Bug 68434

Summary:	CAP_SYS_MODULE cannot be dropped at boot
Product:	systemd	Reporter:	Matteo Sasso <matteo.sasso>
Component:	general	Assignee:	systemd-bugs
Status:	RESOLVED FIXED	QA Contact:	systemd-bugs
Severity:	normal
Priority:	medium
Version:	unspecified
Hardware:	All
OS:	Linux (All)
Whiteboard:
i915 platform:		i915 features:

Description Matteo Sasso 2013-08-22 13:20:37 UTC

At boot, init drops its own capabilities and usermode helpers' according to the CapabilityBoundingSet option in systemd/system.conf. Unfortunately, to modify files in /proc/sys/kernel/usermodehelper you need CAP_SYS_MODULE: if you don't include CAP_SYS_MODULE in the bounding set, boot fails with "Failed to drop capability bounding set of usermode helpers".

I think being able to drop CAP_SYS_MODULE is one of the most useful uses of that option. To fix this, capabilities should be dropped in reverse order: first those of usermodehelper, then those of systemd's init.

It should be a trivial change to main.c (just search for the error message and you'll see what I mean).

Comment 1 Harald Hoyer 2013-08-30 08:27:30 UTC

Good catch!

http://cgit.freedesktop.org/systemd/systemd/commit/?id=31c885e9ae53f4b88a36452c4ca10643fdd0fd06

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.