Why don't you submit a patch for this? Although my patch doesn't seem to make OpenVPN retain Linux capabilities during UID downgrade, if you made a patch that includes my patch, Linux people would appreciate it.
On Tue, Apr 12, 2011 at 6:28 AM, Alon Bar-Lev <alon.bar...@gmail.com> wrote: > Into configure.ac you add something like: > --- > AC_ARG_ENABLE( > [capabilities], > [AS_HELP_STRING([--enable-capabilities],[enable Linux > capabilities @<:@disabled@:>@])], > , > [enable_capabilities="no"] > ) > test "${enable_capabilities}" = "yes" && > AC_DEFINE([ENABLE_CAPABILITIES], [1], [enable Linux capabilities]) > --- > > Then in source you test for: > #ifdef ENABLE_CAPABILITIES > > Alon. > > > On Tue, Apr 12, 2011 at 12:03 AM, crocket <crockabisc...@gmail.com> wrote: >> How do I enable it via autoconf? >> >> On Tue, Apr 12, 2011 at 5:37 AM, Alon Bar-Lev <alon.bar...@gmail.com> wrote: >>> Usually, using cap should be enabled/disabled via autoconf. >>> >>> On Mon, Apr 11, 2011 at 11:23 PM, crocket <crockabisc...@gmail.com> wrote: >>>> >>>> diff -Naur a/init.c b/init.c >>>> --- a/init.c 2010-11-05 04:29:02.000000000 +0900 >>>> +++ b/init.c 2011-04-12 05:11:43.540370471 +0900 >>>> @@ -41,6 +41,10 @@ >>>> >>>> #include "occ-inline.h" >>>> >>>> +#ifdef TARGET_LINUX >>>> +#include <sys/prctl.h> >>>> +#endif >>>> + >>>> static struct context *static_context; /* GLOBAL */ >>>> >>>> /* 
>>>> @@ -904,6 +908,10 @@ >>>> if (no_delay) >>>> { >>>> set_group (&c0->group_state); >>>> +#ifdef TARGET_LINUX >>>> + if(prctl(PR_SET_KEEPCAPS, 1) < 0) >>>> + msg (M_ERR, "prctl(PR_SET_KEEPCAPS, 1) failed"); >>>> +#endif >>>> set_user (&c0->user_state); >>>> c0->uid_gid_set = true; >>>> } >>>> >>>> The patch is above. >>>> I had been investigating why OpenVPN refused to use CAP_IPC_LOCK >>>> capability. >>>> I found out that it was because OpenVPN invoked setuid and setuid >>>> erased POSIX capabilities. >>>> prctl(PR_SET_KEEPCAPS, 1) lets OpenVPN keep capabilities after setuid >>>> invocation. >>>> >>>> Thanks in advance for considering this patch. >>>> >>>> Openvpn-devel mailing list >>>> Openvpn-devel@lists.sourceforge.net >>>> https://lists.sourceforge.net/lists/listinfo/openvpn-devel
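Review bot: In the init.c include hunk (@@ -41,6 +41,10 @@), `#include <sys/prctl.h>` is keyed on TARGET_LINUX, a platform macro, rather than on a build option; as proposed earlier in the thread, gate it (and the matching prctl call) on a configure-time `ENABLE_CAPABILITIES` define so the feature can be disabled and the platform test lives in one place instead of being duplicated in both hunks.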
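Review bot: In the uid_gid_set hunk (@@ -904,6 +908,10 @@), calling `prctl(PR_SET_KEEPCAPS, 1)` between set_group and set_user is the right ordering, but on its own it only preserves the permitted set across the UID change; the kernel still clears the effective set when the effective UID leaves 0, so CAP_IPC_LOCK is not usable after set_user unless a follow-up capset()/cap_set_proc() raises it back into the effective set. That matches the report at the top of the thread that the patch does not retain capabilities; the re-raise step (and a check that the wanted capability is actually in the permitted set before dropping) belongs right after set_user.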
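The complete sequence the patch is aiming for, as an added example that is not code from the patch or from the OpenVPN tree: PR_SET_KEEPCAPS before setuid() keeps the capability in the permitted set, and a capset(2) afterwards puts it back into the effective set, which the kernel clears on the UID change. The function names are this example's own, and it assumes a Linux build.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/capability.h>

/* Bit test over the two 32-bit words of a capset(2) v3 data array. */
int cap_in_effective(const struct __user_cap_data_struct d[2], int cap)
{
    return (int)((d[cap / 32].effective >> (cap % 32)) & 1u);
}

/* Set the keep-caps flag; returns the flag as the kernel reports it (1). */
int enable_keepcaps(void)
{
    if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) < 0)
        return -1;
    return prctl(PR_GET_KEEPCAPS, 0, 0, 0, 0);
}

/* Raise `cap` (e.g. CAP_IPC_LOCK) back into the effective set. This only
 * works if `cap` is still in the permitted set, which is exactly what
 * enable_keepcaps() before setuid() preserves across a UID downgrade. */
int raise_effective_cap(int cap)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];
    memset(data, 0, sizeof data);
    if (syscall(SYS_capget, &hdr, data) < 0)
        return -1;
    data[cap / 32].effective |= 1u << (cap % 32);
    if (syscall(SYS_capset, &hdr, data) < 0)
        return -1;               /* EPERM: cap is not in the permitted set */
    return 0;
}

/* The whole downgrade: keep-caps, setgid, setuid, then re-raise the
 * capability. Returns 0 on success, -1 if any step fails. Demonstrating it
 * needs root; as an unprivileged user the final step fails with EPERM. */
int drop_to_uid_keeping_cap(uid_t uid, gid_t gid, int cap)
{
    if (enable_keepcaps() != 1)
        return -1;
    if (setgid(gid) < 0 || setuid(uid) < 0)
        return -1;
    return raise_effective_cap(cap);
}
```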