diff options
author | YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> | 2012-12-21 05:06:42 +0900 |
---|---|---|
committer | YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> | 2012-12-21 05:06:42 +0900 |
commit | bd9d5cf6979b86da501024cdd5acb183c894e922 (patch) | |
tree | b2c5e53e55fd465a734448bf0db1df1198b33ddb /ninfod | |
parent | 0de89dd843216bb44d012781f65769a4113d57a3 (diff) | |
download | iputils-bd9d5cf6979b86da501024cdd5acb183c894e922.tar.gz |
ninfod: Allow printing usage without permission errors.
Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Diffstat (limited to 'ninfod')
-rw-r--r-- | ninfod/ninfod.c | 57 |
1 files changed, 29 insertions, 28 deletions
diff --git a/ninfod/ninfod.c b/ninfod/ninfod.c index 802d5ed..d1b99d9 100644 --- a/ninfod/ninfod.c +++ b/ninfod/ninfod.c @@ -468,7 +468,9 @@ static void do_daemonize(void) /* --------- */ #ifdef HAVE_LIBCAP -static const cap_value_t caps[] = { CAP_NET_RAW, CAP_SETUID }; +static const cap_value_t cap_net_raw = CAP_NET_RAW; +static const cap_value_t cap_setuid = CAP_SETUID; +static cap_flag_value_t cap_ok; #else static uid_t euid; #endif @@ -476,21 +478,31 @@ static uid_t euid; static void limit_capabilities(void) { #ifdef HAVE_LIBCAP - cap_t cap_p; + cap_t cap_p, cap_cur_p; cap_p = cap_init(); if (!cap_p) { DEBUG(LOG_ERR, "cap_init: %s\n", strerror(errno)); exit(-1); + } + + cap_cur_p = cap_get_proc(); + if (!cap_cur_p) { + DEBUG(LOG_ERR, "cap_get_proc: %s\n", strerror(errno)); + exit(-1); } /* net_raw + setuid / net_raw */ - if (cap_set_flag(cap_p, CAP_PERMITTED, 2, caps, CAP_SET) < 0 || - cap_set_flag(cap_p, CAP_EFFECTIVE, 1, caps, CAP_SET) < 0) { - DEBUG(LOG_ERR, "cap_set_flag: %s\n", strerror(errno)); - exit(-1); + cap_get_flag(cap_cur_p, CAP_NET_RAW, CAP_PERMITTED, &cap_ok); + if (cap_ok != CAP_CLEAR) { + cap_set_flag(cap_p, CAP_PERMITTED, 1, &cap_net_raw, CAP_SET); + cap_set_flag(cap_p, CAP_EFFECTIVE, 1, &cap_net_raw, CAP_SET); } + cap_get_flag(cap_cur_p, CAP_SETUID, CAP_PERMITTED, &cap_ok); + if (cap_ok != CAP_CLEAR) + cap_set_flag(cap_p, CAP_PERMITTED, 1, &cap_setuid, CAP_SET); + if (cap_set_proc(cap_p) < 0) { DEBUG(LOG_ERR, "cap_set_proc: %s\n", strerror(errno)); if (errno != EPERM) @@ -502,10 +514,8 @@ static void limit_capabilities(void) exit(-1); } - if (cap_free(cap_p) < 0) { - DEBUG(LOG_ERR, "cap_free: %s\n", strerror(errno)); - exit(-1); - } + cap_free(cap_cur_p); + cap_free(cap_p); #else euid = geteuid(); #endif @@ -523,15 +533,14 @@ static void drop_capabilities(void) } /* setuid / setuid */ - if (cap_set_flag(cap_p, CAP_PERMITTED, 1, caps + 1, CAP_SET) < 0 || - cap_set_flag(cap_p, CAP_EFFECTIVE, 1, caps + 1, CAP_SET) < 0) { - DEBUG(LOG_ERR, "cap_set_flag: %s\n", strerror(errno)); - exit(-1); - } + if (cap_ok != CAP_CLEAR) { + cap_set_flag(cap_p, CAP_PERMITTED, 1, &cap_setuid, CAP_SET); + cap_set_flag(cap_p, CAP_EFFECTIVE, 1, &cap_setuid, CAP_SET); - if (cap_set_proc(cap_p) < 0) { - DEBUG(LOG_ERR, "cap_set_proc: %s\n", strerror(errno)); - exit(-1); + if (cap_set_proc(cap_p) < 0) { + DEBUG(LOG_ERR, "cap_set_proc: %s\n", strerror(errno)); + exit(-1); + } } if (seteuid(opt_u ? opt_u : getuid()) < 0) { @@ -544,21 +553,13 @@ static void drop_capabilities(void) exit(-1); } - if (cap_clear(cap_p) < 0) { - DEBUG(LOG_ERR, "cap_clear: %s\n", strerror(errno)); - exit(-1); - } - + cap_clear(cap_p); if (cap_set_proc(cap_p) < 0) { DEBUG(LOG_ERR, "cap_set_proc: %s\n", strerror(errno)); exit(-1); } - if (cap_free(cap_p) < 0) { - DEBUG(LOG_ERR, "cap_free: %s\n", strerror(errno)); - exit(-1); - } - + cap_free(cap_p); #else if (setuid(getuid()) < 0) { DEBUG(LOG_ERR, "setuid: %s\n", strerror(errno)); |