Artem Kachitchkine wrote:
>
>> Hmm, on second look, it doesn't look like this code does anything.
>
> Run ppriv `pgrep dlmgmtd`. With the current code you should see E = P =
> basic. With altered code, it should be basic,sys_net_config.
>
> We can fine tune it even further by removing those privileges that
> belong to the basic set, but we don't use, like file_link_any or proc_info:
>
> priv_set(PRIV_OFF, PRIV_PERMITTED, PRIV_FILE_LINK_ANY, ...
>
> E.g. see ppriv `pgrep nfsd`.

Well gag me with a chainsaw, you're right. I've been staring at __init_daemon_priv() for a long time, and I don't see how it alters the effective set. I'm stumped.

Anyway, your change indeed has the desired effect, forget I brought it up. :-)

-Seb
