[systemd-bugs] [Bug 88898] New: drop_privileges fails with -EPERM
bugzilla-daemon at freedesktop.org
Sun Feb 1 06:21:09 PST 2015
https://bugs.freedesktop.org/show_bug.cgi?id=88898
Bug ID: 88898
Summary: drop_privileges fails with -EPERM
Product: systemd
Version: unspecified
Hardware: Other
OS: All
Status: NEW
Severity: normal
Priority: medium
Component: general
Assignee: systemd-bugs at lists.freedesktop.org
Reporter: mustrumr97 at gmail.com
QA Contact: systemd-bugs at lists.freedesktop.org
systemd-resolved fails to start:
Failed to drop capabilities: Operation not permitted
Broken in f11943c53ec181829a821c6b27acf828bab71caa.
Drop all capabilities:
1. prctl(PR_SET_KEEPCAPS, keep_capabilities != 0) // 0 when we drop all capabilities
2. setresuid() // bye bye capabilities
3. Add CAP_SETPCAP // fails because we have no capabilities
4. Reduce capability bounding set
5. Drop capabilities
6. prctl(PR_SET_KEEPCAPS, 0)
Capabilities should always be kept after setresuid() so that the capability
bounding set can be reduced.
--- a/src/shared/capability.c
+++ b/src/shared/capability.c
@@ -249,7 +249,7 @@ int drop_privileges(uid_t uid, gid_t gid, uint64_t
keep_capabilities) {
return log_error_errno(errno, "Failed to drop auxiliary groups
list: %m");
/* Ensure we keep the permitted caps across the setresuid(), if we
need them */
- if (prctl(PR_SET_KEEPCAPS, keep_capabilities != 0) < 0)
+ if (prctl(PR_SET_KEEPCAPS, 1) < 0)
return log_error_errno(errno, "Failed to enable keep
capabilities flag: %m");
r = setresuid(uid, uid, uid);
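Review bot: The comment above the changed prctl() call still says "if we need them", but with the argument hard-coded to 1 the flag is now set unconditionally, so the comment no longer describes the code. Reword it to state why the permitted set is kept even when keep_capabilities is 0 (the steps after setresuid() need it), otherwise the next reader is likely to restore the conditional. Because keep_capabilities no longer gates this call, the final narrowing of the capability sets and the clearing of PR_SET_KEEPCAPS rest entirely on code outside this hunk; please confirm both still happen on every path when keep_capabilities is 0.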
--
You are receiving this mail because:
You are the QA Contact for the bug.
You are the assignee for the bug.
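The six steps in the report can be traced with a small model of the credential rules from capabilities(7). This is an added example, not systemd or kernel code; the struct, the `model_*` functions and the `ALL_CAPS` constant are constructed for illustration, and the three UIDs are collapsed into one.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model of the rules in capabilities(7); not systemd or kernel code. */
#define CAP_SETPCAP_BIT          (UINT64_C(1) << 8)   /* CAP_SETPCAP = 8 */
#define CAP_NET_BIND_SERVICE_BIT (UINT64_C(1) << 10)  /* CAP_NET_BIND_SERVICE = 10 */
#define ALL_CAPS                 ((UINT64_C(1) << 38) - 1) /* constructed: root's full set */

struct creds {
    unsigned uid;                  /* real, effective and saved UID collapsed into one */
    uint64_t permitted, effective;
    int keepcaps;                  /* the PR_SET_KEEPCAPS flag */
};

/* Leaving UID 0 always clears the effective set; permitted survives only with keepcaps. */
static void model_setresuid(struct creds *c, unsigned uid) {
    if (c->uid == 0 && uid != 0) {
        c->effective = 0;
        if (!c->keepcaps)
            c->permitted = 0;
    }
    c->uid = uid;
}

/* capset(): permitted may only shrink, and effective must be a subset of it. */
static int model_capset(struct creds *c, uint64_t permitted, uint64_t effective) {
    if ((permitted & ~c->permitted) || (effective & ~permitted))
        return -EPERM;
    c->permitted = permitted;
    c->effective = effective;
    return 0;
}

/* Steps 1-6 of the report; always_keep = 0 is the reported behaviour, 1 the proposed patch.
 * Step 4 (bounding set) is not modelled; it needs the CAP_SETPCAP that step 3 raises. */
static int model_drop_privileges(unsigned uid, uint64_t keep, int always_keep, struct creds *out) {
    struct creds c = { 0, ALL_CAPS, ALL_CAPS, always_keep || keep != 0 }; /* step 1 */
    model_setresuid(&c, uid);                                       /* step 2 */
    if (model_capset(&c, c.permitted, keep | CAP_SETPCAP_BIT) < 0)  /* step 3 */
        return -EPERM;
    if (model_capset(&c, keep, keep) < 0)                           /* step 5 */
        return -EPERM;
    c.keepcaps = 0;                                                 /* step 6 */
    *out = c;
    return 0;
}
int main(void) {
    struct creds c;
    printf("reported: %d\n", model_drop_privileges(1000, 0, 0, &c));
    printf("patched:  %d\n", model_drop_privileges(1000, 0, 1, &c));
    return 0;
}
```

With a non-zero keep mask the reported behaviour already sets the flag, which is why only the drop-everything case hits -EPERM.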