clear CAP_SUID and CAP_GUID as necessary. Fixes #5647
authorAlan T. DeKok <aland@freeradius.org>
Mon, 15 Sep 2025 19:29:49 +0000 (15:29 -0400)
committerAlan T. DeKok <aland@freeradius.org>
Mon, 15 Sep 2025 19:42:57 +0000 (15:42 -0400)
src/lib/server/main_config.c
src/lib/server/util.c
src/lib/util/cap.h

index df29ef603a4afdce6287a38fce8a14cad0b6f2de..5801922c7eb276eb65272bb677593005bab1247e 100644 (file)
@@ -41,6 +41,7 @@ RCSID("$Id$")
 #include <freeradius-devel/util/hw.h>
 #include <freeradius-devel/util/perm.h>
 #include <freeradius-devel/util/sem.h>
+#include <freeradius-devel/util/cap.h>
 #include <freeradius-devel/util/pair_legacy.h>
 
 #include <freeradius-devel/unlang/xlat_func.h>
@@ -714,6 +715,13 @@ static int switch_users(main_config_t *config, CONF_SECTION *cs)
                                config->name, group->gr_name, fr_syserror(errno));
                        return -1;
                }
+
+               if ((fr_cap_disable(CAP_SETGID, CAP_EFFECTIVE) < 0) ||
+                   (fr_cap_disable(CAP_SETGID, CAP_INHERITABLE) < 0) ||
+                   (fr_cap_disable(CAP_SETGID, CAP_PERMITTED) < 0)) {
+                       fprintf(stderr, "Failed disabling CAP_SGID - %s", fr_syserror(errno));
+                       return -1;
+               }
        }
 #endif
 
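Review bot: The new CAP_SETGID drop sits inside the block that closes at the `}` right after it, so it appears to run only on the path where the group is actually changed. If the server can be started holding CAP_SETGID without a group switch being configured (the condition is outside this hunk), the capability would be kept; moving the check after that block would cover both paths. The message also names `CAP_SGID` where the capability is `CAP_SETGID` (the util.c hunk has the same slip with `CAP_SUID`) and has no trailing newline; I would write `fprintf(stderr, "%s: Failed disabling CAP_SETGID - %s\n", config->name, fr_syserror(errno));`. Whether fr_cap_disable() leaves a meaningful errno is not visible here, so the reported reason should be confirmed against its implementation. switch_users() starts and ends outside the hunk.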
index 82a1aa7c13634532bd6d9bd7ddbd38ebae63b3c8..5ea37206e7c405a7455e1a3cc951805f77b85f51 100644 (file)
@@ -27,6 +27,7 @@ RCSID("$Id$")
 #include <freeradius-devel/util/base16.h>
 #include <freeradius-devel/util/skip.h>
 #include <freeradius-devel/util/perm.h>
+#include <freeradius-devel/util/cap.h>
 
 
 #include <fcntl.h>
@@ -803,6 +804,16 @@ void rad_suid_down_permanent(void)
                fr_exit_now(EXIT_FAILURE);
        }
 
+       /*
+        *      Shut down most of the interesting things which might get abused.
+        */
+       if ((fr_cap_disable(CAP_SETUID, CAP_EFFECTIVE) < 0) ||
+           (fr_cap_disable(CAP_SETUID, CAP_INHERITABLE) < 0) ||
+           (fr_cap_disable(CAP_SETUID, CAP_PERMITTED) < 0)) {
+               ERROR("Failed disabling CAP_SUID");
+               fr_exit_now(EXIT_FAILURE);
+       }
+
        fr_reset_dumpable();
 
        suid_down_permanent = true;
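Review bot: The comment above the new check says it shuts down "most of the interesting things", but the visible code clears only CAP_SETUID from the effective, inheritable and permitted sets. Someone auditing the privilege drop is better served by a comment that says exactly that, e.g. `/* Drop CAP_SETUID from all three sets so the process cannot change UID again after the permanent switch. */`. The `ERROR()` call also gives no reason for the failure, unlike the main_config.c call site; if fr_cap_disable() records an error string (not visible here), appending it would make a failed drop diagnosable. rad_suid_down_permanent() starts and ends outside the hunk.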
index f83d727dc8f835a4dd8911aad02d2a8b47c6e4c0..9ccc7ebf62717779fb76335cae412a18127490e8 100644 (file)
@@ -41,6 +41,21 @@ int  fr_cap_enable(cap_value_t cap, cap_flag_t set);
 int    fr_cap_disable(cap_value_t cap, cap_flag_t set);
 
 ssize_t fr_cap_set_to_str(TALLOC_CTX *ctx, char **out);
+
+#else
+/*
+ *     So we don't have ifdef's throughout the rest of the code.
+ */
+#  define CAP_EFFECTIVE                (0)
+#  define CAP_INHERITABLE      (0)
+#  define CAP_PERMITTED                (0)
+
+#  define CAP_SETUID           (0)
+#  define CAP_SETGID           (0)
+#  define CAP_CHOWN            (0)
+
+#  define fr_cap_disable(_x, _y) (0)
+
 #endif
 
 #ifdef __cplusplus
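Review bot: On builds that take the `#else` branch, `fr_cap_disable()` expands to `(0)`, so both new call sites report success without dropping anything. That is right on a platform with no capabilities, but if the guard (outside this hunk) can also be false on Linux built without libcap, the privilege drop is skipped silently. The comment should say so, e.g. `/* No capability support compiled in: fr_cap_disable() is a no-op that always reports success. */`. `fr_cap_enable()` gets no matching stub, so its callers would still need their own `#ifdef`, and `CAP_CHOWN` is defined though nothing in this commit uses it.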