authorYOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>2012-11-14 20:15:07 +0900
committerYOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>2012-11-14 20:15:07 +0900
commit65e6faf32c43d082a12242417101b98f0e1e81c0 (patch)
treedfbd4583f87dceba311856c53a15492a43a56cd5 /ninfod
parent2aeb59ed932f7f2edf5b41a1e6c85f609f40b166 (diff)
downloadiputils-65e6faf32c43d082a12242417101b98f0e1e81c0.tar.gz
ninfod: libcap support to drop capabilities.
Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Diffstat (limited to 'ninfod')
-rw-r--r--ninfod/config.h.in6
-rwxr-xr-xninfod/configure57
-rw-r--r--ninfod/configure.in2
-rw-r--r--ninfod/ninfod.c6
4 files changed, 69 insertions, 2 deletions
diff --git a/ninfod/config.h.in b/ninfod/config.h.in
index d89cffe..de22221 100644
--- a/ninfod/config.h.in
+++ b/ninfod/config.h.in
@@ -18,6 +18,9 @@
/* Define to 1 if you have the <inttypes.h> header file. */
#undef HAVE_INTTYPES_H
+/* Define to 1 if you have the `cap' library (-lcap). */
+#undef HAVE_LIBCAP
+
/* Define to 1 if you have the `pthread' library (-lpthread). */
#undef HAVE_LIBPTHREAD
@@ -66,6 +69,9 @@
/* Define to 1 if you have the <syslog.h> header file. */
#undef HAVE_SYSLOG_H
+/* Define to 1 if you have the <sys/capability.h> header file. */
+#undef HAVE_SYS_CAPABILITY_H
+
/* Define to 1 if you have the <sys/stat.h> header file. */
#undef HAVE_SYS_STAT_H
diff --git a/ninfod/configure b/ninfod/configure
index 91a28c9..be6e71a 100755
--- a/ninfod/configure
+++ b/ninfod/configure
@@ -3572,6 +3572,18 @@ fi
done
+for ac_header in sys/capability.h
+do :
+ ac_fn_c_check_header_mongrel "$LINENO" "sys/capability.h" "ac_cv_header_sys_capability_h" "$ac_includes_default"
+if test "x$ac_cv_header_sys_capability_h" = xyes; then :
+ cat >>confdefs.h <<_ACEOF
+#define HAVE_SYS_CAPABILITY_H 1
+_ACEOF
+
+fi
+
+done
+
for ac_header in netinet/in.h
do :
ac_fn_c_check_header_mongrel "$LINENO" "netinet/in.h" "ac_cv_header_netinet_in_h" "$ac_includes_default"
@@ -4041,6 +4053,51 @@ _ACEOF
fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for cap_init in -lcap" >&5
+$as_echo_n "checking for cap_init in -lcap... " >&6; }
+if ${ac_cv_lib_cap_cap_init+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+ ac_check_lib_save_LIBS=$LIBS
+LIBS="-lcap $LIBS"
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+
+/* Override any GCC internal prototype to avoid an error.
+ Use char because int might match the return type of a GCC
+ builtin and then its argument prototype would still apply. */
+#ifdef __cplusplus
+extern "C"
+#endif
+char cap_init ();
+int
+main ()
+{
+return cap_init ();
+ ;
+ return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+ ac_cv_lib_cap_cap_init=yes
+else
+ ac_cv_lib_cap_cap_init=no
+fi
+rm -f core conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_cap_cap_init" >&5
+$as_echo "$ac_cv_lib_cap_cap_init" >&6; }
+if test "x$ac_cv_lib_cap_cap_init" = xyes; then :
+ cat >>confdefs.h <<_ACEOF
+#define HAVE_LIBCAP 1
+_ACEOF
+
+ LIBS="-lcap $LIBS"
+
+fi
+
LIBS="-lcrypto $LIBS"
diff --git a/ninfod/configure.in b/ninfod/configure.in
index ab49dfe..d543af6 100644
--- a/ninfod/configure.in
+++ b/ninfod/configure.in
@@ -79,6 +79,7 @@ AC_HEADER_TIME
AC_CHECK_HEADERS(openssl/md5.h)
AC_CHECK_HEADERS(sys/uio.h)
AC_CHECK_HEADERS(sys/utsname.h arpa/inet.h netdb.h syslog.h)
+AC_CHECK_HEADERS(sys/capability.h)
AC_CHECK_HEADERS(netinet/in.h)
AC_CHECK_HEADERS(netinet/ip6.h netinet/icmp6.h,,,[
#if HAVE_SYS_TYPES_H
@@ -117,6 +118,7 @@ struct icmp6_nodeinfo nodeinfo;
dnl Checks for library functions.
AC_CHECK_FUNCS(nanosleep)
AC_CHECK_LIB(pthread, pthread_create)
+AC_CHECK_LIB(cap, cap_init)
dnl AC_CHECK_LIB(crypto, MD5_Init,
dnl AC_DEFINE(HAVE_MD5_INIT)
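Review bot: `AC_CHECK_LIB(cap, cap_init)` makes libcap optional with no diagnostic: when the library is absent HAVE_LIBCAP is simply left undefined and configure succeeds, so a build on a host without the libcap headers/library silently produces a ninfod without the capability support this commit introduces. Since the point of the change is privilege reduction, a packager should at least see it at configure time, e.g. `AC_CHECK_LIB(cap, cap_init, , AC_MSG_WARN([libcap not found; building without capability support]))`; an `AC_ARG_WITH([libcap])` that turns the warning into AC_MSG_ERROR would be stronger if optional builds are not actually wanted. Note also that the `AC_CHECK_HEADERS(sys/capability.h)` added in the earlier hunk is independent of this check, so HAVE_LIBCAP can end up defined while HAVE_SYS_CAPABILITY_H is not; whether ninfod.c guards on both is not visible in this diff.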
diff --git a/ninfod/ninfod.c b/ninfod/ninfod.c
index 27531cc..44ab42e 100644
--- a/ninfod/ninfod.c
+++ b/ninfod/ninfod.c
@@ -468,6 +468,8 @@ int main (int argc, char **argv)
appname = argv[0];
+ limit_capabilities();
+
sock = open_sock();
if (sock < 0)
sock_errno = errno;
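Review bot: The new `limit_capabilities();` call at the top of main has no comment saying why it must run before open_sock(), and its definition is not part of this diff, so a reader of main cannot tell which privileges survive it or how failure is reported — no return value is checked, so presumably the function exits on error itself; confirm. Suggest a call-site comment along the lines of `/* Shrink the capability set before any socket is opened; presumably only what open_sock() needs is kept (see limit_capabilities) */` so the privilege ordering in main is explicit. main begins before this hunk and continues past it.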
@@ -482,14 +484,14 @@ int main (int argc, char **argv)
}
if (sock_errno) {
- DEBUG(LOG_ERR, "%s\n", strerror(sock_errno));
+ DEBUG(LOG_ERR, "socket: %s\n", strerror(sock_errno));
exit(1);
}
if (!opt_d)
do_daemonize();
- setuid(getuid());
+ drop_capabilities();
/* initialize */
if (init_sock(sock) < 0)
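Review bot: The removed `setuid(getuid());` was the only privilege drop visible in main, and its replacement `drop_capabilities();` is defined outside this diff, so the hunk alone does not show whether the real uid is still dropped, or on which builds. The accompanying configure.in change makes libcap optional (AC_CHECK_LIB with no failure action), so there is a configuration with HAVE_LIBCAP unset; on that build drop_capabilities() (or limit_capabilities()) must still fall back to setuid(getuid()), otherwise a setuid-root install keeps root for the daemon's whole lifetime. The old call also ignored setuid's return value, which can fail on Linux (e.g. EAGAIN under RLIMIT_NPROC), so wherever the fallback now lives it should be `if (setuid(getuid()) < 0) { DEBUG(LOG_ERR, "setuid: %s\n", strerror(errno)); exit(1); }`. A call-site comment such as `/* Socket is open and we are daemonized: drop everything that is left (init_sock() is assumed to need no privilege -- confirm) */` would make the intended privilege boundary explicit. main continues past the end of this hunk.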