DBG1(DBG_LIB, "setting FD_CLOEXEC for '"PID_FILE"' failed: %s",
strerror(errno));
}
- ignore_result(fchown(fd,
- lib->caps->get_uid(lib->caps),
- lib->caps->get_gid(lib->caps)));
+ /* Only fchown() the pidfile if we have CAP_CHOWN. Otherwise,
+ * directory permissions should allow pidfile to be accessed
+ * by the UID/GID under which the charon deamon will run. */
+ if (lib->caps->check(lib->caps, CAP_CHOWN))
+ {
+ ignore_result(fchown(fd,
+ lib->caps->get_uid(lib->caps),
+ lib->caps->get_gid(lib->caps)));
+ }
fprintf(pidfile, "%d\n", getpid());
fflush(pidfile);
return FALSE;
}
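Review bot: The new comment at L7-L9 misspells "daemon" as "deamon", and the same misspelling is baked into the user-visible log string at L26; the comment is cheap to fix now, the string less so once operators start grepping for it. I would also have the comment state that the fchown() result is deliberately best-effort, since `ignore_result()` is kept inside the new branch: `/* Only fchown() the pidfile if we have CAP_CHOWN; the result is intentionally ignored. Otherwise, directory permissions should allow the pidfile to be accessed by the UID/GID under which the charon daemon will run. */`. The same CAP_CHOWN guard is introduced again at L35-L37 and would benefit from the same wording. The enclosing function starts outside this hunk.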
if (!lib->caps->check(lib->caps, CAP_CHOWN))
{ /* required to chown(2) service socket */
- DBG1(DBG_NET, "socket '%s' requires CAP_CHOWN capability", uri);
- return NULL;
+ DBG1(DBG_NET, "cannot change ownership of socket '%s' without "
+ "CAP_CHOWN capability. socket directory should be accessible to "
+ "UID/GID under which the deamon will run", uri);
}
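Review bot: The context comment at L21, `/* required to chown(2) service socket */`, is now stale: it explained the removed `return NULL`, but with the new code the function continues without CAP_CHOWN, so the capability is no longer "required". I would change it to `{ /* CAP_CHOWN is optional: without it the socket is left with the ownership it was created with */`. Since the DBG1 message at L24-L26 is now the only signal that ownership was not changed, it is worth making it stand on its own (and fixing "deamon"), e.g. `"cannot change ownership of socket '%s' without CAP_CHOWN capability; the socket directory should be accessible to the UID/GID under which the daemon will run"`. The enclosing function starts and ends outside this hunk.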
fd = socket(AF_UNIX, SOCK_STREAM, 0);
if (fd == -1)
return NULL;
}
umask(old);
- if (chown(addr.sun_path, lib->caps->get_uid(lib->caps),
+ /* only attempt to chown() socket if we have CAP_CHOWN */
+ if (lib->caps->check(lib->caps, CAP_CHOWN) &&
+ chown(addr.sun_path, lib->caps->get_uid(lib->caps),
lib->caps->get_gid(lib->caps)) != 0)
{
DBG1(DBG_NET, "changing socket permissions for '%s' failed: %s",
{
#ifndef WIN32
#ifdef HAVE_PRCTL
- prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0);
+ if (has_capability(this, CAP_SETPCAP, NULL))
+ {
+ prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0);
+ }
#endif
if (this->uid && !init_supplementary_groups(this))
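Review bot: The `prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0)` call at L46 still discards its return value, so if the kernel rejects the request the process proceeds to the uid change with the keep-caps flag unset and nothing is logged. Since the hunk already wraps the call in a new branch, this is the moment to check it: `if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) == -1) { DBG1(DBG_LIB, "setting PR_SET_KEEPCAPS failed: %s", strerror(errno)); }`. The guard on `has_capability(this, CAP_SETPCAP, NULL)` at L44 also deserves a one-line comment explaining why CAP_SETPCAP is the condition chosen for attempting it — presumably as a proxy for running with any capability set at all, which should be confirmed. The enclosing function starts and ends outside this hunk.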
#ifndef CAP_DAC_OVERRIDE
# define CAP_DAC_OVERRIDE 1
#endif
+#ifndef CAP_SETPCAP
+# define CAP_SETPCAP 8
+#endif
/**
* POSIX capability dropping abstraction layer.
}
}
+#ifndef STARTER_ALLOW_NON_ROOT
/* verify that we can start */
if (getuid() != 0)
{
cleanup();
exit(LSB_RC_NOT_ALLOWED);
}
+#endif
if (check_pid(pid_file))
{
exit(LSB_RC_INVALID_ARGUMENT);
}
+#ifndef SKIP_KERNEL_IPSEC_MODPROBES
/* determine if we have a native netkey IPsec stack */
if (!starter_netkey_init())
{
DBG1(DBG_APP, "no known IPsec stack detected, ignoring!");
}
}
+#endif
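Review bot: The two new compile-time switches, `STARTER_ALLOW_NON_ROOT` at L60 and `SKIP_KERNEL_IPSEC_MODPROBES` at L72, are introduced without any comment saying where they are expected to be defined or what build configuration they serve, and the first one compiles out the only privilege check visible in this path. I would add a comment above each guard, e.g. `/* STARTER_ALLOW_NON_ROOT: build-time option that skips the root check so starter can run under a dedicated, capability-restricted user; the pidfile and socket directories must then be writable by that user */` and `/* SKIP_KERNEL_IPSEC_MODPROBES: build-time option for environments where the IPsec stack is known to be present and module loading is not permitted */`, with the second sentence of each confirmed against the build system that defines them. The enclosing function starts and ends outside this hunk.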
last_reload = time_monotonic(NULL);