diff --git a/include/tscore/ink_cap.h b/include/tscore/ink_cap.h
index 86a8f31f4d5..f1e50b9f749 100644
--- a/include/tscore/ink_cap.h
+++ b/include/tscore/ink_cap.h
@@ -81,8 +81,9 @@ class ElevateAccess
 FILE_PRIVILEGE = 0x1u, ///< Access filesystem objects with privilege
 TRACE_PRIVILEGE = 0x2u, ///< Trace other processes with privilege
 LOW_PORT_PRIVILEGE = 0x4u, ///< Bind to privilege ports.
- OWNER_PRIVILEGE = 0x8u ///< Bypass permission checks on operations that normally require
+ OWNER_PRIVILEGE = 0x8u, ///< Bypass permission checks on operations that normally require
 /// filesystem UID & process UID to match
+ CHOWN_PRIVILEGE = 0x10u ///< Change file ownership
 };
 ElevateAccess(unsigned level = FILE_PRIVILEGE);
diff --git a/src/tscore/ink_cap.cc b/src/tscore/ink_cap.cc
index f464daad3b1..6841c462b02 100644
--- a/src/tscore/ink_cap.cc
+++ b/src/tscore/ink_cap.cc
@@ -273,7 +273,7 @@ RestrictCapabilities()
 cap_t caps_orig = cap_get_proc();
 // Capabilities we need.
- cap_value_t perm_list[] = {CAP_NET_ADMIN, CAP_NET_BIND_SERVICE, CAP_IPC_LOCK, CAP_DAC_OVERRIDE, CAP_FOWNER};
+ cap_value_t perm_list[] = {CAP_NET_ADMIN, CAP_NET_BIND_SERVICE, CAP_IPC_LOCK, CAP_DAC_OVERRIDE, CAP_FOWNER, CAP_CHOWN};
 static int const PERM_CAP_COUNT = sizeof(perm_list) / sizeof(*perm_list);
 cap_value_t eff_list[] = {CAP_NET_ADMIN, CAP_NET_BIND_SERVICE, CAP_IPC_LOCK};
 static int const EFF_CAP_COUNT = sizeof(eff_list) / sizeof(*eff_list);
@@ -436,7 +436,7 @@ void
 ElevateAccess::acquirePrivilege(unsigned priv_mask)
 {
 unsigned cap_count = 0;
- cap_value_t cap_list[3];
+ cap_value_t cap_list[4];
 cap_t new_cap_state;
 Dbg(dbg_ctl_privileges, "[acquirePrivilege] level= %x", level);
@@ -463,6 +463,11 @@ ElevateAccess::acquirePrivilege(unsigned priv_mask)
 ++cap_count;
 }
+ if (priv_mask & ElevateAccess::CHOWN_PRIVILEGE) {
+ cap_list[cap_count] = CAP_CHOWN;
+ ++cap_count;
+ }
+
 ink_release_assert(cap_count <= sizeof(cap_list));
 if (cap_count > 0) {
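Review bot: In RestrictCapabilities() (src/tscore/ink_cap.cc, hunk at -273) CAP_CHOWN is added to perm_list without any stated reason, and the existing comment `// Capabilities we need.` does not say which caller needs it. perm_list is presumably the permitted set, so the process keeps the ability to raise CAP_CHOWN for its whole lifetime, and any code path that reaches ElevateAccess with CHOWN_PRIVILEGE can change ownership of files regardless of their current owner; it is at least kept out of eff_list. I would record the consumer next to the list, e.g. `// CAP_CHOWN: permitted only; raised through ElevateAccess::CHOWN_PRIVILEGE by <caller that changes file ownership>`, and consider retaining it only when that feature is configured. The function body continues outside the hunk.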
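Review bot: In ElevateAccess::acquirePrivilege (hunks at -436 and -463) the bounds check `ink_release_assert(cap_count <= sizeof(cap_list));` compares an element count with a byte size and runs only after the writes, so it cannot catch an overrun of cap_list. The enum hunk shows five flags while the array is now sized to four; if each flag has its own branch like the one added here (the earlier branches are outside the hunk), a mask with all five bits set writes one element past the end of a stack array. I would size it as `cap_value_t cap_list[5];` and assert on the element count, `ink_release_assert(cap_count <= sizeof(cap_list) / sizeof(*cap_list));`, ideally deriving both from one constant so the next flag cannot drift. The function body continues outside these hunks.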