On Tue, Nov 28, 2006, Nadav Har'El wrote about "Re: How to bind privileged ports in a non-root process?":
> > 1. Starting as a root process.
> > 2. Eliminating all but the needed capabilities with capset(2) (or
> > whatever higher-level function there is -- they're undocumented on my
> > system)
> > 3. Making the system keep capabilities upon seteuid by calling
> > prctl(2) with PR_SET_KEEPCAPS.
> > 4. seteuid(2) and exec(3) your Java thing.
>
> This is what I wanted to do, but from some online documentation I got the
> feeling that while this was *supposed* to work, it doesn't actually work on
> modern kernels because capabilities were never actually implemented or exec()
> resets them, or god knows what. Does anyone have any experience with this?

According to http://www.madore.org/~david/linux/newcaps/#crippled
unfortunately I remembered correctly: exec() causes all capabilities to
be dropped (when non-root), which makes them absolutely worthless for most
situations (including mine).

Too bad...

--
Nadav Har'El                        | Tuesday, Nov 28 2006, 7 Kislev 5767
[EMAIL PROTECTED]                   |-----------------------------------------
Phone +972-523-790466, ICQ 13349191 |Why aren't fishmongers generous? Their
http://nadav.harel.org.il           |business makes them selfish.
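
The following is an added example, not part of the original message or of any project's code. It models the capability transformation that execve(2) applies, as documented in capabilities(7), to show why steps 1-4 above leave a non-root process with an empty effective set after exec of a plain binary. It goes beyond the 2006 thread by including file capabilities (Linux 2.6.24) and ambient capabilities (Linux 4.3); the struct and function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

#define CAP_NET_BIND_SERVICE 10            /* value from <linux/capability.h> */
#define CAP_BIT(n) (UINT64_C(1) << (n))

/* Capability sets of a thread (hypothetical struct for this example). */
struct proc_caps { uint64_t inheritable, permitted, effective, ambient, bounding; };

/* Capabilities attached to the executed file; all zero when it has none. */
struct file_caps { uint64_t inheritable, permitted; int effective_bit; };

/* Transformation applied at execve(2), following capabilities(7).
 * euid_root: the caller's effective UID is 0 and SECBIT_NOROOT is not set.
 * Simplification: set-user-ID/set-group-ID binaries are not modelled. */
struct proc_caps caps_after_exec(struct proc_caps p, struct file_caps f, int euid_root)
{
    struct proc_caps n = p;
    int privileged_file = f.inheritable || f.permitted || f.effective_bit;

    if (euid_root) {                       /* root: file sets count as all ones */
        f.inheritable = f.permitted = ~UINT64_C(0);
        f.effective_bit = 1;
    }
    n.ambient     = privileged_file ? 0 : p.ambient;
    n.permitted   = (p.inheritable & f.inheritable) | (f.permitted & p.bounding) | n.ambient;
    n.effective   = f.effective_bit ? n.permitted : n.ambient;
    n.inheritable = p.inheritable;         /* unchanged across exec */
    return n;
}

/* State after steps 1-4 of the thread: non-root, only CAP_NET_BIND_SERVICE kept. */
static struct proc_caps dropped_privs(uint64_t ambient)
{
    uint64_t c = CAP_BIT(CAP_NET_BIND_SERVICE);
    struct proc_caps p = { c, c, c, ambient, ~UINT64_C(0) };
    return p;
}

int main(void)
{
    struct file_caps plain = { 0, 0, 0 };  /* binary without file capabilities */
    struct proc_caps a = caps_after_exec(dropped_privs(0), plain, 0);
    struct proc_caps b = caps_after_exec(dropped_privs(CAP_BIT(CAP_NET_BIND_SERVICE)), plain, 0);
    printf("plain binary, no ambient:   effective=%#llx\n", (unsigned long long)a.effective);
    printf("plain binary, with ambient: effective=%#llx\n", (unsigned long long)b.effective);
    return 0;
}
```

On a live system the same result can be checked by comparing the CapInh, CapPrm and CapEff lines of /proc/<pid>/status before and after the exec.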