bryancall opened a new pull request, #12908: URL: https://github.com/apache/trafficserver/pull/12908
## Summary

Add `CAP_CHOWN` to the permitted capability set retained by `RestrictCapabilities()` after the privilege drop from root to the unprivileged user. This enables plugins that manage TLS certificate files to set `root:root` ownership on backup copies they write to disk, supporting deployments where cert files are restricted to `root:root 600` inside `root:root 700` directories.

## Changes

* **`src/tscore/ink_cap.cc`** -- Added `CAP_CHOWN` to `perm_list` in `RestrictCapabilities()`. Like `CAP_DAC_OVERRIDE` and `CAP_FOWNER`, it is retained in the permitted set only (not effective). A plugin must explicitly promote it to the effective set before use.

## Security Considerations

`CAP_CHOWN` allows changing file ownership. It follows the same security model as `CAP_DAC_OVERRIDE` (already retained): held in the permitted set but **not** in the effective set during normal operation. A plugin must use RAII-style elevation to briefly promote it, then drop it immediately after the `fchown()` call.

## Testing

Verified on Fedora 43 with libcap 2.76:

- `CAP_CHOWN` appears in `CapPrm` but not `CapEff` after startup
- `fchown()` succeeds when the capability is elevated
- No change to steady-state behavior

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
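The permitted-but-not-effective pattern the description relies on, shown as an added example that is not part of this PR and not Traffic Server's own elevation code. It assumes raw `capget`/`capset` syscalls from `<linux/capability.h>` instead of libcap (so it builds without `-lcap`), and the names `ScopedCapability`, `fchown_with_cap_chown`, `parse_status_mask` and `demo_roundtrip` are made up for the illustration. Run as an ordinary user, `CAP_CHOWN` is absent from `CapPrm`, so the constructor reports `EPERM` and nothing is raised; in a process that keeps `CAP_CHOWN` permitted, the capability is effective only inside the scope.

```cpp
// Added example, not ATS code: raise CAP_CHOWN from the permitted set into the
// effective set around a single fchown(), then drop it again (RAII).
#include <cerrno>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <string>
#include <linux/capability.h>   // CAP_CHOWN, _LINUX_CAPABILITY_VERSION_3
#include <sys/syscall.h>
#include <unistd.h>

namespace {

struct CapSets {
  uint32_t effective[_LINUX_CAPABILITY_U32S_3]   = {};
  uint32_t permitted[_LINUX_CAPABILITY_U32S_3]   = {};
  uint32_t inheritable[_LINUX_CAPABILITY_U32S_3] = {};
};

bool caps_get(CapSets &out) {
  __user_cap_header_struct hdr{_LINUX_CAPABILITY_VERSION_3, 0};  // pid 0 = self
  __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3]{};
  if (syscall(SYS_capget, &hdr, data) != 0) return false;
  for (int i = 0; i < _LINUX_CAPABILITY_U32S_3; ++i) {
    out.effective[i]   = data[i].effective;
    out.permitted[i]   = data[i].permitted;
    out.inheritable[i] = data[i].inheritable;
  }
  return true;
}

bool caps_set(const CapSets &in) {
  __user_cap_header_struct hdr{_LINUX_CAPABILITY_VERSION_3, 0};
  __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3]{};
  for (int i = 0; i < _LINUX_CAPABILITY_U32S_3; ++i) {
    data[i].effective   = in.effective[i];
    data[i].permitted   = in.permitted[i];
    data[i].inheritable = in.inheritable[i];
  }
  return syscall(SYS_capset, &hdr, data) == 0;
}

bool has_cap(const uint32_t set[], int cap) { return (set[cap / 32] >> (cap % 32)) & 1u; }
void set_cap(uint32_t set[], int cap, bool on) {
  if (on) set[cap / 32] |= 1u << (cap % 32); else set[cap / 32] &= ~(1u << (cap % 32));
}

}  // namespace

// Parse a "CapPrm:\t0000000000000001" line from /proc/<pid>/status into a mask.
uint64_t parse_status_mask(const std::string &line) {
  auto colon = line.find(':');
  if (colon == std::string::npos) return 0;
  return std::strtoull(line.c_str() + colon + 1, nullptr, 16);
}
bool mask_has_cap(uint64_t mask, int cap) { return (mask >> cap) & 1u; }

// Constructor raises `cap` into the effective set; destructor lowers it again.
// Raising is refused (EPERM) unless the capability is already permitted.
class ScopedCapability {
 public:
  explicit ScopedCapability(int cap) : cap_(cap) {
    CapSets cs;
    if (!caps_get(cs))               { err_ = errno; return; }
    if (!has_cap(cs.permitted, cap)) { err_ = EPERM; return; }  // not in CapPrm
    if (has_cap(cs.effective, cap))  { ok_ = true; was_effective_ = true; return; }
    set_cap(cs.effective, cap, true);
    if (!caps_set(cs))               { err_ = errno; return; }
    ok_ = true;
  }
  ~ScopedCapability() {
    if (!ok_ || was_effective_) return;   // nothing to undo
    int saved = errno;                    // keep the caller's errno intact
    CapSets cs;
    if (caps_get(cs)) { set_cap(cs.effective, cap_, false); caps_set(cs); }
    errno = saved;
  }
  bool ok() const { return ok_; }
  int  error() const { return err_; }
 private:
  int  cap_;
  bool ok_ = false, was_effective_ = false;
  int  err_ = 0;
};

// What a certificate-backup plugin would do: hold CAP_CHOWN only around fchown().
int fchown_with_cap_chown(int fd, uid_t uid, gid_t gid) {
  ScopedCapability cap(CAP_CHOWN);
  if (!cap.ok()) { errno = cap.error(); return -1; }
  return fchown(fd, uid, gid);  // destructor drops CAP_CHOWN on return
}

// Self-check: 0 = CAP_CHOWN raised inside the scope and gone afterwards,
// 1 = CAP_CHOWN not permitted (a normal unprivileged process), -1 = inconsistency.
int demo_roundtrip() {
  CapSets before;
  if (!caps_get(before)) return -1;
  {
    ScopedCapability cap(CAP_CHOWN);
    if (!cap.ok()) return cap.error() == EPERM ? 1 : -1;
    CapSets during;
    if (!caps_get(during) || !has_cap(during.effective, CAP_CHOWN)) return -1;
  }
  CapSets after;
  if (!caps_get(after)) return -1;
  return std::memcmp(before.effective, after.effective, sizeof before.effective) == 0 ? 0 : -1;
}

int main() { std::printf("roundtrip result: %d\n", demo_roundtrip()); }
```

The constructor deliberately checks `CapPrm` itself before calling `capset`, which is why a process that dropped `CAP_CHOWN` entirely fails fast with `EPERM` rather than silently running `fchown()` without the capability; the destructor saves and restores `errno` so a failed `fchown()` still reports its real cause.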
