Re: [libvirt] [PATCH 2/5] util: allow using virCommandAllowCap with setuid helpers

On 03/25/2013 08:25 AM, Paolo Bonzini wrote: > When running unprivileged, virSetUIDGIDWithCaps will fail because it > tries to add the requested capabilities to the permitted and effective > sets. > > Detect this case, and invoke the child with cleared permitted and > effective sets. If it is a setuid program, it will get them. > > Some care is needed also because you cannot drop capabilities from the > bounding set without CAP_SETPCAP. Because of that, ignore errors from > setting the bounding set.

As written, the patch makes sense.