Switching UID to a new user while preserving the CAP_NET_ADMIN capability

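On Linux, every process has three user identifiers (there is actually a fourth):
real uid : the real user ID
saved uid : the saved user ID
effective uid : the effective user ID
The real user ID (real uid) is the user at login. While the process is running,
it is the effective user ID (effective uid) that is used for all security checks.
In the normal case:
real uid = saved uid = effective uid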

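In some situations, the setuid and setruid functions can be used to change the effective uid,
so that the program runs with special privileges.

If you also want to keep some of the original privileges, you can do it like this:

// Keep the original capabilities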

prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0);
setuid(NEW_UID);

// Add new capabilities

capset(&header, &cap);

Here NEW_UID is the new UID. As for prctl:

prctl - operations on a process
       prctl() is called with a first argument describing what to do (with values
       defined in <linux/prctl.h>), and further arguments with a significance
       depending on the first one.  
Now look at the PR_SET_KEEPCAPS option:
       PR_SET_KEEPCAPS (since Linux 2.2.18)
              Set the state of the thread's "keep capabilities" flag, which
              determines whether the thread's permitted capability set is cleared
              when a change is made to the thread's user IDs such that the thread's
              real UID, effective UID, and saved set-user-ID all become nonzero when
              at least one of them previously had the value 0.  By default, the
              permitted capability set is cleared when such a change is made; setting
              the "keep capabilities" flag prevents it from being cleared.  arg2 must
              be either 0 (permitted capabilities are cleared) or 1 (permitted
              capabilities are kept).  (A thread's effective capability set is always
              cleared when such a credential change is made, regardless of the
              setting of the "keep capabilities" flag.)  The "keep capabilities"
              value will be reset to 0 on subsequent calls to execve(2).
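
The sequence above as a complete program, added here as an example and not taken from the original post: it keeps the permitted set across setuid() with PR_SET_KEEPCAPS, then uses capset() to re-raise CAP_NET_ADMIN in the effective set and drop every other capability. The helper names switch_uid_keep_cap, cap_is_effective, xcapget and xcapset are hypothetical; capget/capset are called through syscall() so the program builds without libcap's headers, and group IDs are left unchanged.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/capability.h>

/* Raw syscalls: the capget/capset prototypes otherwise come from libcap's headers. */
static int xcapget(cap_user_header_t h, cap_user_data_t d) { return (int)syscall(SYS_capget, h, d); }
static int xcapset(cap_user_header_t h, cap_user_data_t d) { return (int)syscall(SYS_capset, h, d); }

/* 1 if `cap` is in the calling thread's effective set, 0 if not, -1 on error. */
int cap_is_effective(int cap)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];
    if (xcapget(&hdr, data) != 0) return -1;
    return (data[CAP_TO_INDEX(cap)].effective & CAP_TO_MASK(cap)) != 0;
}

/* Hypothetical helper: switch to new_uid and keep only `cap`.
 * Returns 0 on success, 1 if `cap` was never permitted (nothing done), -1 on error. */
int switch_uid_keep_cap(uid_t new_uid, int cap)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];
    if (xcapget(&hdr, data) != 0) return -1;
    if (!(data[CAP_TO_INDEX(cap)].permitted & CAP_TO_MASK(cap))) return 1;

    if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) != 0) return -1; /* keep permitted set */
    int rc = setuid(new_uid);           /* effective set is cleared on a 0 -> nonzero change */
    prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0); /* flag is no longer needed, success or not */
    if (rc != 0) return -1;             /* never continue after a failed setuid() */

    memset(data, 0, sizeof data);                         /* drop every other capability */
    data[CAP_TO_INDEX(cap)].permitted = CAP_TO_MASK(cap);
    data[CAP_TO_INDEX(cap)].effective = CAP_TO_MASK(cap); /* re-raise in the effective set */
    return xcapset(&hdr, data) != 0 ? -1 : 0;
}

int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s NEW_UID\n", argv[0]); return 2; }
    int rc = switch_uid_keep_cap((uid_t)strtoul(argv[1], NULL, 10), CAP_NET_ADMIN);
    printf("rc=%d uid=%d CAP_NET_ADMIN effective=%d\n", rc, (int)getuid(), cap_is_effective(CAP_NET_ADMIN));
    return rc == 0 ? 0 : 1;
}
```

Run it as root with a numeric UID; rc=1 means the starting process did not hold CAP_NET_ADMIN in its permitted set (common in containers), so there was nothing to keep.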
posted @ 2013-01-10 16:15  _yma