From: Juergen Perlinger <perlinger@ntp.org>
Date: Thu, 2 May 2019 06:35:23 +0000 (+0200)
Subject: [Bug 1433] runtime check whether the kernel really supports capabilities
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=901e08c8e2bc8bc847fb9524b658c925b01d343b;p=thirdparty%2Fntp.git

[Bug 1433] runtime check whether the kernel really supports capabilities

bk: 5cca8fabOMMtI36deWexDeyXsg63Pw
---

diff --git a/ChangeLog b/ChangeLog
index 9ff845c81..83a6c0fe9 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+---
+* [Bug 1433] runtime check whether the kernel really supports capabilities
+  - (modified) patch by Kurt Roeckx <perlinger@ntp.org>
+
 ---
 (4.2.8p13) 2019/03/07 Released by Harlan Stenn <stenn@ntp.org>
 
diff --git a/ntpd/ntpd.c b/ntpd/ntpd.c
index 2b14431dc..21346433c 100644
--- a/ntpd/ntpd.c
+++ b/ntpd/ntpd.c
@@ -181,6 +181,10 @@ int mdnsreg = FALSE;
 int mdnstries = 5;
 #endif  /* HAVE_DNSREGISTRATION */
 
+#ifdef HAVE_LINUX_CAPABILITIES
+int have_caps;		/* runtime check whether capabilities work */
+#endif /* HAVE_LINUX_CAPABILITIES */
+
 #ifdef HAVE_DROPROOT
 int droproot;
 int root_dropped;
@@ -783,7 +787,6 @@ ntpdmain(
 # if defined(HAVE_WORKING_FORK)
 	long		wait_sync = 0;
 	int		pipe_fds[2];
-	int		rc;
 	int		exit_code;
 # endif	/* HAVE_WORKING_FORK*/
 # ifdef SCO5_CLOCK
@@ -1123,12 +1126,33 @@ ntpdmain(
 	report_event(EVNT_SYSRESTART, NULL, NULL);
 	initializing = FALSE;
 
+# ifdef HAVE_LINUX_CAPABILITIES
+	{
+		/*  Check that setting capabilities actually works; we might be
+		 *  run on a kernel with disabled capabilities. We must not
+		 *  drop privileges in this case.
+		 */
+		cap_t caps;
+		caps = cap_from_text("cap_sys_time,cap_setuid,cap_setgid,cap_sys_chroot,cap_net_bind_service=pe");
+		if ( ! caps) {
+			msyslog( LOG_ERR, "cap_from_text() failed: %m" );
+			exit(-1);
+		}
+		have_caps = (cap_set_proc(caps) == 0);
+		cap_free(caps);	/* caps not NULL here! */
+	}
+# endif /* HAVE_LINUX_CAPABILITIES */
+
 # ifdef HAVE_DROPROOT
+#  ifdef HAVE_LINUX_CAPABILITIES
+	if (droproot && have_caps) {
+#  else
 	if (droproot) {
+#  endif /*HAVE_LINUX_CAPABILITIES*/
 
-#ifdef NEED_EARLY_FORK
+#  ifdef NEED_EARLY_FORK
 		fork_nonchroot_worker();
-#endif
+#  endif
 
 		/* Drop super-user privileges and chroot now if the OS supports this */