Change default for DISABLE_SETUID to false


In 8.9.9 we added the knob DISABLE_SETUID, with a default value of true. This sets the linux no-new-privs flag, which disables programs with the setuid-bit in a binary from changing their uid. It does not impact programs which have real uid 0 switching back and forth.

Unfortunately, this breaks condor_ssh_to_job if selinux is enabled. Until we can resolve this with a selinux policy, we will set the default to "false".


Greg Thain
March 24, 2021, 4:42 PM

Note that was the original

Todd L Miller
March 24, 2021, 4:14 PM

Code Review

Looks good to me.

Time remaining



Greg Thain