validity test in cap_set_proc(), POSIX.1e 25.4.15.2

Andrew Morgan morgan at transmeta.com
Wed Dec 5 18:00:22 GMT 2001


Casey Schaufler wrote:
> You may wish to have a case where you need an effective capability
> to do an exec(), perhaps CAP_DAC_OVERRIDE, but explicitly don't
> want it in the permitted set of the resulting program. In this
> case you would raise CAP_DAC_OVERRIDE to effective, and clear it
> from permitted. You can't clear the permitted set while leaving
> any effective in your scheme.

I guess I'm a little confused by this comment.

The rules explicitly don't inherit the pP or pE sets through an exec.
(It's only pI, fP, fI that are used in determining the capabilities of the
exec'd process). Perhaps you are indicating that pI might get a bit
raised simultaneously with it being lowered in pP?

Cheers

Andrew
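
Added example, not part of the original message or of any POSIX.1e or kernel code: a small C model of the exec rule discussed above, showing that pre-exec pP and pE do not reach the exec'd process while pI does. The bit values, struct and function names are hypothetical, and the formula (including the use of an fE set and the omission of any bounding set) is an assumption based on the commonly documented rule, since the message names only pI, fP and fI.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed bit positions for illustration only; not real capability numbers. */
#define CAP_DAC_OVERRIDE_BIT (1u << 1)
#define CAP_NET_BIND_BIT     (1u << 10)

struct proc_caps { uint32_t pI, pP, pE; };  /* process sets */
struct file_caps { uint32_t fI, fP, fE; };  /* file sets */

/* Assumed exec rule (simplified):
 *   pI' = pI;  pP' = fP | (fI & pI);  pE' = pP' & fE
 * The old pP and pE never appear on the right-hand side. */
struct proc_caps exec_transform(struct proc_caps p, struct file_caps f)
{
    struct proc_caps n;
    n.pI = p.pI;
    n.pP = f.fP | (f.fI & p.pI);
    n.pE = n.pP & f.fE;
    return n;
}

static int same(struct proc_caps a, struct proc_caps b)
{
    return a.pI == b.pI && a.pP == b.pP && a.pE == b.pE;
}

/* Returns 1 if differing pre-exec pP/pE values give identical post-exec sets. */
int pp_pe_irrelevant(void)
{
    struct file_caps f = { CAP_DAC_OVERRIDE_BIT, CAP_NET_BIND_BIT, ~0u };
    struct proc_caps usual  = { 0, CAP_DAC_OVERRIDE_BIT, CAP_DAC_OVERRIDE_BIT };
    /* The quoted scenario: bit raised in pE, cleared from pP. */
    struct proc_caps quoted = { 0, 0, CAP_DAC_OVERRIDE_BIT };
    return same(exec_transform(usual, f), exec_transform(quoted, f));
}

/* Returns 1 if raising the bit in pI changes the exec'd process's pP. */
int pi_matters(void)
{
    struct file_caps f = { CAP_DAC_OVERRIDE_BIT, CAP_NET_BIND_BIT, ~0u };
    struct proc_caps without = { 0, 0, CAP_DAC_OVERRIDE_BIT };
    struct proc_caps with    = { CAP_DAC_OVERRIDE_BIT, 0, CAP_DAC_OVERRIDE_BIT };
    return (exec_transform(without, f).pP & CAP_DAC_OVERRIDE_BIT) == 0
        && (exec_transform(with, f).pP & CAP_DAC_OVERRIDE_BIT) != 0;
}

int main(void)
{
    printf("pP/pE irrelevant: %d, pI matters: %d\n", pp_pe_irrelevant(), pi_matters());
    return 0;
}
```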
