On Fri, 11 Jan 2002, Alan Cox wrote: > Think so - thats what suser() itself did so it cant be worse 8) Maybe we need more capabilities for finer grained privileges... CAP_SYS_ADMIN is too powerful :) So, again, the patch. Patch is made against 2.4.16. diff -urN linux-2.4.16-vanilla/drivers/char/tty_io.c linux-2.4.16/drivers/char/tty_io.c --- linux-2.4.16-vanilla/drivers/char/tty_io.c Sat Nov 3 02:26:17 2001 +++ linux-2.4.16/drivers/char/tty_io.c Fri Jan 11 06:24:16 2002 @@ -1377,7 +1377,7 @@ retval = -ENODEV; filp->f_flags = saved_flags; - if (!retval && test_bit(TTY_EXCLUSIVE, &tty->flags) && !suser()) + if (!retval && test_bit(TTY_EXCLUSIVE, &tty->flags) && !capable(CAP_SYS_TTY_CONFIG)) retval = -EBUSY; if (retval) { @@ -1479,7 +1479,7 @@ { char ch, mbz = 0; - if ((current->tty != tty) && !suser()) + if ((current->tty != tty) && !capable(CAP_SYS_TTY_CONFIG)) return -EPERM; if (get_user(ch, arg)) return -EFAULT; @@ -1517,7 +1517,7 @@ { if (inode->i_rdev == SYSCONS_DEV || inode->i_rdev == CONSOLE_DEV) { - if (!suser()) + if (!capable(CAP_SYS_TTY_CONFIG)) return -EPERM; redirect = NULL; return 0; @@ -1559,7 +1559,7 @@ * This tty is already the controlling * tty for another session group! */ - if ((arg == 1) && suser()) { + if ((arg == 1) && capable(CAP_SYS_ADMIN)) { /* * Steal it away */ diff -urN linux-2.4.16-vanilla/drivers/char/vt.c linux-2.4.16/drivers/char/vt.c --- linux-2.4.16-vanilla/drivers/char/vt.c Fri Nov 16 19:08:28 2001 +++ linux-2.4.16/drivers/char/vt.c Fri Jan 11 06:25:36 2002 @@ -440,10 +440,11 @@ /* * To have permissions to do most of the vt ioctls, we either have - * to be the owner of the tty, or super-user. + * to be the owner of the tty, or to have CAP_SYS_TTY_CONFIG + * capability. */ perm = 0; - if (current->tty == tty || suser()) + if (current->tty == tty || capable(CAP_SYS_TTY_CONFIG)) perm = 1; kbd = kbd_table + console; @@ -1038,12 +1039,12 @@ return do_unimap_ioctl(cmd, (struct unimapdesc *)arg, perm); case VT_LOCKSWITCH: - if (!suser()) + if (!capable(CAP_SYS_TTY_CONFIG)) return -EPERM; vt_dont_switch = 1; return 0; case VT_UNLOCKSWITCH: - if (!suser()) + if (!capable(CAP_SYS_TTY_CONFIG)) return -EPERM; vt_dont_switch = 0; return 0; To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/