From: Michal 'vorner' Vaner <vorner@vorner.cz>
Date: Sun, 6 Jul 2014 09:19:07 +0000 (+0200)
Subject: Don't set capabilities when not switching user
X-Git-Url: http://mj.ucw.cz/gitweb/?a=commitdiff_plain;h=refs%2Fheads%2Fdev-caps;p=libucw.git

Don't set capabilities when not switching user
---

diff --git a/ucw/daemon.c b/ucw/daemon.c
index f74e0372..41b54838 100644
--- a/ucw/daemon.c
+++ b/ucw/daemon.c
@@ -85,8 +85,14 @@ daemon_resolve_ugid(struct daemon_params *dp)
 void daemon_switch_ugid(struct daemon_params *dp)
 {
 #ifdef CONFIG_UCW_CAPABILITIES
+  /*
+   * We play with capabilities only if we switch the user.
+   * If we don't switch the user, the chance is we run as normal
+   * user to start with and we could fail setting the capabilities.
+   */
+  bool want_caps = dp->want_setgid || dp->want_setuid;
   // If we want to preserve some caps across UID switch, keep all first, to avoid having to set them twice.
-  if (dp->keep_caps && prctl(PR_SET_KEEPCAPS, 1L) < 0)
+  if (want_caps && dp->keep_caps && prctl(PR_SET_KEEPCAPS, 1L) < 0)
     die("Can not keep caps: %m");
 #endif
   if (dp->want_setgid && setresgid(dp->run_as_gid, dp->run_as_gid, dp->run_as_gid) < 0)
@@ -96,7 +102,7 @@ void daemon_switch_ugid(struct daemon_params *dp)
   if (dp->want_setuid && setresuid(dp->run_as_uid, dp->run_as_uid, dp->run_as_uid) < 0)
     die("Cannot set UID to %d: %m", (int) dp->run_as_uid);
 #ifdef CONFIG_UCW_CAPABILITIES
-  if (dp->keep_caps)
+  if (want_caps && dp->keep_caps)
   {
     cap_t caps = cap_init();
     if (cap_clear(caps) < 0)