Go to:
Gentoo Home
Documentation
Forums
Lists
Bugs
Planet
Store
Wiki
Get Gentoo!
Gentoo's Bugzilla – Attachment 99393 Details for
Bug 150845
app-admin/sysklogd: run without root privileges by default
Home
|
New
–
[Ex]
|
Browse
|
Search
|
Privacy Policy
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
make drop-root/chroot of klogd work even on linux-hardened with capabilities enabled. (removed email to protect from email harvesting for spam)
sysklogd-1.4.1-cean-owl-klogd-drop-root-fix-capabilities.diff (text/plain), 1.57 KB, created by
Miguel Sousa Filipe
on 2006-10-11 18:10:14 UTC
(
hide
)
Description:
make drop-root/chroot of klogd work even on linux-hardened with capabilities enabled. (removed email to protect from email harvesting for spam)
Filename:
MIME Type:
Creator:
Miguel Sousa Filipe
Created:
2006-10-11 18:10:14 UTC
Size:
1.57 KB
patch
obsolete
>--- sysklogd-1.4.1/klogd.c.orig 2006-10-12 01:29:49.000000000 +0100 >+++ sysklogd-1.4.1/klogd.c 2006-10-12 01:32:58.000000000 +0100 >@@ -246,6 +246,9 @@ > * Thu Apr 29 15:24:07 2004: Solar Designer <solar@openwall.com> > * Prevent potential buffer overflow in reading messages from the > * kernel log rinbuffer. >+ * >+ * Thu Oct 12 00:12:02 2006: Miguel Filipe <miguel.filipe@gmail.com> >+ * fix drop_root() to work correctly with capabilities > */ > > >@@ -263,6 +266,8 @@ > #include <stdlib.h> > #include <pwd.h> > #include <grp.h> >+#include <sys/prctl.h> >+#include <sys/capability.h> > #include "klogd.h" > #include "ksyms.h" > #ifndef TESTING >@@ -989,6 +994,9 @@ > static int drop_root(void) > { > struct passwd *pw; >+ cap_t cap; >+ cap_value_t cap_value[2] = { CAP_SYS_ADMIN, CAP_SYS_CHROOT }; >+ int result; > > if (!(pw = getpwnam(server_user))) return -1; > >@@ -999,10 +1007,36 @@ > if (chdir("/")) return -1; > } > >+ /* set keep capabilities */ >+ if( prctl( PR_SET_KEEPCAPS, 1, 0, 0, 0 ) ) >+ return -1; >+ >+ /* test whether cap_set_proc works */ >+ cap = cap_get_proc(); >+ if( cap ) { >+ result = cap_set_proc( cap ); >+ cap_free( cap ); >+ if( result ) >+ return -1; >+ } else >+ return -1; >+ >+ > if (setgroups(0, NULL)) return -1; > if (setgid(pw->pw_gid)) return -1; > if (setuid(pw->pw_uid)) return -1; > >+ /* set necessary capabilities */ >+ cap = cap_init(); >+ if( cap_set_flag( cap, CAP_PERMITTED, 2, cap_value, CAP_SET ) || >+ cap_set_flag( cap, CAP_EFFECTIVE, 2, cap_value, CAP_SET ) ) >+ return -1; >+ >+ if( cap_set_proc( cap ) ) >+ return -1; >+ if( cap_free( cap ) ) >+ return -1; >+ > return 0; > } >
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=99393">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 150845
: 99393 |
99394
|
99395
|
99396
