Nothing is running with root privileges (unless root is executing it).
The SUID bit on the wrapper is just a marker and does not change the
effective uid of the process. Also, AFAIK, you can't pass capabilities
from one program to another using exec(). I don't completely
understand this stuff yet but fs/exec.c has these lines in the
prepare_binprm() function:
cap_clear(bprm->cap_inheritable);
cap_clear(bprm->cap_permitted);
cap_clear(bprm->cap_effective);
Capabilities are only raised if bprm->e_uid == 0. So, unless I'm
misunderstand the code, you can't do the same thing with a SUID wrapper.
Thanks for you're comments.
Neil
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/