Print this page
uts: add a concept of a 'default' set of privileges, separate from 'basic'
*** 589,606 ****
def = priv_allocset();
if (def == NULL) {
ret = PAM_SYSTEM_ERR;
goto out;
}
! priv_basicset(def);
errno = 0;
if ((pathconf("/", _PC_CHOWN_RESTRICTED) == -1) && (errno == 0))
(void) priv_addset(def, PRIV_FILE_CHOWN_SELF);
}
/*
* Silently limit the privileges to those actually available
* in the current zone.
*/
tset = priv_allocset();
if (tset == NULL) {
ret = PAM_SYSTEM_ERR;
goto out;
--- 589,608 ----
def = priv_allocset();
if (def == NULL) {
ret = PAM_SYSTEM_ERR;
goto out;
}
! priv_defaultset(def);
errno = 0;
if ((pathconf("/", _PC_CHOWN_RESTRICTED) == -1) && (errno == 0))
(void) priv_addset(def, PRIV_FILE_CHOWN_SELF);
}
/*
* Silently limit the privileges to those actually available
* in the current zone.
+ *
+ * XXX: i think this applies to non-zone cases too, fix the comment.
*/
tset = priv_allocset();
if (tset == NULL) {
ret = PAM_SYSTEM_ERR;
goto out;