[PATCH] BSD Secure Levels: allow setuid/setgid on process if root, 2.6.11-rc2-mm1 (5/8)
From: Michael Halcrow
Date: Mon Feb 07 2005 - 14:50:20 EST
This is the fifth in a series of eight patches to the BSD Secure
Levels LSM. It allows setuid and setgid on a process if the user is
already root. This allows non-root users to log in. Thanks to Serge
Hallyn for the suggestion.
Signed off by: Michael Halcrow <mhalcrow@xxxxxxxxxx>
Index: linux-2.6.11-rc2-mm1-modules/security/seclvl.c
===================================================================
--- linux-2.6.11-rc2-mm1-modules.orig/security/seclvl.c 2005-02-03 15:39:35.786556648 -0600
+++ linux-2.6.11-rc2-mm1-modules/security/seclvl.c 2005-02-03 15:41:46.043754544 -0600
@@ -442,12 +442,12 @@
"in secure level [%d] denied\n",
__FUNCTION__, seclvl);
return -EPERM;
- } else if (cap == CAP_SETUID) {
+ } else if (cap == CAP_SETUID && current->uid != 0) {
seclvl_printk(1, KERN_WARNING "%s: Attempt to setuid "
"while in secure level [%d] denied\n",
__FUNCTION__, seclvl);
return -EPERM;
- } else if (cap == CAP_SETGID) {
+ } else if (cap == CAP_SETGID && current->uid != 0) {
seclvl_printk(1, KERN_WARNING "%s: Attempt to setgid "
"while in secure level [%d] denied\n",
__FUNCTION__, seclvl);