Re: POSIX capabilities patch
On Tue, Nov 11, 2003 at 07:11:47PM -0700, Hans Fugal wrote:
> In order to get realtime capabilities, jackd can be run with a suid
> wrapper (jackstart), instead of being run as root, if the following
> patch is applied to the kernel:
>
> --- capability.h.old 2003-11-11 19:57:49.000000000 -0700
> +++ capability.h 2003-11-11 19:56:55.000000000 -0700
> @@ -303,8 +303,8 @@
>
> #define CAP_EMPTY_SET to_cap_t(0)
> #define CAP_FULL_SET to_cap_t(~0)
> -#define CAP_INIT_EFF_SET to_cap_t(~0&~CAP_TO_MASK(CAP_SETPCAP))
> -#define CAP_INIT_INH_SET to_cap_t(0)
> +#define CAP_INIT_EFF_SET to_cap_t(~0)
> +#define CAP_INIT_INH_SET to_cap_t(~0)
>
> #define CAP_TO_MASK(x) (1 << (x))
> #define cap_raise(c, flag) (cap_t(c) |= CAP_TO_MASK(flag))
>
> Would it be inappropriate to create a kernel-patch package for this
> patch? What should I call it? (I'm thinking kernel-patch-rtcap or
> kernel-patch-capability)
I would want considerably more information on the security implications
of allowing CAP_SETPCAP than either of those documents provides, if I
were you.
The POSIX capability code is notoriously subtle and prone to anger.
--
Daniel Jacobowitz
MontaVista Software Debian GNU/Linux Developer
Reply to: