author | YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> | 2012-11-14 20:15:07 +0900 |
---|---|---|
committer | YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> | 2012-11-14 20:15:07 +0900 |
commit | 65e6faf32c43d082a12242417101b98f0e1e81c0 (patch) | |
tree | dfbd4583f87dceba311856c53a15492a43a56cd5 /ninfod | |
parent | 2aeb59ed932f7f2edf5b41a1e6c85f609f40b166 (diff) | |
download | iputils-65e6faf32c43d082a12242417101b98f0e1e81c0.tar.gz |
ninfod: libcap support to drop capabilities.
Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Diffstat (limited to 'ninfod')
-rw-r--r-- | ninfod/config.h.in | 6 | ||||
-rwxr-xr-x | ninfod/configure | 57 | ||||
-rw-r--r-- | ninfod/configure.in | 2 | ||||
-rw-r--r-- | ninfod/ninfod.c | 6 |
4 files changed, 69 insertions, 2 deletions
diff --git a/ninfod/config.h.in b/ninfod/config.h.in index d89cffe..de22221 100644 --- a/ninfod/config.h.in +++ b/ninfod/config.h.in @@ -18,6 +18,9 @@ /* Define to 1 if you have the <inttypes.h> header file. */ #undef HAVE_INTTYPES_H +/* Define to 1 if you have the `cap' library (-lcap). */ +#undef HAVE_LIBCAP + /* Define to 1 if you have the `pthread' library (-lpthread). */ #undef HAVE_LIBPTHREAD @@ -66,6 +69,9 @@ /* Define to 1 if you have the <syslog.h> header file. */ #undef HAVE_SYSLOG_H +/* Define to 1 if you have the <sys/capability.h> header file. */ +#undef HAVE_SYS_CAPABILITY_H + /* Define to 1 if you have the <sys/stat.h> header file. */ #undef HAVE_SYS_STAT_H diff --git a/ninfod/configure b/ninfod/configure index 91a28c9..be6e71a 100755 --- a/ninfod/configure +++ b/ninfod/configure @@ -3572,6 +3572,18 @@ fi done +for ac_header in sys/capability.h +do : + ac_fn_c_check_header_mongrel "$LINENO" "sys/capability.h" "ac_cv_header_sys_capability_h" "$ac_includes_default" +if test "x$ac_cv_header_sys_capability_h" = xyes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE_SYS_CAPABILITY_H 1 +_ACEOF + +fi + +done + for ac_header in netinet/in.h do : ac_fn_c_check_header_mongrel "$LINENO" "netinet/in.h" "ac_cv_header_netinet_in_h" "$ac_includes_default" 
@@ -4041,6 +4053,51 @@ _ACEOF fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for cap_init in -lcap" >&5 +$as_echo_n "checking for cap_init in -lcap... " >&6; } +if ${ac_cv_lib_cap_cap_init+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lcap $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char cap_init (); +int +main () +{ +return cap_init (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_cap_cap_init=yes +else + ac_cv_lib_cap_cap_init=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_cap_cap_init" >&5 +$as_echo "$ac_cv_lib_cap_cap_init" >&6; } +if test "x$ac_cv_lib_cap_cap_init" = xyes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE_LIBCAP 1 +_ACEOF + + LIBS="-lcap $LIBS" + +fi + LIBS="-lcrypto $LIBS"
diff --git a/ninfod/configure.in b/ninfod/configure.in
index ab49dfe..d543af6 100644
--- a/ninfod/configure.in
+++ b/ninfod/configure.in
@@ -79,6 +79,7 @@ AC_HEADER_TIME
 AC_CHECK_HEADERS(openssl/md5.h)
 AC_CHECK_HEADERS(sys/uio.h)
 AC_CHECK_HEADERS(sys/utsname.h arpa/inet.h netdb.h syslog.h)
+AC_CHECK_HEADERS(sys/capability.h)
 AC_CHECK_HEADERS(netinet/in.h)
 AC_CHECK_HEADERS(netinet/ip6.h netinet/icmp6.h,,,[
 #if HAVE_SYS_TYPES_H
@@ -117,6 +118,7 @@ struct icmp6_nodeinfo nodeinfo;
 dnl Checks for library functions.
 AC_CHECK_FUNCS(nanosleep)
 AC_CHECK_LIB(pthread, pthread_create)
+AC_CHECK_LIB(cap, cap_init)
 dnl AC_CHECK_LIB(crypto, MD5_Init,
 dnl AC_DEFINE(HAVE_MD5_INIT)
diff --git a/ninfod/ninfod.c b/ninfod/ninfod.c
index 27531cc..44ab42e 100644
--- a/ninfod/ninfod.c
+++ b/ninfod/ninfod.c
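Review bot: `AC_CHECK_LIB(cap, cap_init)` in the second configure.in hunk makes libcap optional rather than required: when the library is absent, configure still succeeds, HAVE_LIBCAP stays undefined and -lcap is never added, so whatever limit_capabilities()/drop_capabilities() compile to in that configuration (they are defined outside this diff) must still drop privileges, or a build without libcap silently loses the privilege drop this commit replaces. The header check in the first hunk and the library check are also independent, so HAVE_LIBCAP can be defined while HAVE_SYS_CAPABILITY_H is not, and the code using both needs to cope with that combination. I would nest them so both must hold, `AC_CHECK_HEADERS(sys/capability.h, [AC_CHECK_LIB(cap, cap_init)])`, and if capability dropping is meant to be mandatory, fail configure when it is missing, `AC_CHECK_LIB(cap, cap_init,, [AC_MSG_ERROR([libcap is required])])`.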
@@ -468,6 +468,8 @@ int main (int argc, char **argv)
 appname = argv[0];
+ limit_capabilities();
+
 sock = open_sock();
 if (sock < 0)
 sock_errno = errno;
@@ -482,14 +484,14 @@ int main (int argc, char **argv)
 }
 if (sock_errno) {
- DEBUG(LOG_ERR, "%s\n", strerror(sock_errno));
+ DEBUG(LOG_ERR, "socket: %s\n", strerror(sock_errno));
 exit(1);
 }
 if (!opt_d)
 do_daemonize();
- setuid(getuid());
+ drop_capabilities();
 /* initialize */
 if (init_sock(sock) < 0) |
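Review bot: The result of `limit_capabilities();` in the first hunk is discarded, so if limiting fails the daemon carries on into open_sock() and the rest of startup with whatever privileges it started with. Placing the call before open_sock() is the right order, since only the socket creation should need the elevated capability, but a failure here should be fatal rather than silent: `if (limit_capabilities() < 0) exit(1);` assuming it follows the negative-return convention that open_sock() uses in the same hunk; the function is defined outside this diff, so confirm its return convention. main() begins before and continues after this hunk.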
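Review bot: `drop_capabilities();` in the second hunk replaces `setuid(getuid());` with its result discarded, so if the drop fails the daemon keeps running, now detached by do_daemonize() and still fully privileged; the old unchecked setuid() had the same weakness and this was the moment to fix it. drop_capabilities() is defined outside this diff, so I can't see its convention, but if it reports failure the call should become `if (drop_capabilities() < 0) { DEBUG(LOG_ERR, "drop_capabilities: %s\n", strerror(errno)); exit(1); }`. Separately, if it only clears the capability sets without changing the uid, note that a uid-0 process with no capabilities still passes the owner-bit DAC check on root-owned files, so the uid switch that setuid(getuid()) performed (which only had an effect when the real uid was not 0) is worth keeping in addition, not replacing. main() starts before and ends after this hunk.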