[Openvpn-devel] I made a patch that prevents POSIX capabilities from disappearing during UID downgrade.
diff -Naur a/init.c b/init.c
--- a/init.c	2010-11-05 04:29:02.0 +0900
+++ b/init.c	2011-04-12 05:11:43.540370471 +0900
@@ -41,6 +41,10 @@
 
 #include "occ-inline.h"
 
+#ifdef TARGET_LINUX
+#include
+#endif
+
 static struct context *static_context; /* GLOBAL */
 
 /*
@@ -904,6 +908,10 @@
   if (no_delay)
     {
       set_group (&c0->group_state);
+#ifdef TARGET_LINUX
+      if(prctl(PR_SET_KEEPCAPS, 1) < 0)
+        msg (M_ERR, "prctl(PR_SET_KEEPCAPS, 1) failed");
+#endif
       set_user (&c0->user_state);
       c0->uid_gid_set = true;
     }

The patch is above.
I had been investigating why OpenVPN refused to use the CAP_IPC_LOCK capability.
I found out that it was because OpenVPN invoked setuid, and setuid erased POSIX capabilities.
prctl(PR_SET_KEEPCAPS, 1) lets OpenVPN keep capabilities after the setuid invocation.

Thanks in advance for considering this patch.
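Review bot: in the first hunk the added `+#include` line names no header, so the TARGET_LINUX block will not compile as posted; prctl() and PR_SET_KEEPCAPS are declared in <sys/prctl.h>, so the line should read `+#include <sys/prctl.h>`. Since the reply below suggests an autoconf switch, a configure-time define would also be a better guard than the platform macro TARGET_LINUX.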
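Review bot: in the second hunk, prctl(PR_SET_KEEPCAPS, 1) before set_user() preserves only the permitted capability set across the uid change; the kernel still clears the effective set when the uid leaves 0, so CAP_IPC_LOCK remains unusable until it is raised back into the effective set after set_user() (capset(2) or libcap's cap_set_proc()), and at that point the permitted set should be reduced to just the capability that is needed rather than left at full root. This is consistent with the later report in this thread that the patch "doesn't seem to make OpenVPN retain linux capabilities". Also note that msg(M_ERR, ...) makes a prctl failure fatal; if losing capabilities is meant to be survivable, M_WARN is the gentler choice.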
Re: [Openvpn-devel] I made a patch that prevents POSIX capabilities from disappearing during UID downgrade.
Usually, using cap should be enabled/disabled via autoconf.

On Mon, Apr 11, 2011 at 11:23 PM, crocket wrote:
> The patch is above.
> I had been investigating why OpenVPN refused to use the CAP_IPC_LOCK capability.
> I found out that it was because OpenVPN invoked setuid, and setuid erased POSIX capabilities.
> prctl(PR_SET_KEEPCAPS, 1) lets OpenVPN keep capabilities after the setuid invocation.
>
> Thanks in advance for considering this patch.
>
> ___
> Openvpn-devel mailing list
> Openvpn-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] I made a patch that prevents POSIX capabilities from disappearing during UID downgrade.
How do I enable it via autoconf?

On Tue, Apr 12, 2011 at 5:37 AM, Alon Bar-Lev wrote:
> Usually, using cap should be enabled/disabled via autoconf.
Re: [Openvpn-devel] I made a patch that prevents POSIX capabilities from disappearing during UID downgrade.
Into configure.ac you add something like:
---
AC_ARG_ENABLE(
	[capabilities],
	[AS_HELP_STRING([--enable-capabilities],[enable Linux capabilities @<:@disabled@:>@])],
	,
	[enable_capabilities="no"]
)
test "${enable_capabilities}" = "yes" && AC_DEFINE([ENABLE_CAPABILITIES], [1], [enable Linux capabilities])
---

Then in source you test for:
#ifdef ENABLE_CAPABILITIES

Alon.

On Tue, Apr 12, 2011 at 12:03 AM, crocket wrote:
> How do I enable it via autoconf?
Re: [Openvpn-devel] I made a patch that prevents POSIX capabilities from disappearing during UID downgrade.
Why don't you submit a patch for this?
Although my patch doesn't seem to make OpenVPN retain linux capabilities during UID downgrade, if you made a patch that includes my patch, linux people would appreciate it.

On Tue, Apr 12, 2011 at 6:28 AM, Alon Bar-Lev wrote:
> Into configure.ac you add something like:
> ---
> AC_ARG_ENABLE(
> 	[capabilities],
> 	[AS_HELP_STRING([--enable-capabilities],[enable Linux capabilities @<:@disabled@:>@])],
> 	,
> 	[enable_capabilities="no"]
> )
> test "${enable_capabilities}" = "yes" && AC_DEFINE([ENABLE_CAPABILITIES], [1], [enable Linux capabilities])
> ---
>
> Then in source you test for:
> #ifdef ENABLE_CAPABILITIES
>
> Alon.
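The full privilege-drop sequence the thread is circling around, as an added example that is not OpenVPN code and not from either poster: it pairs the PR_SET_KEEPCAPS call from the patch with the capset(2) step that re-raises the capability into the effective set, which is why the patch alone left CAP_IPC_LOCK unusable. It assumes Linux and uses the raw capget/capset syscalls (no libcap); the function and mask-helper names are my own.

```c
/* Added example, not OpenVPN code.  Drop from root to an unprivileged
 * uid/gid while keeping one capability usable.  PR_SET_KEEPCAPS preserves
 * only the *permitted* set across setuid(); the kernel clears the
 * *effective* set, so the capability must be re-raised with capset(2). */
#define _GNU_SOURCE
#include <linux/capability.h>
#include <stdint.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#define CAP_WORDS 2 /* v3 ABI: 64-bit capability mask as two u32 words */

/* Test bit `cap` of a two-word capability mask. */
int cap_mask_has(const uint32_t mask[CAP_WORDS], int cap)
{
    return (mask[cap / 32] >> (cap % 32)) & 1;
}
/* Build a mask containing exactly `cap` (the set we intend to keep). */
void cap_mask_only(uint32_t mask[CAP_WORDS], int cap)
{
    mask[0] = mask[1] = 0;
    mask[cap / 32] |= (uint32_t)1 << (cap % 32);
}
/* Step 1, what the thread's patch does: keep the permitted set across the
 * uid change.  This prctl is allowed for unprivileged processes too. */
int keepcaps_enable(void)
{
    return prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0);
}

/* Full sequence; succeeds only when started as root.  Uses raw capget/
 * capset syscalls to avoid libcap.  Returns 0 on success, -1 (errno set). */
int drop_privs_keep_cap(uid_t uid, gid_t gid, int cap)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[CAP_WORDS] = { { 0 } };
    uint32_t keep[CAP_WORDS];
    if (keepcaps_enable() < 0) return -1;
    if (setgid(gid) < 0 || setuid(uid) < 0) return -1; /* set_group/set_user */
    /* Step 2: effective set is now empty; raise `cap` back, shed the rest. */
    if (syscall(SYS_capget, &hdr, data) < 0) return -1;
    cap_mask_only(keep, cap);
    for (int i = 0; i < CAP_WORDS; i++) {
        data[i].permitted &= keep[i];
        data[i].effective = data[i].permitted;
        data[i].inheritable = 0;
    }
    if (syscall(SYS_capset, &hdr, data) < 0) return -1;
    return prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0); /* flag no longer needed */
}
```

Run as root, drop_privs_keep_cap(uid, gid, CAP_IPC_LOCK) leaves the process with only CAP_IPC_LOCK permitted and effective; the mask helpers and keepcaps_enable() can be exercised unprivileged.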