priv: always request CAP_FOWNER

While setting ifalias has some additional checks to ensure we can do
that with CAP_NET_ADMIN, we also need CAP_FOWNER to pass the sysfs
owner check. And we have to have both as the other test still needs to
pass.

diff --git a/src/daemon/lldpd.c b/src/daemon/lldpd.c
index 874bc6114b2a555fac8c866c8775d75148f4bdc8..1914569cb6104bc7cc8dc132a4dc18adae6e286b 100644 (file)
--- a/src/daemon/lldpd.c
+++ b/src/daemon/lldpd.c
@@ -1825,15 +1825,9 @@ lldpd_main(int argc, char *argv[], char *envp[])
 
        log_debug("main", "initialize privilege separation");
 #ifdef ENABLE_PRIVSEP
-       priv_init(PRIVSEP_CHROOT, ctl, uid, gid,
-#ifdef USE_SNMP
-           snmp && ((agentx ? agentx : agent_default_agentx_socket())[0] == '/')
-#else
-           0
-#endif
-       );
+       priv_init(PRIVSEP_CHROOT, ctl, uid, gid);
 #else
-       priv_init(PRIVSEP_CHROOT, ctl, 0, 0, 0);
+       priv_init(PRIVSEP_CHROOT, ctl, 0, 0);
 #endif
 
        /* Initialization of global configuration */

diff --git a/src/daemon/lldpd.h b/src/daemon/lldpd.h
index a0838c6b7233ec710878f9f08ac31402a7c98122..5d99faab6aefd5b6ae18da874e6d9c22cd7b3160 100644 (file)
--- a/src/daemon/lldpd.h
+++ b/src/daemon/lldpd.h
@@ -191,7 +191,7 @@ client_handle_client(struct lldpd *cfg,
     int*);
 
 /* priv.c */
-void    priv_init(const char*, int, uid_t, gid_t, int);
+void    priv_init(const char*, int, uid_t, gid_t);
 void    priv_wait(void);
 void    priv_ctl_cleanup(const char *ctlname);
 char           *priv_gethostname(void);

diff --git a/src/daemon/priv.c b/src/daemon/priv.c
index a9b0f60981f20176973cf7a825e2e255312bd8b4..96a40729bf255faa4c6119a73459b8cea5aee488 100644 (file)
--- a/src/daemon/priv.c
+++ b/src/daemon/priv.c
@@ -625,20 +625,15 @@ priv_drop(uid_t uid, gid_t gid)
 }
 
 void
-priv_caps(uid_t uid, gid_t gid, int fowner)
+priv_caps(uid_t uid, gid_t gid)
 {
 #ifdef HAVE_LINUX_CAPABILITIES
        cap_t caps;
-       const char *caps_strings[2];
-       if (fowner) {
-               log_debug("privsep", "getting CAP_NET_RAW/ADMIN and CAP_FOWNER privilege");
-               caps_strings[0] = "cap_fowner,cap_net_raw,cap_net_admin,cap_setuid,cap_setgid=pe";
-               caps_strings[1] = "cap_fowner,cap_net_raw,cap_net_admin=pe";
-       } else {
-               log_debug("privsep", "getting CAP_NET_RAW/ADMIN privilege");
-               caps_strings[0] = "cap_net_raw,cap_net_admin,cap_setuid,cap_setgid=pe";
-               caps_strings[1] = "cap_net_raw,cap_net_admin=pe";
-       }
+       const char *caps_strings[2] = {
+               "cap_fowner,cap_net_raw,cap_net_admin,cap_setuid,cap_setgid=pe",
+               "cap_fowner,cap_net_raw,cap_net_admin=pe"
+       };
+       log_debug("privsep", "getting CAP_NET_RAW/ADMIN and CAP_FOWNER privilege");
        if (!(caps = cap_from_text(caps_strings[0])))
                fatal("privsep", "unable to convert caps");
        if (cap_set_proc(caps) == -1) {
@@ -664,7 +659,7 @@ priv_caps(uid_t uid, gid_t gid, int fowner)
 }
 
 void
-priv_init(const char *chrootdir, int ctl, uid_t uid, gid_t gid, int fowner)
+priv_init(const char *chrootdir, int ctl, uid_t uid, gid_t gid)
 {
 
        int pair[2];
@@ -705,7 +700,7 @@ priv_init(const char *chrootdir, int ctl, uid_t uid, gid_t gid, int fowner)
                if (atexit(priv_exit) != 0)
                        fatal("privsep", "unable to set exit function");
 
-               priv_caps(uid, gid, fowner);
+               priv_caps(uid, gid);
 
                /* Install signal handlers */
                const struct sigaction pass_to_child = {