void daemon_switch_ugid(struct daemon_params *dp)
{
#ifdef CONFIG_UCW_CAPABILITIES
+ /*
+ * We play with capabilities only if we switch the user.
+ * If we don't switch the user, the chance is we run as normal
+ * user to start with and we could fail setting the capabilities.
+ */
+ bool want_caps = dp->want_setgid || dp->want_setuid;
// If we want to preserve some caps across UID switch, keep all first, to avoid having to set them twice.
- if (dp->keep_caps && prctl(PR_SET_KEEPCAPS, 1L) < 0)
+ if (want_caps && dp->keep_caps && prctl(PR_SET_KEEPCAPS, 1L) < 0)
die("Can not keep caps: %m");
#endif
if (dp->want_setgid && setresgid(dp->run_as_gid, dp->run_as_gid, dp->run_as_gid) < 0)
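Review bot: The added `want_caps` flag tests whether a UID/GID switch was requested, not whether the process is privileged, so a daemon started as root with `keep_caps` set but neither `want_setuid` nor `want_setgid` now skips the capability block in the second hunk (`if (want_caps && dp->keep_caps)`) as well as the `prctl` call here. In that configuration the process presumably keeps root's full capability set, and the configured restriction is silently ignored. If the aim is only to avoid failing for an unprivileged start, as the new comment says, consider keying on privilege instead, e.g. `bool want_caps = dp->want_setgid || dp->want_setuid || geteuid() == 0;`. Otherwise state in the comment that `keep_caps` has no effect without a user switch. The capability block opened in the second hunk continues outside the visible lines, so what it does with `caps` cannot be checked from here.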
if (dp->want_setuid && setresuid(dp->run_as_uid, dp->run_as_uid, dp->run_as_uid) < 0)
die("Cannot set UID to %d: %m", (int) dp->run_as_uid);
#ifdef CONFIG_UCW_CAPABILITIES
- if (dp->keep_caps)
+ if (want_caps && dp->keep_caps)
{
cap_t caps = cap_init();
if (cap_clear(caps) < 0)