From e8b89a610443f32b901801668cbae634e13f3e68 Mon Sep 17 00:00:00 2001
From: Ondrej Zajicek
Date: Sun, 15 May 2011 16:29:44 +0200
Subject: Update and document the privilege restriction.

---
 sysdep/linux/syspriv.h | 5 +++++
 1 file changed, 5 insertions(+)
(limited to 'sysdep/linux')

diff --git a/sysdep/linux/syspriv.h b/sysdep/linux/syspriv.h
index bfe19ac..b2cdde8 100644
--- a/sysdep/linux/syspriv.h
+++ b/sysdep/linux/syspriv.h
@@ -48,15 +48,20 @@ drop_uid(uid_t uid)
     CAP_TO_MASK(CAP_NET_ADMIN) |
     CAP_TO_MASK(CAP_NET_RAW);
 
+  /* change effective user ID to be able to switch to that
+     user ID completely after dropping CAP_SETUID */
   if (seteuid(uid) < 0)
     die("seteuid: %m");
 
+  /* restrict the capabilities */
   if (set_capabilities(caps) < 0)
     die("capset: %m");
 
+  /* keep the capabilities after dropping root ID */
   if (prctl(PR_SET_KEEPCAPS, 1) < 0)
     die("prctl: %m");
 
+  /* completely switch to the unprivileged user ID */
   if (setresuid(uid, uid, uid) < 0)
     die("setresuid: %m");
 }
-- 
cgit v1.2.3
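Review bot: The new comment on the seteuid() call states the goal but not the ordering constraint that makes this sequence work, so nothing warns a future maintainer against moving seteuid() below set_capabilities(). Per capabilities(7), changing the effective UID from 0 to non-zero clears the effective capability set, so seteuid() has to run before set_capabilities() repopulates that set, and the final setresuid() keeps the effective set only because euid is already non-root at that point (PR_SET_KEEPCAPS by itself preserves the permitted set, not the effective one). I would make the first comment `/* seteuid() from 0 clears the effective capability set, so do it before set_capabilities() rebuilds it; it also lets the later setresuid() succeed without CAP_SETUID */` and the prctl comment `/* keep the permitted set across the real/saved UID change below; the effective set survives because euid is already non-root */`. The start of drop_uid() and the full caps mask are above the hunk, so I could not verify from here that CAP_SETUID is absent from caps, which the first comment presupposes.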