Usually, using cap should be enabled/disabled via autoconf.
On Mon, Apr 11, 2011 at 11:23 PM, crocket <crockabisc...@gmail.com> wrote:
>
> diff -Naur a/init.c b/init.c
> --- a/init.c 2010-11-05 04:29:02.000000000 +0900
> +++ b/init.c 2011-04-12 05:11:43.540370471 +0900
> @@ -41,6 +41,10 @@
>
> #include "occ-inline.h"
>
> +#ifdef TARGET_LINUX
> +#include <sys/prctl.h>
> +#endif
> +
> static struct context *static_context; /* GLOBAL */
>
> /*
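Review bot: guarding the include with TARGET_LINUX tests the platform rather than the feature; since the reply says capability support should be switched on and off via autoconf, a configure-time check for <sys/prctl.h> and PR_SET_KEEPCAPS (AC_CHECK_HEADERS / AC_CHECK_DECLS in configure.ac) with a matching ifdef here, and the same guard around the prctl() call in the second hunk, would keep the two in step and let the code build on Linux toolchains that lack the header.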
> @@ -904,6 +908,10 @@
> if (no_delay)
> {
> set_group (&c0->group_state);
> +#ifdef TARGET_LINUX
> + if(prctl(PR_SET_KEEPCAPS, 1) < 0)
> + msg (M_ERR, "prctl(PR_SET_KEEPCAPS, 1) failed");
> +#endif
> set_user (&c0->user_state);
> c0->uid_gid_set = true;
> }
>
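Review bot: PR_SET_KEEPCAPS only preserves the permitted set across the 0-to-nonzero UID switch in set_user(); Linux still clears the effective set when the effective UID leaves 0, so anything that needs CAP_IPC_LOCK after this point must re-raise it into the effective set with capset(2) (cap_set_proc() in libcap), or the mlock call has to happen before set_user(). The hunk also sets the flag on every Linux user switch, whether or not any capability is meant to survive it, and the flag is reset on execve(2); consider tying the call to the configure-time option the reply asks for and noting in the commit message which capabilities the daemon is expected to retain and why.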
> The patch is above.
> I had been investigating why OpenVPN refused to use the CAP_IPC_LOCK capability.
> I found out that it was because OpenVPN invoked setuid and setuid
> erased POSIX capabilities.
> prctl(PR_SET_KEEPCAPS, 1) lets OpenVPN keep capabilities after setuid
> invocation.
>
> Thanks in advance for considering this patch.
>
> _______________________________________________
> Openvpn-devel mailing list
> Openvpn-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openvpn-devel
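The sequence the patch relies on, shown as a stand-alone example added here (not code from the patch or from OpenVPN): set the keep-caps flag, switch group and user, and then raise CAP_IPC_LOCK from the permitted set back into the effective set, which the UID change has cleared. The function names drop_privs_keep_ipc_lock, raise_effective, read_caps and keepcaps_roundtrip are this example's own; it uses the raw capget/capset syscalls so it needs no libcap, and the roundtrip check works without root.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/capability.h>
#include <unistd.h>

/* Read this process's own capability sets with the raw capget(2) syscall
 * (hypothetical helper, no libcap needed). Only the low 32 bits are
 * returned; CAP_IPC_LOCK is bit 14, so that is enough here. Returns 0 on success. */
int read_caps(uint32_t *permitted, uint32_t *effective)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];
    if (syscall(SYS_capget, &hdr, data) < 0)
        return -1;
    *permitted = data[0].permitted;
    *effective = data[0].effective;
    return 0;
}

/* True if capability number `cap` (< 32) is present in the 32-bit set. */
int cap_in(uint32_t set, int cap)
{
    return (set >> cap) & 1u;
}

/* Raise one capability from the permitted set into the effective set.
 * The kernel allows this without any privilege as long as the bit is
 * already permitted; it fails with EPERM otherwise. */
int raise_effective(int cap)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];
    if (syscall(SYS_capget, &hdr, data) < 0)
        return -1;
    if (!cap_in(data[0].permitted, cap)) {
        errno = EPERM;
        return -1;
    }
    data[0].effective |= (1u << cap);
    return (int)syscall(SYS_capset, &hdr, data);
}

/* Switch to an unprivileged uid/gid while keeping CAP_IPC_LOCK usable.
 * Without PR_SET_KEEPCAPS the setuid() would empty the permitted set;
 * with it, permitted survives but effective is still cleared, hence the
 * explicit raise afterwards. Must start with uid 0 to be meaningful. */
int drop_privs_keep_ipc_lock(uid_t uid, gid_t gid)
{
    if (prctl(PR_SET_KEEPCAPS, 1) < 0)
        return -1;
    if (setgid(gid) < 0)
        return -1;
    if (setuid(uid) < 0)            /* permitted kept, effective cleared */
        return -1;
    if (raise_effective(CAP_IPC_LOCK) < 0)
        return -1;
    return 0;
}

/* Unprivileged check: the keep-caps flag can be set and read back by any
 * process, so this verifies the prctl() interface without needing root.
 * Returns 0 when the flag toggles as expected. */
int keepcaps_roundtrip(void)
{
    if (prctl(PR_SET_KEEPCAPS, 1) < 0)
        return -1;
    int on = prctl(PR_GET_KEEPCAPS);
    if (prctl(PR_SET_KEEPCAPS, 0) < 0)
        return -1;
    int off = prctl(PR_GET_KEEPCAPS);
    return (on == 1 && off == 0) ? 0 : -1;
}

int main(void)
{
    uint32_t perm, eff;
    printf("keepcaps roundtrip: %s\n", keepcaps_roundtrip() == 0 ? "ok" : "failed");
    if (read_caps(&perm, &eff) == 0)
        printf("CAP_IPC_LOCK permitted=%d effective=%d\n",
               cap_in(perm, CAP_IPC_LOCK), cap_in(eff, CAP_IPC_LOCK));
    /* Run as root with a real target uid/gid to exercise the full drop:
     * drop_privs_keep_ipc_lock(65534, 65534); */
    return 0;
}
```

Compile with `gcc keepcaps_demo.c`. Run as root, the full drop leaves CAP_IPC_LOCK set in both permitted and effective after the UID change, which is what a later mlockall() needs; without the raise_effective() step the second printf would show permitted=1 effective=0, the state the patch on its own produces.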