From 4c2bce95802f47383f6f57245a447183da4de7c9 Mon Sep 17 00:00:00 2001
From: Michal Schmidt <mschmidt@redhat.com>
Date: Fri, 30 Aug 2013 21:25:47 +0200
Subject: [PATCH 8/8] daemon: improve capabilities dropping
This fixes issues in the usage of libcap-ng to drop capabilities:
- capng_change_id() already applies the selected capabilities. Calling
capng_apply() afterwards is pointless.
- In order to apply the bounding set, CAPNG_CLEAR_BOUNDING must therefore
be passed to capng_change_id(). Might as well add CAPNG_DROP_SUPP_GRP
to drop any supplementary groups.
- The return value of capng_change_id() must be checked to prevent
continuing to run with unwanted capabilities in case of an error.
I have checked that with this patch applied iceccd runs with a bounding
set defined (pscap does not show the '+' sign anymore).
---
daemon/main.cpp | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/daemon/main.cpp b/daemon/main.cpp
index 387d4e2..34ad342 100644
--- a/daemon/main.cpp
+++ b/daemon/main.cpp
@@ -1803,9 +1803,13 @@ int main( int argc, char ** argv )
#ifdef HAVE_LIBCAP_NG
capng_clear(CAPNG_SELECT_BOTH);
- capng_update(CAPNG_ADD, (capng_type_t)(CAPNG_EFFECTIVE|CAPNG_PERMITTED), CAP_SYS_CHROOT);
- capng_change_id(d.user_uid, d.user_gid, CAPNG_NO_FLAG);
- capng_apply(CAPNG_SELECT_BOTH);
+ capng_update(CAPNG_ADD, (capng_type_t)(CAPNG_EFFECTIVE | CAPNG_PERMITTED), CAP_SYS_CHROOT);
+ int r = capng_change_id(d.user_uid, d.user_gid,
+ (capng_flags_t)(CAPNG_DROP_SUPP_GRP | CAPNG_CLEAR_BOUNDING));
+ if (r) {
+ log_error() << "Error: capng_change_id failed: " << r << endl;
+ exit(EXIT_SETUID_FAILED);
+ }
#endif
} else {
d.noremote = true;
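Review bot: The `capng_update()` call on the line before `capng_change_id()` is still unchecked, so a failure there (it returns a negative value for an unusable capability) would let the id change succeed and the daemon continue without CAP_SYS_CHROOT in its set, which is at least a silent misconfiguration; a guard in the same shape as the new one, `if (capng_update(CAPNG_ADD, (capng_type_t)(CAPNG_EFFECTIVE | CAPNG_PERMITTED), CAP_SYS_CHROOT) < 0) { log_error() << "Error: capng_update failed" << endl; exit(EXIT_SETUID_FAILED); }`, keeps the whole sequence fail-closed. The new exit on `r != 0` is the right call and deserves a comment so nobody later softens it into a warning: as I read libcap-ng's documentation, a failed capng_change_id() can leave the process part-way through the group/uid/capability transition, so `// capng_change_id() failure leaves uid/gid/caps in an undefined state; exiting is the only safe option` above the `if (r)` would record that. Since the logged `r` is a negative step code rather than an errno, it may also be worth saying so in the message to avoid confusion when it is read alongside other errors. The enclosing `main()` begins and ends outside this hunk.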
--
1.8.3.1