Adam ENDRODI <[EMAIL PROTECTED]> writes:
> -- Problem 3: I'd like to grant or revoke capabilities to/from
> a running process.
>
> This seems to be the easiest, except that the kernel in the
> default configuration doesn't permit this (cap_bound doesn't
> contain CAP_SETPCAP which is requirement of a succesful
> capset() where the target is not the current process.
>
> The simplies workaround would be to set CAP_SETPCAT in
> cap_bound (requires to recompile the kernel, for cap_bset
> cannot be extended by anyone except pid == 1 (init)).
> However, I don't see clearly the implications this
> modification would cause, and I don't really want to risk
> it.
I did this some time ago with a simple wrapper script around init:
---8<--cut here---
#! /bin/sh
if test $$ -eq 1; then
mount /proc
echo -1 >/proc/sys/kernel/cap-bound
fi
exec /sbin/init.bin "$@"
---cut here-->8---
Regards, Olaf.
