diff options
| author | Tavian Barnes <tavianator@tavianator.com> | 2021-03-23 11:46:26 -0400 |
|---|---|---|
| committer | Tavian Barnes <tavianator@tavianator.com> | 2021-03-23 11:46:26 -0400 |
| commit | d36ece2ca7498b7ba5485d5010439b57f006c9c8 (patch) | |
| tree | d3a9070b46d29b680ff9d691c6abff3ac55dcd11 /tests.sh | |
| parent | dbc77fd3b6e48a17eb79f9ff3a5f810b7554bf6f (diff) | |
| download | bfs-d36ece2ca7498b7ba5485d5010439b57f006c9c8.tar.xz | |
tests: Actually remove capabilities after dropping them
Diffstat (limited to 'tests.sh')
| -rwxr-xr-x | tests.sh | 13 |
1 files changed, 8 insertions, 5 deletions
@@ -35,22 +35,25 @@ if [ -t 1 ]; then fi if command -v capsh &>/dev/null; then - if capsh --has-p=CAP_DAC_OVERRIDE &>/dev/null || capsh --has-p=CAP_DAC_READ_SEARCH &>/dev/null; then + if capsh --has-p=cap_dac_override &>/dev/null || capsh --has-p=cap_dac_read_search &>/dev/null; then if [ -n "$BFS_TRIED_DROP" ]; then cat >&2 <<EOF -${RED}error: ${RST} Failed to drop capabilities. +${RED}error:${RST} Failed to drop capabilities. EOF exit 1 fi cat >&2 <<EOF -${YLW}warning:${RST} Running as ${BLD}$(id -un)${RST} is not recommended. Dropping ${BLD}CAP_DAC_OVERRIDE${RST} and -${BLD}CAP_DAC_READ_SEARCH${RST}. +${YLW}warning:${RST} Running as ${BLD}$(id -un)${RST} is not recommended. Dropping ${BLD}cap_dac_override${RST} and +${BLD}cap_dac_read_search${RST}. EOF - BFS_TRIED_DROP=y exec capsh --drop=CAP_DAC_OVERRIDE,CAP_DAC_READ_SEARCH -- "$0" "$@" + BFS_TRIED_DROP=y exec capsh \ + --drop=cap_dac_override,cap_dac_read_search \ + --caps=cap_dac_override,cap_dac_read_search-eip \ + -- "$0" "$@" fi elif [ "$EUID" -eq 0 ]; then UNLESS= |