Don't drop capabilities too early

Dropping CAP_SETGID too early can cause setresuid() to fail on some
platforms.

Seen when running `freeradius -XC` on Debian platforms.

diff --git a/src/lib/server/main_config.c b/src/lib/server/main_config.c
index 5801922c7eb276eb65272bb677593005bab1247e..df29ef603a4afdce6287a38fce8a14cad0b6f2de 100644 (file)
--- a/src/lib/server/main_config.c
+++ b/src/lib/server/main_config.c
@@ -41,7 +41,6 @@ RCSID("$Id$")
 #include <freeradius-devel/util/hw.h>
 #include <freeradius-devel/util/perm.h>
 #include <freeradius-devel/util/sem.h>
-#include <freeradius-devel/util/cap.h>
 #include <freeradius-devel/util/pair_legacy.h>
 
 #include <freeradius-devel/unlang/xlat_func.h>
@@ -715,13 +714,6 @@ static int switch_users(main_config_t *config, CONF_SECTION *cs)
                                config->name, group->gr_name, fr_syserror(errno));
                        return -1;
                }
-
-               if ((fr_cap_disable(CAP_SETGID, CAP_EFFECTIVE) < 0) ||
-                   (fr_cap_disable(CAP_SETGID, CAP_INHERITABLE) < 0) ||
-                   (fr_cap_disable(CAP_SETGID, CAP_PERMITTED) < 0)) {
-                       fprintf(stderr, "Failed disabling CAP_SGID - %s", fr_syserror(errno));
-                       return -1;
-               }
        }
 #endif
 

diff --git a/src/lib/server/util.c b/src/lib/server/util.c
index 5ea37206e7c405a7455e1a3cc951805f77b85f51..e97d5039c305e370b2cb9fec4d35381ec2edfbbe 100644 (file)
--- a/src/lib/server/util.c
+++ b/src/lib/server/util.c
@@ -814,6 +814,15 @@ void rad_suid_down_permanent(void)
                fr_exit_now(EXIT_FAILURE);
        }
 
+#ifdef HAVE_GRP_H
+       if ((fr_cap_disable(CAP_SETGID, CAP_EFFECTIVE) < 0) ||
+           (fr_cap_disable(CAP_SETGID, CAP_INHERITABLE) < 0) ||
+           (fr_cap_disable(CAP_SETGID, CAP_PERMITTED) < 0)) {
+               ERROR("Failed disabling CAP_SGID");
+               fr_exit_now(EXIT_FAILURE);
+       }
+#endif
+
        fr_reset_dumpable();
 
        suid_down_permanent = true;