Let us return to path_resolution.2...
> Von: Andries Brouwer <Andries.Brouwer@cwi.nl>
> Betreff: Re: ***UNCHECKED*** man-pages-2.11
> Datum: Mon, 24 Oct 2005 20:43:42 +0200
>
> On Mon, Oct 24, 2005 at 05:27:56PM +0200, Michael Kerrisk wrote:
>
> > PS I changed some text in path_rolution.2, where it seems to
> > me that you made an error. But I could be wrong -- you
> > might like to double check it?
>
> Hmm, I think it was precisely correct and no longer is.
>
> I see some change in wording that does not actually change anything,
> and the addition of "as well" that may be incorrect.
Let's begin with a diff:
=====
--- man-pages-2.10/man2/path_resolution.2 2005-07-18 18:17:52.000000000 +0200
+++ man-pages-2.11/man2/path_resolution.2 2005-10-24 13:18:13.000000000 +0200
@@ -185,11 +185,13 @@
Traditional systems do not use capabilities and root (user ID 0) is
all-powerful. Such systems are presently (2.6.7) handled by giving root
-all capabilities except for CAP_SETPCAP. More precisely, at exec time
-a process gets all capabilities except CAP_SETPCAP and the five capabilities
+all capabilities except for CAP_SETPCAP. More precisely,
+a process gets all capabilities except CAP_SETPCAP
+and the five capabilities
CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_DAC_READ_SEARCH, CAP_FOWNER, CAP_FSETID,
-in case it has zero effective UID, and it gets these last five capabilities
-in case it has zero fsuid, while all other processes get no capabilities.
+if its effective UID is 0,
+and it gets these last five capabilities if its fsuid is 0 as well,
+while all other processes get no capabilities.
The CAP_DAC_OVERRIDE capability overrides all permission checking,
but will only grant execute permission when at least one
====
The main points of change are the following:
1. Removal of discussion of "exec time".
2. Addition of "as well".
I'll start with point 2. I'm wrong. I had it in my mind that
fsuid could only be made 0 if euid was already 0. But that isn't
true; setfsuid(x) allows us to turn this (somewhat unusual, but
theoretically possible scenario):
Real Eff Saved FS
0 y y y
into this (setfsuid() allows us to set the fsuid to any of the R/E/S
UID values):
Real Eff Saved FS
0 y y 0
And indeed the process then has the 5 CAP_FS_MASK capabilities,
in its effective set, but none of the others.
I've removed the words "as well".
On to point 1.
I removed "exec time" because it seems misleading. As far as I can
tell, exec is not directly relevant, except in as much as we exec
a set-user-ID-root program. The real point is that effective
capabilities are dropped as a result of changes to the euid and
fsuid. Those can happen because we exec a set-user-ID-root program,
or via manipulations via seteuid(), setfsuid(), and friends.
As such, that change still seems to me to be correct. But
perhaps I have still missed something that you were trying to
say. If so, let me know.
Cheers,
Michael
Michael Kerrisk