Re: [Openvpn-devel] I made a patch that prevents POSIX capabilities from disappearing during UID downgrade.

Mon, 11 Apr 2011 21:28:45 +0000 

Into configure.ac you add something like:
---
AC_ARG_ENABLE(
        [capabilities],
        [AS_HELP_STRING([--enable-capabilities],[enable Linux
capabilities @<:@disabled@:>@])],
        ,
        [enable_capabilities="no"]
)
test "${enable_capabilities}" = "yes" &&
AC_DEFINE([ENABLE_CAPABILITIES], [1], [enable Linux capabilities])
---

Then in source you test for:
#ifdef ENABLE_CAPABILITIES

Alon.


On Tue, Apr 12, 2011 at 12:03 AM, crocket <crockabisc...@gmail.com> wrote:
> How do I enable it via autoconf?
>
> On Tue, Apr 12, 2011 at 5:37 AM, Alon Bar-Lev <alon.bar...@gmail.com> wrote:
>> Usually, using cap should be enabled/disabled via autoconf.
>>
>> On Mon, Apr 11, 2011 at 11:23 PM, crocket <crockabisc...@gmail.com> wrote:
>>>
>>> diff -Naur a/init.c b/init.c
>>> --- a/init.c    2010-11-05 04:29:02.000000000 +0900
>>> +++ b/init.c    2011-04-12 05:11:43.540370471 +0900
>>> @@ -41,6 +41,10 @@
>>>
>>>  #include "occ-inline.h"
>>>
>>> +#ifdef TARGET_LINUX
>>> +#include <sys/prctl.h>
>>> +#endif
>>> +
>>>  static struct context *static_context; /* GLOBAL */
>>>
>>>  /*
>>> @@ -904,6 +908,10 @@
>>>       if (no_delay)
>>>        {
>>>          set_group (&c0->group_state);
>>> +#ifdef TARGET_LINUX
>>> +         if(prctl(PR_SET_KEEPCAPS, 1) < 0)
>>> +           msg (M_ERR, "prctl(PR_SET_KEEPCAPS, 1) failed");
>>> +#endif
>>>          set_user (&c0->user_state);
>>>          c0->uid_gid_set = true;
>>>        }
>>>
>>> The patch is above.
>>> I had been investigating why OpenVPN refused to use CAP_IPC_LOCK capability.
>>> I found out that it was because OpenVPN invoked setuid and setuid
>>> erased POSIX capabilities.
>>> prctl(PR_SET_KEEPCAPS, 1) lets OpenVPN keep capabilities after setuid
>>> invocation.
>>>
>>> Thanks in advance for considering this patch.
>>>
>>> ------------------------------------------------------------------------------
>>> Forrester Wave Report - Recovery time is now measured in hours and minutes
>>> not days. Key insights are discussed in the 2010 Forrester Wave Report as
>>> part of an in-depth evaluation of disaster recovery service providers.
>>> Forrester found the best-in-class provider in terms of services and vision.
>>> Read this report now!  http://p.sf.net/sfu/ibm-webcastpromo
>>> _______________________________________________
>>> Openvpn-devel mailing list
>>> Openvpn-devel@lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/openvpn-devel
>>
>

Reply via email to