
keep_capabilities) {
                 return log_error_errno(errno, "Failed to drop auxiliary groups
list: %m");

         /* Ensure we keep the permitted caps across the setresuid(), if we
need them */
-        if (prctl(PR_SET_KEEPCAPS, keep_capabilities != 0) < 0)
+        if (prctl(PR_SET_KEEPCAPS, 1) < 0)
                 return log_error_errno(errno, "Failed to enable keep
capabilities flag: %m");

         r = setresuid(uid, uid, uid);</pre>
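Review bot: the comment just above the changed line still says "if we need them", which no longer matches the unconditional `prctl(PR_SET_KEEPCAPS, 1)`; reword it to say permitted caps are kept across setresuid() in every case because CAP_SETPCAP is needed afterwards to reduce the bounding set. Since the permitted set now survives the uid change even when keep_capabilities is 0, steps 5 and 6 from the description (drop capabilities, prctl(PR_SET_KEEPCAPS, 0)) carry the whole responsibility for ending with an empty set, so confirm in the surrounding code that the final drop still runs when the bounding-set reduction fails, rather than returning early with the full permitted set intact.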
        </div>
      </p>
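The six-step sequence from the report, reimplemented as an added C example (hypothetical code, not systemd's capability.c) using raw capget/capset syscalls and the patch's unconditional PR_SET_KEEPCAPS; the function name, the raw-syscall helpers and the error handling are assumptions. It needs a process that still holds CAP_SETPCAP after the uid change; run unprivileged it returns -EPERM at step 3, which is the failure the report describes.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/capability.h>
/* Raw capget/capset wrappers (no libcap); d[0] covers caps 0-31, d[1] caps 32-63. */
static int caps_get(struct __user_cap_data_struct d[2]) {
    struct __user_cap_header_struct h = { _LINUX_CAPABILITY_VERSION_3, 0 };
    return syscall(SYS_capget, &h, d) < 0 ? -errno : 0;
}
static int caps_set(struct __user_cap_data_struct d[2]) {
    struct __user_cap_header_struct h = { _LINUX_CAPABILITY_VERSION_3, 0 };
    return syscall(SYS_capset, &h, d) < 0 ? -errno : 0;
}

/* Hypothetical reimplementation of the report's sequence: keep permitted caps across
 * setresuid() unconditionally, use CAP_SETPCAP to shrink the bounding set, then drop to `keep`. */
int drop_privileges_keepcaps(uid_t uid, gid_t gid, uint64_t keep) {
    struct __user_cap_data_struct d[2];
    int r;
    /* 1. Always keep permitted caps across the uid change (the patch's fix, no longer conditional). */
    if (prctl(PR_SET_KEEPCAPS, 1) < 0) return -errno;
    /* 2. Change ids; the kernel clears the effective set here but keeps permitted thanks to step 1. */
    if (setresgid(gid, gid, gid) < 0 || setresuid(uid, uid, uid) < 0) { r = -errno; goto out; }
    /* 3. Raise CAP_SETPCAP into the effective set; only possible if it survived step 2. */
    if ((r = caps_get(d)) < 0) goto out;
    if (!(d[0].permitted & (1u << CAP_SETPCAP))) { r = -EPERM; goto out; }
    d[0].effective |= 1u << CAP_SETPCAP;
    if ((r = caps_set(d)) < 0) goto out;
    /* 4. Reduce the bounding set to `keep`, so no later exec can regain anything else. */
    for (int c = 0; c <= CAP_LAST_CAP; c++)
        if (!(keep & (UINT64_C(1) << c)) && prctl(PR_CAPBSET_DROP, c) < 0 && errno != EINVAL) { r = -errno; goto out; }
    /* 5. Drop permitted and effective to exactly `keep`; lowering needs no privilege. */
    d[0].effective = d[0].permitted = (uint32_t)keep;
    d[1].effective = d[1].permitted = (uint32_t)(keep >> 32);
    d[0].inheritable = d[1].inheritable = 0;
    r = caps_set(d);
out:
    /* 6. Stop keeping caps across future uid changes, whichever path got us here. */
    prctl(PR_SET_KEEPCAPS, 0);
    return r;
}

int main(void) {
    int r = drop_privileges_keepcaps(getuid(), getgid(), 0); /* drop everything */
    printf("drop_privileges_keepcaps returned %d (0 = ok, negative = -errno)\n", r);
    return r < 0;
}
```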
    </body>
</html>