From 2051bdd5e4c15b29833502f08589d43ea457f03b Mon Sep 17 00:00:00 2001 From: Sangyoon Jang Date: Wed, 8 Feb 2017 21:34:32 +0900 Subject: [PATCH] Make CAP_DAC_OVERRIDE inheritable for using xdelta3 Currently, xdelta3 has CAP_DAC_OVERRIDE itself by file capability. This is security hole, because attacker can modify any files using xdelta3. To prevent this problem, make xdelta3 have CAP_DAC_OVERRIDE only by inheriting from server. Change-Id: I76f9416cff0c8b2e54c18093c162f6044c399245 Signed-off-by: Sangyoon Jang --- package-manager.service.in | 3 +++ 1 file changed, 3 insertions(+) diff --git a/package-manager.service.in b/package-manager.service.in index c3aa925..0bfb548 100644 --- a/package-manager.service.in +++ b/package-manager.service.in @@ -5,4 +5,7 @@ Description=Tizen Package Manager User=app_fw Group=app_fw SmackProcessLabel=System +# CAP_DAC_OVERRIDE should be inheritable for using xdelta3 +Capabilities=cap_dac_override=i +SecureBits=keep-caps ExecStart=@PREFIX@/bin/pkgmgr-server -- 2.7.4
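Review bot: On the added `Capabilities=cap_dac_override=i` line, the inheritable bit is placed on pkgmgr-server itself, so every program the server execs carries it, and any binary whose file capabilities include cap_dac_override in the inheritable set will gain the capability, not only xdelta3. The commit message says xdelta3 should get the capability only by inheriting it from the server, but this patch changes only package-manager.service.in. The matching change to xdelta3's file capability, from a permitted set to an inheritable one (for example `cap_dac_override=ei`), needs to land together with this, otherwise the problem described in the message remains. The new comment also documents only the `Capabilities=` line: please state why `SecureBits=keep-caps` is needed alongside `User=app_fw`, or drop it if it is not.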