From: Remi Gacogne <remi.gacogne@powerdns.com>
Date: Fri, 2 Nov 2018 15:11:06 +0000 (+0100)
Subject: rec: Drop remaining capabilities after startup
X-Git-Tag: rec-4.2.0-alpha1~58^2~3
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1f2b341eb3371e0209c85276b442b58be75480b3;p=thirdparty%2Fpdns.git

rec: Drop remaining capabilities after startup
---

diff --git a/pdns/pdns_recursor.cc b/pdns/pdns_recursor.cc
index 622cc2b83e..83a0548d3c 100644
--- a/pdns/pdns_recursor.cc
+++ b/pdns/pdns_recursor.cc
@@ -3768,6 +3768,16 @@ static int serviceMain(int argc, char*argv[])
   makeControlChannelSocket( ::arg().asNum("processes") > 1 ? forks : -1);
 
   Utility::dropUserPrivs(newuid);
+  try {
+    /* we might still have capabilities remaining, for example if we have been started as root
+       without --setuid (please don't do that) or as an unprivileged user with ambient capabilities
+       like CAP_NET_BIND_SERVICE.
+    */
+    dropCapabilities();
+  }
+  catch(const std::exception& e) {
+    g_log<<Logger::Warning<<e.what()<<endl;
+  }
 
   startLuaConfigDelayedThreads(delayedLuaThreads, g_luaconfs.getCopy().generation);
 
diff --git a/pdns/recursordist/Makefile.am b/pdns/recursordist/Makefile.am
index f3ae8afe2a..04b1019ffa 100644
--- a/pdns/recursordist/Makefile.am
+++ b/pdns/recursordist/Makefile.am
@@ -1,7 +1,7 @@
 JSON11_LIBS = $(top_srcdir)/ext/json11/libjson11.la
 PROBDS_LIBS = $(top_srcdir)/ext/probds/libprobds.la
 
-AM_CPPFLAGS = $(LUA_CFLAGS) $(YAHTTP_CFLAGS) $(BOOST_CPPFLAGS) $(LIBSODIUM_CFLAGS) $(NET_SNMP_CFLAGS) $(SANITIZER_FLAGS) -O3 -Wall -pthread -DSYSCONFDIR=\"${sysconfdir}\" $(SYSTEMD_CFLAGS)
+AM_CPPFLAGS = $(LUA_CFLAGS) $(YAHTTP_CFLAGS) $(BOOST_CPPFLAGS) $(LIBSODIUM_CFLAGS) $(NET_SNMP_CFLAGS) $(LIBCAP_CFLAGS) $(SANITIZER_FLAGS) -O3 -Wall -pthread -DSYSCONFDIR=\"${sysconfdir}\" $(SYSTEMD_CFLAGS)
 
 AM_CPPFLAGS += \
 	-I$(top_srcdir)/ext/json11 \
@@ -189,7 +189,8 @@ pdns_recursor_LDADD = \
 	$(SYSTEMD_LIBS) \
 	$(RT_LIBS) \
 	$(BOOST_SYSTEM_LIBS) \
-	$(PROBDS_LIBS)
+	$(PROBDS_LIBS) \
+	$(LIBCAP_LIBS)
 
 pdns_recursor_LDFLAGS = $(AM_LDFLAGS) \
 	$(LIBCRYPTO_LDFLAGS) $(BOOST_CONTEXT_LDFLAGS) \
@@ -290,7 +291,8 @@ testrunner_LDADD = \
 	$(LIBCRYPTO_LIBS) \
 	$(RT_LIBS) \
 	$(BOOST_SYSTEM_LIBS) \
-	$(PROBDS_LIBS)
+	$(PROBDS_LIBS) \
+	$(LIBCAP_LIBS)
 
 if NOD_ENABLED
 testrunner_SOURCES +=   nod.hh nod.cc \
@@ -370,6 +372,9 @@ rec_control_SOURCES = \
 	rec_control.cc \
 	unix_utility.cc
 
+rec_control_LDADD = \
+	$(LIBCAP_LIBS)
+
 dnslabeltext.cc: dnslabeltext.rl
 	$(AM_V_GEN)$(RAGEL) $< -o dnslabeltext.cc
 
diff --git a/pdns/recursordist/configure.ac b/pdns/recursordist/configure.ac
index e3fa94b131..d3ceb2b2e7 100644
--- a/pdns/recursordist/configure.ac
+++ b/pdns/recursordist/configure.ac
@@ -121,6 +121,7 @@ PDNS_CHECK_LIBCRYPTO_ECDSA
 PDNS_CHECK_LIBCRYPTO_EDDSA
 PDNS_WITH_LIBSODIUM
 PDNS_WITH_LIBDECAF
+PDNS_WITH_LIBCAP
 
 PDNS_WITH_NET_SNMP
 
diff --git a/pdns/recursordist/m4/pdns_with_libcap.m4 b/pdns/recursordist/m4/pdns_with_libcap.m4
new file mode 120000
index 0000000000..bf9aef73ac
--- /dev/null
+++ b/pdns/recursordist/m4/pdns_with_libcap.m4
@@ -0,0 +1 @@
+../../../m4/pdns_with_libcap.m4
\ No newline at end of file