[systemd-bugs] [Bug 68434] New: CAP_SYS_MODULE cannot be dropped at boot

[bugzilla-daemon at freedesktop.org]

https://bugs.freedesktop.org/show_bug.cgi?id=68434

          Priority: medium
            Bug ID: 68434
          Assignee: systemd-bugs at lists.freedesktop.org
           Summary: CAP_SYS_MODULE cannot be dropped at boot
        QA Contact: systemd-bugs at lists.freedesktop.org
          Severity: normal
    Classification: Unclassified
                OS: Linux (All)
          Reporter: matteo.sasso at gmail.com
          Hardware: All
            Status: NEW
           Version: unspecified
         Component: general
           Product: systemd

At boot, init drops its own capabilities and usermode helpers' according to the
CapabilityBoundingSet option in systemd/system.conf. Unfortunately, to modify
files in /proc/sys/kernel/usermodehelper you need CAP_SYS_MODULE: if you don't
include CAP_SYS_MODULE in the bounding set, boot fails with "Failed to drop
capability bounding set of usermode helpers".

I think being able to drop CAP_SYS_MODULE is one of the most useful uses of
that option. To fix this, capabilities should be dropped in reverse order:
first those of usermodehelper, then those of systemd's init.

It should be a trivial change to main.c (just search for the error message and
you'll see what I mean).

-- 
You are receiving this mail because:
You are the QA Contact for the bug.
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freedesktop.org/archives/systemd-bugs/attachments/20130822/7891a848/attachment.html>