
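--- a/Makefile.am
+++ b/Makefile.am
@@ -179,6 +179,7 @@ PAM_LINK = -lpam
 KERBEROS_LINK = $(kerberos_lib)
 EVENT_LINK = @event_lib@
 PW_CRACK_LINK = -lcrack
+LIBCAP_LINK = @libcap_lib@
 
 LIBSOCKET=@LIBSOCKET@
 LIBNSL=@LIBNSL@
@@ -2108,6 +2109,10 @@ else
 ns_slapd_LINK = $(LINK)
 endif
 
+if LINUX
+ns_slapd_LDADD += $(LIBCAP_LINK)
+endif
+
 #------------------------
 # pwdhash
 #------------------------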
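--- a/configure.ac
+++ b/configure.ac
@@ -829,6 +829,7 @@ AC_SUBST(initconfigdir)
 # Conditionals for makefile.am
 AM_CONDITIONAL([ATOMIC_QUEUE_OPERATIONS], [test "$with_atomic_queue" = "yes"])
 AM_CONDITIONAL([HPUX],[test "$platform" = "hpux"])
+AM_CONDITIONAL([LINUX],[test "$platform" = "linux"])
 AM_CONDITIONAL([SOLARIS],[test "$platform" = "solaris"])
 AM_CONDITIONAL([FREEBSD],[test "$platform" = "freebsd"])
 AM_CONDITIONAL([SPARC],[test "x$TARGET" = xSPARC])
@@ -849,6 +850,7 @@ m4_include(m4/selinux.m4)
 m4_include(m4/systemd.m4)
 m4_include(m4/cmocka.m4)
 m4_include(m4/doxygen.m4)
+m4_include(m4/libcap.m4)
 
 PACKAGE_BASE_VERSION=`echo $PACKAGE_VERSION | awk -F\. '{print $1"."$2}'`
 AC_SUBST(PACKAGE_BASE_VERSION)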
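--- a/ldap/servers/slapd/main.c
+++ b/ldap/servers/slapd/main.c
@@ -50,6 +50,9 @@ union semun
 #include <sys/utsname.h>
 #include <sys/systeminfo.h>
 #endif
+#if defined(LINUX)
+#include <sys/capability.h>
+#endif
 #include "slap.h"
 #include "slapi-plugin.h"
 #include "prinit.h"
@@ -366,6 +369,51 @@ fix_ownership(void)
     }
 }
 
+#ifdef LINUX
+/*
+ * Drops the CAP_NET_BIND_SERVICE capability
+ */
+static int
+main_drop_caps()
+{
+        cap_t caps;
+        const cap_value_t cap_list[1] = { CAP_NET_BIND_SERVICE };
+        caps = cap_get_proc();
+        if (caps == NULL) {
+            int oserr = errno;
+            slapi_log_err(SLAPI_LOG_ERR, "main_setuid", "cap_get_proc() == NULL, error %d (%s)\n",
+                        oserr, slapd_system_strerror(oserr));
+            return -1;
+        }
+
+        if (
+                cap_set_flag(caps, CAP_EFFECTIVE, sizeof(cap_list) / sizeof(cap_value_t), cap_list, CAP_SET) == -1 ||
+                cap_set_flag(caps, CAP_PERMITTED, sizeof(cap_list) / sizeof(cap_value_t), cap_list, CAP_SET) == -1 ||
+                cap_set_flag(caps, CAP_INHERITABLE, sizeof(cap_list) / sizeof(cap_value_t), cap_list, CAP_SET) == -1) {
+            int oserr = errno;
+            slapi_log_err(SLAPI_LOG_ERR, "main_setuid", "cap_set_flag() == -1, error %d (%s)\n",
+                        oserr, slapd_system_strerror(oserr));
+            return -1;
+        }
+
+        if (cap_set_proc(caps) == -1) {
+            int oserr = errno;
+            slapi_log_err(SLAPI_LOG_ERR, "main_setuid", "cap_set_proc() == -1, error %d (%s)\n",
+                        oserr, slapd_system_strerror(oserr));
+            return -1;
+        }
+
+        if (cap_free(caps) == -1) {
+            int oserr = errno;
+            slapi_log_err(SLAPI_LOG_ERR, "main_setuid", "cap_free() == -1, error %d (%s)\n",
+                        oserr, slapd_system_strerror(oserr));
+            return -1;
+        }
+
+        return 0;
+}
+#endif
+
 /* Changes identity to the named user
  * If username == NULL, does nothing.
  * Does nothing on NT regardless.
@@ -373,6 +421,17 @@ fix_ownership(void)
 static int
 main_setuid(char *username)
 {
+#ifdef LINUX
+    if( geteuid() != 0 )
+    {
+        /*
+         * Port binding must have happened using capabilities. So skip the
+         * priv drop below and drop the CAP_NET_BIND_SERVICE capability instead
+         */
+        return main_drop_caps();
+    }
+#endif
+
     if (username != NULL) {
         struct passwd *pw;
         /* Make sure everything in the log and config directory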
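Review bot: main_drop_caps() raises CAP_NET_BIND_SERVICE instead of dropping it: all three cap_set_flag() calls pass `CAP_SET`, the value that enables a capability in the given set, while the function's header comment says the capability is dropped; each call should pass `CAP_CLEAR`, otherwise a non-root slapd keeps the privileged-port bind capability for its whole lifetime. The `return -1` paths after the cap_set_flag() and cap_set_proc() checks also leave the cap_t obtained from cap_get_proc() unfreed, so every error path leaks it, and the log messages inside main_drop_caps() are tagged "main_setuid" rather than the function's own name. A goto-based cleanup fixes both; the rewritten function is below (the log calls are unchanged apart from the tag). The early return added to main_setuid() under `#ifdef LINUX` skips the chown and setuid work entirely whenever geteuid() != 0, which presumably is the intended capability-started case, but main_setuid's body continues past the hunk so that is not fully visible here.
```c
static int
main_drop_caps(void)
{
        int rc = -1;
        const cap_value_t cap_list[1] = { CAP_NET_BIND_SERVICE };
        cap_t caps = cap_get_proc();
        if (caps == NULL) {
            /* … unchanged: log cap_get_proc() failure, tagged "main_drop_caps" … */
            return -1;
        }

        /* CAP_CLEAR lowers the capability in each set; CAP_SET would raise it */
        if (
                cap_set_flag(caps, CAP_EFFECTIVE, sizeof(cap_list) / sizeof(cap_value_t), cap_list, CAP_CLEAR) == -1 ||
                cap_set_flag(caps, CAP_PERMITTED, sizeof(cap_list) / sizeof(cap_value_t), cap_list, CAP_CLEAR) == -1 ||
                cap_set_flag(caps, CAP_INHERITABLE, sizeof(cap_list) / sizeof(cap_value_t), cap_list, CAP_CLEAR) == -1) {
            /* … unchanged: log cap_set_flag() failure … */
            goto done;
        }

        if (cap_set_proc(caps) == -1) {
            /* … unchanged: log cap_set_proc() failure … */
            goto done;
        }

        rc = 0;
done:
        /* release the cap_t on every path; a failed cap_free() is still an error */
        if (cap_free(caps) == -1) {
            /* … unchanged: log cap_free() failure … */
            rc = -1;
        }
        return rc;
}
```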
(-)a/m4/libcap.m4 (-1 / +44 lines)
Line 0 Link Here
0
- 
1
# BEGIN COPYRIGHT BLOCK
2
# Copyright (C) 2015  Red Hat
3
# see files 'COPYING' and 'COPYING.openssl' for use and warranty
4
# information
5
# 
6
# This program is free software; you can redistribute it and/or modify
7
# it under the terms of the GNU General Public License as published by
8
# the Free Software Foundation, either version 3 of the License, or
9
# (at your option) any later version.
10
# 
11
# This program is distributed in the hope that it will be useful,
12
# but WITHOUT ANY WARRANTY; without even the implied warranty of
13
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
14
# GNU General Public License for more details.
15
# 
16
# You should have received a copy of the GNU General Public License
17
# along with this program.  If not, see <http://www.gnu.org/licenses/>.
18
# 
19
# Additional permission under GPLv3 section 7:
20
# 
21
# If you modify this Program, or any covered work, by linking or
22
# combining it with OpenSSL, or a modified version of OpenSSL licensed
23
# under the OpenSSL license
24
# (https://www.openssl.org/source/license.html), the licensors of this
25
# Program grant you additional permission to convey the resulting
26
# work. Corresponding Source for a non-source form of such a
27
# combination shall include the source code for the parts that are
28
# licensed under the OpenSSL license as well as that of the covered
29
# work.
30
# END COPYRIGHT BLOCK
31
AC_CHECKING(for libcap)
32
33
AC_MSG_CHECKING(for libcap with pkg-config)
34
if test -n "$PKG_CONFIG"; then
35
    if $PKG_CONFIG --exists libcap; then
36
        libcap_inc=`$PKG_CONFIG --cflags libcap`
37
        libcap_lib=`$PKG_CONFIG --libs libcap`
38
        AC_MSG_RESULT([using system libcap])
39
        AC_SUBST(libcap_inc)
40
        AC_SUBST(libcap_lib)
41
    else
42
        AC_MSG_ERROR([libcap not found])
43
    fi
44
fi
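Review bot: The pkg-config probe has no failure path when `$PKG_CONFIG` is empty: the outer `if test -n "$PKG_CONFIG"` has no `else`, so configure emits the AC_MSG_CHECKING line with no matching AC_MSG_RESULT, leaves libcap_inc and libcap_lib unset, and carries on; on Linux the Makefile.am hunk then links an empty `$(LIBCAP_LINK)` while main.c still includes `<sys/capability.h>`, so a missing libcap only surfaces at compile or link time. Because the configure.ac hunk includes this file unconditionally, the `AC_MSG_ERROR([libcap not found])` branch also aborts configure on every platform where pkg-config is present but libcap is not, even though the capability code is compiled only under the LINUX conditional. Consider adding `else AC_MSG_ERROR([pkg-config is required to locate libcap])` to the outer `if` (or an AC_CHECK_LIB fallback there), and wrapping the whole probe in the same `test "$platform" = "linux"` condition that configure.ac uses for the LINUX conditional.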
