
In a C program, I have to deal with RLIMIT_NPROC and RLIMIT_NOFILE limits and additionally bind to a port less than 1024. I am thinking of running this as an unprivileged user, since my program needs only two capabilities.

I saw here that I can set capabilities for the process and then drop root privileges using setuid(). Now, if I fork the process, the child will keep the set list of capabilities with it, without root privileges, and my program will keep running with minimal privileges. A very rough overview of my plan:

```c
#include <unistd.h>

int main()
{
    int nproc, nfds, port;
    /*
     * set capabilities for the process,
     * then drop privileges
     */
    if (setuid(getuid()) != 0) // Drop privileges to the real user ID
        return 1;
    fork(); // Now create a child, which will apparently have the parent's set capabilities
    /* Now do the tasks all of this is for */
    set_nproclimit(nproc);
    set_nofilelimit(nfds);
    do_bind_to_port(port);
    return 0;
}
```

What I am missing here is a syscall to set capabilities. Any pointers to such functions would be a great help.

PS: I am able to assign caps through the command-line utility setcap and also using cap_set_file(), but I want to do this another way because I am not always sure about the path of the binary.

Some helpful proc commands to check the status of a process and its subprocesses: `cat /proc/<PID>/task/<PID>/status`, `cat /proc/<PID>/limits`

tomix86
Akaks
  • Can you be a little more specific about what it is that you want? I mean, I didn't understand the problem that you are facing – Ankit Kumar Feb 28 '14 at 18:38
  • You need to look into [libcap](http://man7.org/linux/man-pages/man3/libcap.3.html) – Duck Feb 28 '14 at 23:31
  • @dreamer Yes, it sounds confusing. I just want to assign some capability rather than running my program with root privileges. – Akaks Mar 01 '14 at 01:16

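One way to do what the question describes without `setcap` on the binary, as an added example that is not code from the question or from libcap: start as root, set `PR_SET_KEEPCAPS` so the permitted set survives `setuid()`, switch user, then shrink the sets with the raw `capset` syscall. The function names and the choice of `CAP_NET_BIND_SERVICE` plus `CAP_SYS_RESOURCE` as the "two capabilities" are assumptions.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <linux/capability.h>
#include <stdint.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

#define CAP_BIT(c) (1ULL << (c))
/* Assumed set for the question: ports < 1024 and raising hard rlimits. */
#define KEEP (CAP_BIT(CAP_NET_BIND_SERVICE) | CAP_BIT(CAP_SYS_RESOURCE))

/* Read this process's effective and permitted sets; 0 on success. */
int get_caps(uint64_t *eff, uint64_t *perm) {
    struct __user_cap_header_struct h = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct d[2] = {{0}};
    if (syscall(SYS_capget, &h, d) != 0) return -1;
    *eff  = d[0].effective | ((uint64_t)d[1].effective << 32);
    *perm = d[0].permitted | ((uint64_t)d[1].permitted << 32);
    return 0;
}

/* Shrink permitted and effective to (current permitted & keep) and clear
 * inheritable. Returns 0 and stores the resulting set in *got. */
int limit_caps(uint64_t keep, uint64_t *got) {
    uint64_t eff, perm;
    if (get_caps(&eff, &perm) != 0) return -1;
    uint64_t want = perm & keep;
    struct __user_cap_header_struct h = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct d[2] = {
        { (uint32_t)want, (uint32_t)want, 0 },
        { (uint32_t)(want >> 32), (uint32_t)(want >> 32), 0 } };
    if (syscall(SYS_capset, &h, d) != 0) return -1;
    *got = want;
    return 0;
}

/* Root -> uid/gid while keeping only `keep`. Fails closed: returns -1
 * unless every requested capability is effective afterwards. */
int drop_root_keep_caps(uid_t uid, gid_t gid, uint64_t keep) {
    uint64_t got;
    if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) != 0) return -1;
    if (geteuid() == 0 && setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0) return -1;
    if (limit_caps(keep, &got) != 0) return -1; /* setuid cleared effective */
    return got == keep ? 0 : -1;
}
```

Call `drop_root_keep_caps()` before `fork()`: children created by `fork()` inherit the reduced sets, and the result can be confirmed in the `CapPrm`/`CapEff` lines of `/proc/<PID>/status`.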