Bugzilla – Attachment 787723 Details for
Bug 1111564
AUDIT-0: 389-ds: now uses fscaps.
[patch]
patch that implements a capability drop
0001-When-using-CAP_NET_BIND_SERVICE-on-Linux-drop-this-c.patch (text/plain), 6.55 KB, created by
Matthias Gerstner
on 2018-10-30 11:49:54 UTC
Description:
patch that implements a capability drop
Filename:
MIME Type:
Creator:
Matthias Gerstner
Created:
2018-10-30 11:49:54 UTC
Size:
6.55 KB
patch
obsolete
>From 8444330201fcfc49d59eb31ef2f23284cccb718d Mon Sep 17 00:00:00 2001
>From: Matthias Gerstner <matthias.gerstner@suse.de>
>Date: Tue, 30 Oct 2018 11:18:59 +0100
>Subject: [PATCH] When using CAP_NET_BIND_SERVICE on Linux, drop this cap after
> binding
>
>This change makes the code aware of capability usage on Linux. If socket
>binding succeeded without effective uid == 0 then we have the capability
>set. Instead of dropping user privileges we need to drop the bind
>capability instead in this case.
>---
> Makefile.am | 5 ++++
> configure.ac | 2 ++
> ldap/servers/slapd/main.c | 59 +++++++++++++++++++++++++++++++++++++++++++++++
> m4/libcap.m4 | 44 +++++++++++++++++++++++++++++++++++
> 4 files changed, 110 insertions(+)
> create mode 100644 m4/libcap.m4
>
>diff --git a/Makefile.am b/Makefile.am
>index 417febc78..a0e01566e 100644
>--- a/Makefile.am
>+++ b/Makefile.am
>@@ -179,6 +179,7 @@ PAM_LINK = -lpam
> KERBEROS_LINK = $(kerberos_lib)
> EVENT_LINK = @event_lib@
> PW_CRACK_LINK = -lcrack
>+LIBCAP_LINK = @libcap_lib@
>
> LIBSOCKET=@LIBSOCKET@
> LIBNSL=@LIBNSL@
>@@ -2108,6 +2109,10 @@ else
> ns_slapd_LINK = $(LINK)
> endif
>
>+if LINUX
>+ns_slapd_LDADD += $(LIBCAP_LINK)
>+endif
>+
> #------------------------
> # pwdhash
> #------------------------
>diff --git a/configure.ac b/configure.ac
>index 7b67e0db2..92d75733a 100644
>--- a/configure.ac
>+++ b/configure.ac
>@@ -829,6 +829,7 @@ AC_SUBST(initconfigdir)
> # Conditionals for makefile.am
> AM_CONDITIONAL([ATOMIC_QUEUE_OPERATIONS], [test "$with_atomic_queue" = "yes"])
> AM_CONDITIONAL([HPUX],[test "$platform" = "hpux"])
>+AM_CONDITIONAL([LINUX],[test "$platform" = "linux"])
> AM_CONDITIONAL([SOLARIS],[test "$platform" = "solaris"])
> AM_CONDITIONAL([FREEBSD],[test "$platform" = "freebsd"])
> AM_CONDITIONAL([SPARC],[test "x$TARGET" = xSPARC])
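Review bot: `LIBCAP_LINK = @libcap_lib@` consumes only the link flags that m4/libcap.m4 substitutes; the companion `libcap_inc` (pkg-config `--cflags`) is substituted in the same m4 file but never referenced anywhere in this patch, so `<sys/capability.h>` is found only when the system libcap happens to live on the default include path. That holds for a distro libcap but not for one installed under a prefix, where the build will fail at the include rather than at configure time. Add `LIBCAP_INC = @libcap_inc@` next to the new variable and append `$(LIBCAP_INC)` to the ns-slapd CPPFLAGS under the same `if LINUX` guard that adds `$(LIBCAP_LINK)` to `ns_slapd_LDADD`.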
>@@ -849,6 +850,7 @@ m4_include(m4/selinux.m4)
> m4_include(m4/systemd.m4)
> m4_include(m4/cmocka.m4)
> m4_include(m4/doxygen.m4)
>+m4_include(m4/libcap.m4)
>
> PACKAGE_BASE_VERSION=`echo $PACKAGE_VERSION | awk -F\. '{print $1"."$2}'`
> AC_SUBST(PACKAGE_BASE_VERSION)
>diff --git a/ldap/servers/slapd/main.c b/ldap/servers/slapd/main.c
>index d175dcdc2..fffa7a35f 100644
>--- a/ldap/servers/slapd/main.c
>+++ b/ldap/servers/slapd/main.c
>@@ -50,6 +50,9 @@ union semun
> #include <sys/utsname.h>
> #include <sys/systeminfo.h>
> #endif
>+#if defined(LINUX)
>+#include <sys/capability.h>
>+#endif
> #include "slap.h"
> #include "slapi-plugin.h"
> #include "prinit.h"
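Review bot: `#if defined(LINUX)` around the new `<sys/capability.h>` include keys on a C preprocessor macro, whereas the guard this commit adds in configure.ac is an automake conditional (`AM_CONDITIONAL([LINUX], ...)`), which defines nothing for the compiler. If the build does not already pass `-DLINUX` in its platform CFLAGS (not visible in this patch), the include and the `#ifdef LINUX` code added later in main.c are silently compiled out while `-lcap` is still linked in, and the new capability handling never runs. Either confirm the existing define or add `AC_DEFINE([LINUX], [1], [Building for Linux])` next to the conditional so the two guards cannot drift apart, and say which one the code relies on in a comment: `/* LINUX is defined by configure's platform CFLAGS */`.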
>@@ -366,6 +369,51 @@ fix_ownership(void)
> }
> }
>
>+#ifdef LINUX
>+/*
>+ * Drops the CAP_NET_BIND_SERVICE capability
>+ */
>+static int
>+main_drop_caps()
>+{
>+ cap_t caps;
>+ const cap_value_t cap_list[1] = { CAP_NET_BIND_SERVICE };
>+ caps = cap_get_proc();
>+ if (caps == NULL) {
>+ int oserr = errno;
>+ slapi_log_err(SLAPI_LOG_ERR, "main_setuid", "cap_get_proc() == NULL, error %d (%s)\n",
>+ oserr, slapd_system_strerror(oserr));
>+ return -1;
>+ }
>+
>+ if (
>+ cap_set_flag(caps, CAP_EFFECTIVE, sizeof(cap_list) / sizeof(cap_value_t), cap_list, CAP_SET) == -1 ||
>+ cap_set_flag(caps, CAP_PERMITTED, sizeof(cap_list) / sizeof(cap_value_t), cap_list, CAP_SET) == -1 ||
>+ cap_set_flag(caps, CAP_INHERITABLE, sizeof(cap_list) / sizeof(cap_value_t), cap_list, CAP_SET) == -1) {
>+ int oserr = errno;
>+ slapi_log_err(SLAPI_LOG_ERR, "main_setuid", "cap_set_flag() == -1, error %d (%s)\n",
>+ oserr, slapd_system_strerror(oserr));
>+ return -1;
>+ }
>+
>+ if (cap_set_proc(caps) == -1) {
>+ int oserr = errno;
>+ slapi_log_err(SLAPI_LOG_ERR, "main_setuid", "cap_set_proc() == -1, error %d (%s)\n",
>+ oserr, slapd_system_strerror(oserr));
>+ return -1;
>+ }
>+
>+ if (cap_free(caps) == -1) {
>+ int oserr = errno;
>+ slapi_log_err(SLAPI_LOG_ERR, "main_setuid", "cap_free() == -1, error %d (%s)\n",
>+ oserr, slapd_system_strerror(oserr));
>+ return -1;
>+ }
>+
>+ return 0;
>+}
>+#endif
>+
> /* Changes identity to the named user
> * If username == NULL, does nothing.
> * Does nothing on NT regardless.
>@@ -373,6 +421,17 @@ fix_ownership(void)
> static int
> main_setuid(char *username)
> {
>+#ifdef LINUX
>+ if( geteuid() != 0 )
>+ {
>+ /*
>+ * Port binding must have happened using capabilities. So skip the
>+ * priv drop below and drop the CAP_NET_BIND_SERVICE capability instead
>+ */
>+ return main_drop_caps();
>+ }
>+#endif
>+
> if (username != NULL) {
> struct passwd *pw;
> /* Make sure everything in the log and config directory
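Review bot: `main_drop_caps()` does not drop anything: all three `cap_set_flag()` calls pass `CAP_SET`, which raises the flag, so after `cap_set_proc()` CAP_NET_BIND_SERVICE is still permitted and effective (and is now also inheritable), the opposite of what the function comment and the commit message state. Each call must pass `CAP_CLEAR` as the last argument, e.g. `cap_set_flag(caps, CAP_EFFECTIVE, sizeof(cap_list) / sizeof(cap_value_t), cap_list, CAP_CLEAR) == -1 ||` for the first and likewise for `CAP_PERMITTED` and `CAP_INHERITABLE`, and the change should be verified by reading CapPrm/CapEff from `/proc/<pid>/status` of a started instance. Two smaller issues: the `cap_t` returned by `cap_get_proc()` is leaked on the `cap_set_flag()` and `cap_set_proc()` failure paths (call `cap_free(caps)` before each `return -1`, or route the failures through one cleanup label), and every log line names `"main_setuid"` as the subsystem although it is emitted from `main_drop_caps`, which will mislead whoever triages the error. The definition `main_drop_caps()` should also be `main_drop_caps(void)` so that the prototype is not an old-style unspecified parameter list.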
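Review bot: The early return added to `main_setuid()` infers "we were started with file capabilities" from `geteuid() != 0` alone, so every non-root start takes this path and skips the `username` handling and the log/config directory work that follows the hunk, whether or not a capability was involved (a non-root instance bound to a port above 1023 would end up here too). A more precise test asks the kernel whether the capability is actually held, `cap_get_flag(caps, CAP_NET_BIND_SERVICE, CAP_PERMITTED, &held)`, and falls through to the existing code when it is not; at minimum the comment should say that a non-root start is assumed to already be running as the service user. Style: `if( geteuid() != 0 )` with the brace on its own line does not match the surrounding `if (username != NULL) {` form. The rest of `main_setuid()` continues outside the hunk.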
>diff --git a/m4/libcap.m4 b/m4/libcap.m4
>new file mode 100644
>index 000000000..42863db1f
>--- /dev/null
>+++ b/m4/libcap.m4
>@@ -0,0 +1,44 @@
>+# BEGIN COPYRIGHT BLOCK
>+# Copyright (C) 2015 Red Hat
>+# see files 'COPYING' and 'COPYING.openssl' for use and warranty
>+# information
>+#
>+# This program is free software; you can redistribute it and/or modify
>+# it under the terms of the GNU General Public License as published by
>+# the Free Software Foundation, either version 3 of the License, or
>+# (at your option) any later version.
>+#
>+# This program is distributed in the hope that it will be useful,
>+# but WITHOUT ANY WARRANTY; without even the implied warranty of
>+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
>+# GNU General Public License for more details.
>+#
>+# You should have received a copy of the GNU General Public License
>+# along with this program. If not, see <http://www.gnu.org/licenses/>.
>+#
>+# Additional permission under GPLv3 section 7:
>+#
>+# If you modify this Program, or any covered work, by linking or
>+# combining it with OpenSSL, or a modified version of OpenSSL licensed
>+# under the OpenSSL license
>+# (https://www.openssl.org/source/license.html), the licensors of this
>+# Program grant you additional permission to convey the resulting
>+# work. Corresponding Source for a non-source form of such a
>+# combination shall include the source code for the parts that are
>+# licensed under the OpenSSL license as well as that of the covered
>+# work.
>+# END COPYRIGHT BLOCK
>+AC_CHECKING(for libcap)
>+
>+AC_MSG_CHECKING(for libcap with pkg-config)
>+if test -n "$PKG_CONFIG"; then
>+ if $PKG_CONFIG --exists libcap; then
>+ libcap_inc=`$PKG_CONFIG --cflags libcap`
>+ libcap_lib=`$PKG_CONFIG --libs libcap`
>+ AC_MSG_RESULT([using system libcap])
>+ AC_SUBST(libcap_inc)
>+ AC_SUBST(libcap_lib)
>+ else
>+ AC_MSG_ERROR([libcap not found])
>+ fi
>+fi
>--
>2.16.4
>
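Review bot: The check in m4/libcap.m4 silently succeeds when `$PKG_CONFIG` is empty: the outer `if test -n "$PKG_CONFIG"` has no `else`, so `libcap_lib` stays unset, `LIBCAP_LINK` expands to nothing, and a Linux build without pkg-config only fails later at link time of ns-slapd with an unresolved `cap_get_proc`. The inner branch has the opposite problem: the file is `m4_include`d unconditionally in configure.ac, so a non-Linux host that has pkg-config but no libcap aborts configure with `libcap not found` for a library that is only linked under `if LINUX`. Guard the whole check with `if test "$platform" = "linux"; then ... fi` (the `$platform` variable is already set, the new `AM_CONDITIONAL([LINUX], ...)` uses it), and give the outer test an `else` with `AC_MSG_ERROR([pkg-config is required to locate libcap])` so a missing tool is reported at configure time. `AC_CHECKING` is obsolete in current autoconf; the `AC_MSG_CHECKING` line alone is enough. The copyright header also says 2015 Red Hat on a file authored in 2018 at SUSE, which looks copied from a sibling m4 file and should be corrected.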