On 06/04/2022 14:44, Timo Rothenpieler wrote:


'man cap_change_id' does not mention setting errno at all.
What do we expect to see with M_ERRNO?

Every function it internally calls sets errno, so in case of failure errno will reflect what went wrong. Like, for example, EPERM will be the most common cause of failure.

capng_change_id() does several other lower level calls, like prctl(), setgroups(), setresgid() and setresuid(). They all set errno if an error occurs. The return code of capng_change_id() just reflects in which phase of dropping privileges/uid/gid it failed.

For more details on capng_change_id(), the implementation itself isn't that hard to read (but it does several steps to harden the privilege drop): <https://github.com/stevegrubb/libcap-ng/blob/03b8572843b36bf071776a311c61f8d1dcfc4d53/src/cap-ng.c#L960>


--
kind regards,

David Sommerseth
OpenVPN Inc
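
The pattern discussed in this message, as an added example that is not part of the original thread and is not libcap-ng or OpenVPN code: a multi-step privilege drop whose return value names the failing phase while errno carries the reason. The phase codes, `struct target`, the step order and all function names are assumptions made for illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <unistd.h>
/* glibc declares these only under _GNU_SOURCE; repeated so the file builds either way. */
int setresgid(gid_t, gid_t, gid_t); int setresuid(uid_t, uid_t, uid_t);
/* Phase codes for this example only (hypothetical, not libcap-ng's values). */
enum { DROP_OK = 0, DROP_KEEPCAPS = -1, DROP_GROUPS = -2, DROP_GID = -3, DROP_UID = -4 };
struct target { uid_t uid; gid_t gid; };
typedef int (*step_fn)(const struct target *);

int step_keepcaps(const struct target *t) { (void)t; return prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0); }
int step_groups(const struct target *t) { return setgroups(1, &t->gid); }
int step_gid(const struct target *t) { return setresgid(t->gid, t->gid, t->gid); }
int step_uid(const struct target *t) { return setresuid(t->uid, t->uid, t->uid); }
/* Simulated steps, so a failure can be shown without being root. */
int step_ok(const struct target *t) { (void)t; return 0; }
int step_fail_eperm(const struct target *t) { (void)t; errno = EPERM; return -1; }

/* Each step sets errno on failure; the return value only names the phase. */
int drop_privs(const step_fn steps[4], const struct target *t) {
    for (int i = 0; i < 4; i++)
        if (steps[i](t) != 0)
            return -(i + 1);
    return DROP_OK;
}

/* Fill buf on failure. errno is saved first: any later libc call may change it. */
int report_drop(const step_fn steps[4], const struct target *t, char *buf, size_t len) {
    int rc = drop_privs(steps, t);
    int saved = errno;
    if (rc != DROP_OK)
        snprintf(buf, len, "privilege drop failed in phase %d: %s (errno=%d)",
                 -rc, strerror(saved), saved);
    errno = saved;   /* caller still sees the failing call's errno */
    return rc;
}

int main(void) {
    char msg[128];
    struct target t = { getuid(), getgid() };   /* own ids: identity does not change */
    const step_fn sim[4] = { step_ok, step_ok, step_fail_eperm, step_ok };
    const step_fn real[4] = { step_keepcaps, step_groups, step_gid, step_uid };
    if (report_drop(sim, &t, msg, sizeof msg) != DROP_OK) puts(msg);   /* simulated */
    if (report_drop(real, &t, msg, sizeof msg) != DROP_OK) puts(msg);  /* real calls */
    return 0;
}
```

Run unprivileged, the real steps typically stop at `setgroups()` with EPERM, which is the case an errno-aware log line makes visible.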


