On Tue, Nov 11, 2003 at 07:11:47PM -0700, Hans Fugal wrote: > In order to get realtime capabilities, jackd can be run with a suid > wrapper (jackstart), instead of being run as root, if the following > patch is applied to the kernel: > > --- capability.h.old 2003-11-11 19:57:49.000000000 -0700 > +++ capability.h 2003-11-11 19:56:55.000000000 -0700 > @@ -303,8 +303,8 @@ > > #define CAP_EMPTY_SET to_cap_t(0) > #define CAP_FULL_SET to_cap_t(~0) > -#define CAP_INIT_EFF_SET to_cap_t(~0&~CAP_TO_MASK(CAP_SETPCAP)) > -#define CAP_INIT_INH_SET to_cap_t(0) > +#define CAP_INIT_EFF_SET to_cap_t(~0) > +#define CAP_INIT_INH_SET to_cap_t(~0) > > #define CAP_TO_MASK(x) (1 << (x)) > #define cap_raise(c, flag) (cap_t(c) |= CAP_TO_MASK(flag)) > > Would it be inappropriate to create a kernel-patch package for this > patch? What should I call it? (I'm thinking kernel-patch-rtcap or > kernel-patch-capability)
I would want considerably more information on the security implications of allowing CAP_SETPCAP than either of those documents provides, if I were you. The POSIX capability code is notoriously subtle and prone to anger. -- Daniel Jacobowitz MontaVista Software Debian GNU/Linux Developer
