File protection mystery

Hal Murray hmurray at
Wed Jan 3 05:26:40 UTC 2018

>> Anybody understand setcap?
> Alas, I've never used it.  

I think I've figured out what is going on.

The capabilities on a file are OR-ed in to what you start with.  Thus if you 
run it as non-root, you get the specified capabilities.  If you run it as 
root, you start with root's capabilities.

I'm currently experimenting with starting it via runuser.  It's working well 
enough to find a few more capabilities that are needed.

To clean things up, the droproot area needs some work.  The current setup 
needs -u ntp:ntp to drop the privileges only needed during initialization, 
and the setuid/setgid needs more privileges.  I think we can hack it to skip 
the setuid/setgid part if it is already running as ntp:ntp.  Better would be 
to drop privs if it was started as ntp:ntp without requiring -u ntp:ntp on 
the command line.

These are my opinions.  I hate spam.
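
Added example, not part of the original message or the project's code: a small C model of the execve() capability transformation documented in capabilities(7), run for the two cases the message describes (the binary started as an unprivileged user and as root). The capability set on the file, uid 123, the 41-capability width, and all function and struct names are assumptions made for illustration; set-user-ID binaries and securebits are not modelled.

```c
#include <stdint.h>
#include <stdio.h>
#define BIT(n)      (UINT64_C(1) << (n))  /* n = CAP_* number in <linux/capability.h> */
#define M_SETGID    BIT(6)
#define M_SETUID    BIT(7)
#define M_NET_BIND  BIT(10)   /* CAP_NET_BIND_SERVICE */
#define M_SYS_TIME  BIT(25)   /* CAP_SYS_TIME */
#define FULL_SET    (BIT(41) - 1)  /* assumption: 41 capabilities defined */

struct proc  { int ruid, euid; uint64_t inh, perm, eff, bnd, amb; };
struct fcaps { uint64_t inh, perm; int eff; };  /* what setcap stores */

/* Capability sets after execve(); set-user-ID files and securebits not modelled. */
struct proc exec_caps(struct proc p, struct fcaps f)
{
    struct proc n = p;
    int privileged = (f.inh | f.perm) != 0;  /* file carries capabilities */
    if (p.ruid == 0 || p.euid == 0) f.inh = f.perm = FULL_SET;  /* root: all ones */
    if (p.euid == 0) f.eff = 1;
    n.amb  = privileged ? 0 : p.amb;
    n.perm = (p.inh & f.inh) | (f.perm & p.bnd) | n.amb;
    n.eff  = f.eff ? n.perm : n.amb;
    return n;
}

/* setuid()/setgid() to another identity need both of these to be effective. */
int can_switch_ids(struct proc p)
{
    return (p.eff & (M_SETUID | M_SETGID)) == (M_SETUID | M_SETGID);
}

/* Constructed file capability set: cap_sys_time,cap_net_bind_service+ep */
static const struct fcaps DAEMON_FILE = { 0, M_SYS_TIME | M_NET_BIND, 1 };

/* Exec the daemon as root (uid 0) or as an unprivileged uid with empty sets. */
struct proc run_daemon(int uid)
{
    uint64_t own = uid == 0 ? FULL_SET : 0;
    struct proc p = { uid, uid, 0, own, own, FULL_SET, 0 };
    return exec_caps(p, DAEMON_FILE);
}

int main(void)
{
    struct proc a = run_daemon(123), b = run_daemon(0);  /* 123: constructed ntp uid */
    printf("ntp:  permitted=%#llx can_switch_ids=%d\n", (unsigned long long)a.perm, can_switch_ids(a));
    printf("root: permitted=%#llx can_switch_ids=%d\n", (unsigned long long)b.perm, can_switch_ids(b));
    return 0;
}
```

In the unprivileged case the process ends up with only the two file capabilities, so a later setuid/setgid step has no CAP_SETUID or CAP_SETGID to work with unless it is skipped or those capabilities are added to the file.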
