How do I enable it via autoconf?
On Tue, Apr 12, 2011 at 5:37 AM, Alon Bar-Lev <alon.bar...@gmail.com> wrote:
> Usually, using cap should be enabled/disabled via autoconf.
>
> On Mon, Apr 11, 2011 at 11:23 PM, crocket <crockabisc...@gmail.com> wrote:
>>
>> diff -Naur a/init.c b/init.c
>> --- a/init.c 2010-11-05 04:29:02.000000000 +0900
>> +++ b/init.c 2011-04-12 05:11:43.540370471 +0900
>> @@ -41,6 +41,10 @@
>>
>> #include "occ-inline.h"
>>
>> +#ifdef TARGET_LINUX
>> +#include <sys/prctl.h>
>> +#endif
>> +
>> static struct context *static_context; /* GLOBAL */
>>
>> /*
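Review bot: The `#ifdef TARGET_LINUX` guard on `#include <sys/prctl.h>` keys the feature to the platform name rather than to what configure actually finds, which is the concern raised in the reply above. A header check in configure (for example `AC_CHECK_HEADERS([sys/prctl.h])`) with the include guarded by the resulting `HAVE_SYS_PRCTL_H` would let the build decide, and the second hunk should then use the same guard as this one.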
>> @@ -904,6 +908,10 @@
>> if (no_delay)
>> {
>> set_group (&c0->group_state);
>> +#ifdef TARGET_LINUX
>> + if(prctl(PR_SET_KEEPCAPS, 1) < 0)
>> + msg (M_ERR, "prctl(PR_SET_KEEPCAPS, 1) failed");
>> +#endif
>> set_user (&c0->user_state);
>> c0->uid_gid_set = true;
>> }
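Review bot: Calling `prctl(PR_SET_KEEPCAPS, 1)` just before `set_user` keeps the entire permitted set across the UID change, not only CAP_IPC_LOCK, and the kernel still clears the effective set on that transition. After `set_user` the code should shrink the permitted set to the capabilities it needs and raise them in the effective set, since capability checks use the effective set; otherwise the process carries every root capability in its permitted set after the privilege drop. Style: `if(prctl` lacks the space used by `if (no_delay)` in the surrounding context.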
>>
>> The patch is above.
>> I had been investigating why OpenVPN refused to use CAP_IPC_LOCK capability.
>> I found out that it was because OpenVPN invoked setuid and setuid
>> erased POSIX capabilities.
>> prctl(PR_SET_KEEPCAPS, 1) lets OpenVPN keep capabilities after setuid
>> invocation.
>>
>> Thanks in advance for considering this patch.
>>
>> _______________________________________________
>> Openvpn-devel mailing list
>> Openvpn-devel@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/openvpn-devel
>
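The message above describes setuid erasing capabilities and PR_SET_KEEPCAPS preserving them. The following added example (not part of the patch or of OpenVPN) shows the full sequence on Linux, including the step after the UID change where the kept capability is re-raised and the rest are discarded. The function names and the uid/gid 65534 are assumptions made for illustration.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <linux/capability.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Read (get != 0) or write this process's capability sets via the raw syscalls. */
static int caps_rw(int get, struct __user_cap_data_struct d[2])
{
    struct __user_cap_header_struct h = { _LINUX_CAPABILITY_VERSION_3, 0 };
    return (int) syscall(get ? SYS_capget : SYS_capset, &h, d);
}

/* 1 if cap is in the effective set, 0 if not, -1 on error. */
int effective_has(int cap)
{
    struct __user_cap_data_struct d[2] = { { 0 } };
    if (caps_rw(1, d) < 0) return -1;
    return (d[cap >> 5].effective >> (cap & 31)) & 1;
}

/* Shrink permitted and effective to cap alone; inheritable is emptied. */
int retain_only(int cap)
{
    struct __user_cap_data_struct d[2] = { { 0 } };
    d[cap >> 5].permitted = d[cap >> 5].effective = 1u << (cap & 31);
    return caps_rw(0, d);
}

/* Drop from root to uid/gid while keeping exactly one capability usable. */
int drop_root_keep_cap(uid_t uid, gid_t gid, int cap)
{
    /* Without this, the UID change empties the permitted set as well. */
    if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) < 0) return -1;
    if (setgroups(0, NULL) < 0 || setgid(gid) < 0 || setuid(uid) < 0) return -1;
    /* Now: permitted is still the full root set, effective is empty. */
    if (retain_only(cap) < 0) return -1;   /* re-raise cap, discard the rest */
    return prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0);
}

int main(void)
{
    int rc = drop_root_keep_cap(65534, 65534, CAP_IPC_LOCK); /* constructed ids */
    printf("drop=%d CAP_IPC_LOCK effective=%d\n", rc, effective_has(CAP_IPC_LOCK));
    return rc ? 1 : 0;
}
```

Run as root it ends with only CAP_IPC_LOCK in the permitted and effective sets; run unprivileged, `drop_root_keep_cap` returns -1 at the `setgroups` call.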