Bug 215910 - man page for cap_reset_ambient() incorrectly claims CAP_SETPCAP is needed
Summary: man page for cap_reset_ambient() incorrectly claims CAP_SETPCAP is needed
Status: RESOLVED DOCUMENTED
Alias: None
Product: Tools
Classification: Unclassified
Component: libcap (show other bugs)
Hardware: All Linux
: P1 normal
Assignee: Andrew G. Morgan
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2022-04-28 03:35 UTC by Tinkerer One
Modified: 2022-04-29 04:42 UTC (History)
1 user (show)

See Also:
Kernel Version: all
Subsystem:
Regression: No
Bisected commit-id:


Attachments

Description Tinkerer One 2022-04-28 03:35:21 UTC
The man page (cap_get_proc.3) claims:

       cap_reset_ambient() resets all of the ambient capabilities for
       the calling process to their lowered value. To complete
       successfully, the prevailing effective capability set must have a
       raised CAP_SETPCAP.  Note, the ambient set is intended to operate
       in a legacy environment where the application has limited
       awareness of capabilities in general. Executing a file with
       associated filesystem capabilities, the kernel will implicitly
       reset the ambient set of the process. Also, changes to the
       inheritable set by the program code without explicitly fixing up
       the ambient set can also drop ambient bits.

This is not correct. The kernel will let any process drop its ambient set
with this function without CAP_SETPCAP.

Verified as follows:

$ sudo capsh --inh=cap_setuid --user=$(whoami) --addamb=cap_setuid == --print --noamb --print | grep Current
Current: cap_setuid=eip
Current IAB: ^cap_setuid
Current: cap_setuid=eip
Current IAB: cap_setuid
Comment 1 Andrew G. Morgan 2022-04-29 04:42:16 UTC
Thanks for the bug report! Fixed with:

https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=9a9579181897a62dc107b121f139a319d7e297fa

Note You need to log in before you can comment on or make changes to this bug.