From 83577a2b3b88f7526c56090c5701bbfe97fbc9eb Mon Sep 17 00:00:00 2001
From: Vincent Bernat
Date: Sat, 16 Jun 2018 17:53:33 +0200
Subject: [PATCH] priv: always request CAP_FOWNER

While setting ifalias has some additional checks to ensure we can do that with CAP_NET_ADMIN, we also need CAP_FOWNER to pass the sysfs owner check. And we have to have both as the other test still needs to pass.
---
 src/daemon/lldpd.c | 10 ++--------
 src/daemon/lldpd.h | 2 +-
 src/daemon/priv.c | 21 ++++++++-------------
 3 files changed, 11 insertions(+), 22 deletions(-)

diff --git a/src/daemon/lldpd.c b/src/daemon/lldpd.c
index 874bc611..1914569c 100644
--- a/src/daemon/lldpd.c
+++ b/src/daemon/lldpd.c
@@ -1825,15 +1825,9 @@ lldpd_main(int argc, char *argv[], char *envp[])

 log_debug("main", "initialize privilege separation");
 #ifdef ENABLE_PRIVSEP
- priv_init(PRIVSEP_CHROOT, ctl, uid, gid,
-#ifdef USE_SNMP
- snmp && ((agentx ? agentx : agent_default_agentx_socket())[0] == '/')
-#else
- 0
-#endif
- );
+ priv_init(PRIVSEP_CHROOT, ctl, uid, gid);
 #else
- priv_init(PRIVSEP_CHROOT, ctl, 0, 0, 0);
+ priv_init(PRIVSEP_CHROOT, ctl, 0, 0);
 #endif

 /* Initialization of global configuration */
diff --git a/src/daemon/lldpd.h b/src/daemon/lldpd.h
index a0838c6b..5d99faab 100644
--- a/src/daemon/lldpd.h
+++ b/src/daemon/lldpd.h
@@ -191,7 +191,7 @@ client_handle_client(struct lldpd *cfg, int*);


 /* priv.c */
-void priv_init(const char*, int, uid_t, gid_t, int);
+void priv_init(const char*, int, uid_t, gid_t);
 void priv_wait(void);
 void priv_ctl_cleanup(const char *ctlname);
 char *priv_gethostname(void);
diff --git a/src/daemon/priv.c b/src/daemon/priv.c
index a9b0f609..96a40729 100644
--- a/src/daemon/priv.c
+++ b/src/daemon/priv.c
@@ -625,20 +625,15 @@ priv_drop(uid_t uid, gid_t gid)
 }

 void
-priv_caps(uid_t uid, gid_t gid, int fowner)
+priv_caps(uid_t uid, gid_t gid)
 {
 #ifdef HAVE_LINUX_CAPABILITIES
 cap_t caps;
- const char *caps_strings[2];
- if (fowner) {
- log_debug("privsep", "getting CAP_NET_RAW/ADMIN and CAP_FOWNER privilege");
- caps_strings[0] = "cap_fowner,cap_net_raw,cap_net_admin,cap_setuid,cap_setgid=pe";
- caps_strings[1] = "cap_fowner,cap_net_raw,cap_net_admin=pe";
- } else {
- log_debug("privsep", "getting CAP_NET_RAW/ADMIN privilege");
- caps_strings[0] = "cap_net_raw,cap_net_admin,cap_setuid,cap_setgid=pe";
- caps_strings[1] = "cap_net_raw,cap_net_admin=pe";
- }
+ const char *caps_strings[2] = {
+ "cap_fowner,cap_net_raw,cap_net_admin,cap_setuid,cap_setgid=pe",
+ "cap_fowner,cap_net_raw,cap_net_admin=pe"
+ };
+ log_debug("privsep", "getting CAP_NET_RAW/ADMIN and CAP_FOWNER privilege");
 if (!(caps = cap_from_text(caps_strings[0])))
 fatal("privsep", "unable to convert caps");
 if (cap_set_proc(caps) == -1) {
@@ -664,7 +659,7 @@ priv_caps(uid_t uid, gid_t gid, int fowner)
 }

 void
-priv_init(const char *chrootdir, int ctl, uid_t uid, gid_t gid, int fowner)
+priv_init(const char *chrootdir, int ctl, uid_t uid, gid_t gid)
 {
 int pair[2];

@@ -705,7 +700,7 @@ priv_init(const char *chrootdir, int ctl, uid_t uid, gid_t gid, int fowner)
 if (atexit(priv_exit) != 0)
 fatal("privsep", "unable to set exit function");

- priv_caps(uid, gid, fowner);
+ priv_caps(uid, gid);

 /* Install signal handlers */
 const struct sigaction pass_to_child = {
-- 
2.39.2
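Review bot: The privileged parent now retains CAP_FOWNER unconditionally, since both entries of `caps_strings` in the priv_caps hunk carry `cap_fowner`, whereas the condition removed in the lldpd.c hunk previously requested it only when the AgentX socket was a filesystem path; CAP_FOWNER bypasses owner checks on any file, not just the sysfs ifalias attribute, so the reason for holding it permanently should be recorded at the declaration rather than only in the commit message. A comment such as `/* CAP_FOWNER is always kept: writing a sysfs ifalias passes the owner check only with it, in addition to CAP_NET_ADMIN. */` above `caps_strings` would keep a later least-privilege cleanup from re-narrowing it and silently breaking ifalias. The second string presumably is the set applied once cap_setuid/cap_setgid are no longer needed; that use, and the rest of priv_caps, lies outside the hunk, so a one-line comment naming which string is applied before and after the uid switch would help too. Since the two strings are now fixed literals, `static const char *const caps_strings[]` would make that intent explicit.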