Or Gerlitz wrote:
>> This check prevents applications from trying to use port numbers below 1024
>> unless they possess the net bind service capability. A similar check
>> could just be:
>>
>>     if (ps == RDMA_PS_IPOIB && !capable(CAP_NET_BIND_SERVICE))
>>             return -EACCES;
>
> OK, let's see if I got it: your suggestion is that only if the process has
> the net bind service capability it would be able to create RDMA_PS_IPOIB
> IDs. How do processes get possession of this capability()?
>
> Talking here, I understand that there are issues with Linux
> capability()-ies, specifically capabilities are not passed through
> execve(), see "understanding Linux capabilities brokenness" @
> http://lkml.org/lkml/2005/8/8/248
>
> This means capabilities are practically not usable for "non root processes".

I have now got a pointer to this more recent LKML discussion where a patch
was suggested to solve the problem, "patch to make Linux capabilities into
something useful (v 0.3.1)" @ http://lkml.org/lkml/2006/9/5/246

This means that unless someone proves that capabilities are not broken, we
will allow (e.g. under some mod param) non-root apps to create RDMA_PS_IPOIB
IDs, OK?

Or.
