Forget about this patch. The bug section in "man mlock" tells me that it's a kernel bug. It seems prctl can't remove the bug.
On Tue, Apr 12, 2011 at 5:23 AM, crocket <crockabisc...@gmail.com> wrote: > diff -Naur a/init.c b/init.c > --- a/init.c 2010-11-05 04:29:02.000000000 +0900 > +++ b/init.c 2011-04-12 05:11:43.540370471 +0900 > @@ -41,6 +41,10 @@ > > #include "occ-inline.h" > > +#ifdef TARGET_LINUX > +#include <sys/prctl.h> > +#endif > + > static struct context *static_context; /* GLOBAL */ > > /* > @@ -904,6 +908,10 @@ > if (no_delay) > { > set_group (&c0->group_state); > +#ifdef TARGET_LINUX > + if(prctl(PR_SET_KEEPCAPS, 1) < 0) > + msg (M_ERR, "prctl(PR_SET_KEEPCAPS, 1) failed"); > +#endif > set_user (&c0->user_state); > c0->uid_gid_set = true; > } > > The patch is above. > I had been investigating why OpenVPN refused to use CAP_IPC_LOCK capability. > I found out that it was because OpenVPN invoked setuid and setuid > erased POSIX capabilities. > prctl(PR_SET_KEEPCAPS, 1) lets OpenVPN keep capabilities after setuid > invocation. > > Thanks in advance for considering this patch. >
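Review bot: style point on the first hunk (the new `#include <sys/prctl.h>` block): `<sys/prctl.h>` is a system header, so it would sit more naturally with the other system includes than after the project's own `occ-inline.h`; the `#ifdef TARGET_LINUX` guard itself is right, since prctl(2) is Linux-only, and it matches the guard around the call site in the second hunk.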
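Review bot: the second hunk's `prctl(PR_SET_KEEPCAPS, 1)` before `set_user (&c0->user_state)` does not by itself give OpenVPN CAP_IPC_LOCK afterwards: the flag preserves the permitted set across the UID change, but the kernel clears the effective set whenever the effective UID goes from 0 to non-zero, so after `set_user` the capability still has to be raised back into the effective set with capset(2) (or libcap's cap_set_proc). It also keeps every permitted capability, not only CAP_IPC_LOCK, which weakens the privilege drop that `set_user` exists for; the same capset step should shrink the permitted set to the one capability needed, followed by `prctl(PR_SET_KEEPCAPS, 0)`. Minor: `if(prctl(` should read `if (prctl (` to match the `set_group (...)` style around it. If `set_user` is also reached on a path other than the `no_delay` branch visible here, that path needs the same treatment.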
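The quoted message says that `prctl(PR_SET_KEEPCAPS, 1)` lets a process keep its capabilities across setuid. The part it leaves out is that Linux keeps only the permitted set; the effective set is cleared when the effective UID leaves 0, so the capability must be raised again with capset(2), and a careful privilege drop also throws away every capability except the one still needed. The program below is an added example written for this thread, not OpenVPN code: it uses the raw capget/capset syscalls so it needs no libcap, and the function names, the `nobody`-style uid/gid 65534 and the use of CAP_IPC_LOCK as the retained capability are this example's own assumptions.

```c
/* Added example (not OpenVPN code): keep exactly one capability across a
 * root -> unprivileged UID change.  Linux only.  Uses raw capget/capset so it
 * builds without libcap.  All function names are this example's own. */
#define _GNU_SOURCE
#include <grp.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>
#include <linux/capability.h>

/* Read the calling thread's capability sets.  capget works unprivileged. */
static int read_caps(struct __user_cap_data_struct data[2])
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    memset(data, 0, 2 * sizeof(data[0]));
    return (int) syscall(SYS_capget, &hdr, data);
}

/* Step 1: ask the kernel to keep the PERMITTED set across setuid().
 * Note: only the permitted set survives; the effective set is still cleared
 * when the effective UID goes from 0 to non-zero. */
static int keep_caps_across_setuid(void)
{
    return prctl(PR_SET_KEEPCAPS, 1);
}

/* Step 3: shrink the permitted set to at most `cap` and raise that one
 * capability back into the effective set.  Shrinking permitted and raising
 * effective within permitted needs no privilege, so this also works for an
 * already-unprivileged caller (then every set simply ends up empty).
 * capset() acts on the calling thread only, so do this before spawning threads. */
static int retain_only_cap(int cap)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];
    if (read_caps(data) < 0)
        return -1;
    for (int i = 0; i < 2; i++) {
        uint32_t keep = (i == (int) CAP_TO_INDEX(cap)) ? CAP_TO_MASK(cap) : 0;
        data[i].permitted &= keep;            /* drop everything but `cap`      */
        data[i].effective = data[i].permitted; /* make it usable again          */
        data[i].inheritable = 0;               /* nothing passes across execve  */
    }
    return (int) syscall(SYS_capset, &hdr, data);
}

/* Check helper: 1 if the effective set holds nothing besides `cap`, 0 if it
 * holds anything else, -1 on error. */
static int effective_is_subset_of(int cap)
{
    struct __user_cap_data_struct data[2];
    if (read_caps(data) < 0)
        return -1;
    for (int i = 0; i < 2; i++) {
        uint32_t allowed = (i == (int) CAP_TO_INDEX(cap)) ? CAP_TO_MASK(cap) : 0;
        if (data[i].effective & ~allowed)
            return 0;
    }
    return 1;
}

/* The complete sequence a daemon would run while still root (needs root to
 * actually change IDs).  Returns 0 on success, -1 on the first failure. */
static int drop_privileges(uid_t uid, gid_t gid, int cap)
{
    if (keep_caps_across_setuid() < 0)
        return -1;
    if (setgroups(0, NULL) < 0 || setgid(gid) < 0)   /* groups first, while root */
        return -1;
    if (setuid(uid) < 0)                             /* permitted kept, effective cleared */
        return -1;
    if (retain_only_cap(cap) < 0)                    /* prune + re-raise */
        return -1;
    return prctl(PR_SET_KEEPCAPS, 0);                /* flag no longer needed */
}

int main(void)
{
    if (geteuid() != 0) {
        /* Unprivileged demo: the capset step still runs, all sets end up empty. */
        printf("not root: skipping UID change, effective subset of CAP_IPC_LOCK: %d\n",
               retain_only_cap(CAP_IPC_LOCK) == 0 && effective_is_subset_of(CAP_IPC_LOCK));
        return 0;
    }
    /* 65534 is the conventional `nobody` uid/gid; an assumption of this example. */
    if (drop_privileges(65534, 65534, CAP_IPC_LOCK) < 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("uid=%u, CAP_IPC_LOCK only in effective set: %d\n",
           (unsigned) getuid(), effective_is_subset_of(CAP_IPC_LOCK));
    return 0;
}
```

Run as root to see the full sequence; as an ordinary user `main` only exercises the capset step. The order matters: the prctl must precede setuid, the group change must precede the UID change (it needs root), and the capset must follow setuid because that is the call that empties the effective set. Note that PR_SET_KEEPCAPS is itself reset on execve, so a program that re-executes after dropping privileges would have to repeat the sequence.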