From: Miroslav Lichvar
Date: Thu, 10 Dec 2015 13:26:16 +0000 (+0100)
Subject: sys_linux: keep CAP_NET_BIND_SERVICE only if NTP port can be opened
X-Git-Tag: 2.3-pre1~49
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0a10df1cf5f9803d15615551f39101f2676c0c8c;p=thirdparty%2Fchrony.git

sys_linux: keep CAP_NET_BIND_SERVICE only if NTP port can be opened

If port is set to 0 in the config file, the server port cannot be opened and there is no point in keeping the binding capability.
---

diff --git a/sys_linux.c b/sys_linux.c
index 98de5b40..8ef6de09 100644
--- a/sys_linux.c
+++ b/sys_linux.c
@@ -403,6 +403,7 @@ SYS_Linux_Finalise(void)
 void
 SYS_Linux_DropRoot(uid_t uid, gid_t gid)
 {
+ const char *cap_text;
 cap_t cap;
 if (prctl(PR_SET_KEEPCAPS, 1)) {
@@ -411,7 +412,11 @@ SYS_Linux_DropRoot(uid_t uid, gid_t gid)
 UTI_DropRoot(uid, gid);
- if ((cap = cap_from_text("cap_net_bind_service,cap_sys_time=ep")) == NULL) {
+ /* Keep CAP_NET_BIND_SERVICE only if NTP port can be opened */
+ cap_text = CNF_GetNTPPort() ?
+ "cap_net_bind_service,cap_sys_time=ep" : "cap_sys_time=ep";
+ if ((cap = cap_from_text(cap_text)) == NULL) {
 LOG_FATAL(LOGF_SysLinux, "cap_from_text() failed");
 }
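Review bot: The new `const char *cap_text;` declaration at the top of SYS_Linux_DropRoot in the first hunk carries no hint of what it holds, and the declaration sits some lines away from where it is assigned, so a reader scanning the function's variable block cannot tell it selects the capability set that survives the drop to the unprivileged uid. A short comment on the declaration would make that explicit, e.g. `const char *cap_text; /* capability set retained after dropping root, selected below */`. Since the value only ever points at string literals, `const char *` is the right type and no copy or lifetime handling is needed. The function body continues past the end of the hunk.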