Possible mistake in commit 3ca459eaba1b ("tun: fix group permission check")

stsp stsp2 at yandex.ru
Tue Jan 28 14:45:43 UTC 2025


28.01.2025 17:20, Ondrej Mosnacek wrote:
> That could work, but the semantics become a bit weird, actually: When
> you set both uid and gid, one of them needs to match. If you unset
> uid/gid, you get a stricter condition (gid/uid must match). And if you
> then also unset the other one, you suddenly get a less strict
> condition than the first two - nothing has to match.
Maybe this means that unsetting with -1 is something that shouldn't be
done and/or allowed? In this case you only make it stricter. Modulo the
inability to set both user/group at the same time, so you still get
"less strict" when setting group after user is already set...


