From 567d83cf011d05b3301ce8e54d08403eeebcd1da Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Fri, 21 Oct 2016 14:50:42 +0200
Subject: [PATCH] When doing chroot  * we should not drop any capabilities for
 root  * we should not clear bounding capabilities for other users  * we
 should probably retain the supplement groups

---
 openssh-7.2p2-chroot-capabilities.patch | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/openssh-7.2p2-chroot-capabilities.patch b/openssh-7.2p2-chroot-capabilities.patch
index 69a5342..ea71cb9 100644
--- a/openssh-7.2p2-chroot-capabilities.patch
+++ b/openssh-7.2p2-chroot-capabilities.patch
@@ -63,7 +63,7 @@ index 6cfcba4..80d2806 100644
  
  	platform_setusercontext(pw);
  
-@@ -1619,10 +1624,24 @@ do_setusercontext(struct passwd *pw)
+@@ -1619,10 +1624,25 @@ do_setusercontext(struct passwd *pw)
  			    pw->pw_uid);
  			chroot_path = percent_expand(tmp, "h", pw->pw_dir,
  			    "u", pw->pw_name, (char *)NULL);
@@ -71,7 +71,8 @@ index 6cfcba4..80d2806 100644
 +			/* drop suid soon, retain SYS_CHROOT capability */
 +			capng_clear(CAPNG_SELECT_BOTH);
 +			capng_update(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED, CAP_SYS_CHROOT);
-+			if ((dropped_suid = capng_change_id(pw->pw_uid, pw->pw_gid, CAPNG_DROP_SUPP_GRP | CAPNG_CLEAR_BOUNDING)) != 0)
++			if (pw->pw_uid != 0 &&
++			    (dropped_suid = capng_change_id(pw->pw_uid, pw->pw_gid, CAPNG_INIT_SUPP_GRP)) != 0)
 +				logit("capng_change_id() = %d (failure): Try to drop UID later", dropped_suid);
 +#endif
  #ifdef WITH_SELINUX