Print this page
uts: add a concept of a 'default' set of privileges, separate from 'basic'

*** 589,606 **** def = priv_allocset(); if (def == NULL) { ret = PAM_SYSTEM_ERR; goto out; } ! priv_basicset(def); errno = 0; if ((pathconf("/", _PC_CHOWN_RESTRICTED) == -1) && (errno == 0)) (void) priv_addset(def, PRIV_FILE_CHOWN_SELF); } /* * Silently limit the privileges to those actually available * in the current zone. */ tset = priv_allocset(); if (tset == NULL) { ret = PAM_SYSTEM_ERR; goto out; --- 589,608 ---- def = priv_allocset(); if (def == NULL) { ret = PAM_SYSTEM_ERR; goto out; } ! priv_defaultset(def); errno = 0; if ((pathconf("/", _PC_CHOWN_RESTRICTED) == -1) && (errno == 0)) (void) priv_addset(def, PRIV_FILE_CHOWN_SELF); } /* * Silently limit the privileges to those actually available * in the current zone. + * + * XXX: i think this applies to non-zone cases too, fix the comment. */ tset = priv_allocset(); if (tset == NULL) { ret = PAM_SYSTEM_ERR; goto out;