Message ID | 4F2EBC40.2080500@zoho.com |
---|---|
State | Not Applicable, archived |
Delegated to: | David Miller |
Headers | show |
Applied. Thank you. Ángel González wrote: > This patch adds support for dropping capabilities to the iputils programs > which need root privileges (ping, ping6, clockdiff, traceroute6), so that > users installing them suid can instead install them setcap cap_net_raw+ep > > The feature adds libcap as a requisite. In order to disable the feature > sed -i "s/-DCAPABILITIES//;s/ -lcap//" Makefile > > > Signed-off-by: Ángel González<ingenit@zoho.com> > --- > > diff -ur iputils/Makefile iputils-capabilities/Makefile > --- iputils/Makefile 2012-01-10 02:42:52.000000000 +0100 > +++ iputils-capabilities/Makefile 2012-02-05 17:40:18.000000000 +0100 > @@ -14,7 +14,7 @@ > # What a pity, all new gccs are buggy and -Werror does not work. Sigh. > #CCOPT=-D_GNU_SOURCE -O2 -Wstrict-prototypes -Wall -g -Werror > CCOPT=-D_GNU_SOURCE -O2 -Wstrict-prototypes -Wall -g > -CFLAGS=$(CCOPT) $(GLIBCFIX) $(DEFINES) > +CFLAGS=$(CCOPT) $(GLIBCFIX) $(DEFINES) -DCAPABILITIES > > IPV4_TARGETS=tracepath ping clockdiff rdisc arping tftpd rarpd > IPV6_TARGETS=tracepath6 traceroute6 ping6 > @@ -25,11 +25,12 @@ > > all: $(TARGETS) > > - > +clockdiff: -lcap > +traceroute6: -lcap > tftpd: tftpd.o tftpsubs.o > -arping: arping.o -lsysfs > -ping: ping.o ping_common.o > -ping6: ping6.o ping_common.o -lresolv -lcrypto > +arping: arping.o -lsysfs -lcap > +ping: ping.o ping_common.o -lcap > +ping6: ping6.o ping_common.o -lresolv -lcrypto -lcap > ping.o ping6.o ping_common.o: ping_common.h > tftpd.o tftpsubs.o: tftp.h > > diff -ur iputils/arping.c iputils-capabilities/arping.c > --- iputils/arping.c 2012-01-10 02:42:52.000000000 +0100 > +++ iputils-capabilities/arping.c 2012-02-05 17:23:53.000000000 +0100 > @@ -22,6 +22,9 @@ > #include<linux/if_ether.h> > #include<net/if_arp.h> > #include<sys/uio.h> > +#ifdef CAPABILITIES > +#include<sys/capability.h> > +#endif > > #include<netdb.h> > #include<unistd.h> > @@ -356,6 +359,17 @@ > exit(-1); > } > > +#ifdef CAPABILITIES > + { > + cap_t caps = cap_init(); > + if (cap_set_proc(caps)) { > + perror("arping: cap_set_proc"); > + exit(-1); > + } > + cap_free(caps); > + } > +#endif > + > while ((ch = getopt(argc, argv, "h?bfDUAqc:w:s:I:V")) != EOF) { > switch(ch) { > case 'b': > diff -ur iputils/clockdiff.c iputils-capabilities/clockdiff.c > --- iputils/clockdiff.c 2012-01-10 02:42:52.000000000 +0100 > +++ iputils-capabilities/clockdiff.c 2012-02-05 17:33:14.000000000 +0100 > @@ -20,6 +20,9 @@ > #include<arpa/inet.h> > #include<errno.h> > #include<linux/types.h> > +#ifdef CAPABILITIES > +#include<sys/capability.h> > +#endif > > void usage(void) __attribute__((noreturn)); > > @@ -530,6 +533,20 @@ > exit(1); > } > > +void drop_rights(void) { > +#ifdef CAPABILITIES > + cap_t caps = cap_init(); > + if (cap_set_proc(caps)) { > + perror("clockdiff: cap_set_proc"); > + exit(-1); > + } > + cap_free(caps); > +#endif > + if (setuid(getuid())) { > + perror("clockdiff: setuid"); > + exit(-1); > + } > +} > > int > main(int argc, char *argv[]) > @@ -541,10 +558,7 @@ > int n_errno = 0; > > if (argc< 2) { > - if (setuid(getuid())) { > - perror("clockdiff: setuid"); > - exit(-1); > - } > + drop_rights(); > usage(); > } > > @@ -554,11 +568,7 @@ > errno = 0; > if (nice(-16) == -1) > n_errno = errno; > - > - if (setuid(getuid())) { > - perror("clockdiff: setuid"); > - exit(-1); > - } > + drop_rights(); > > if (argc == 3) { > if (strcmp(argv[1], "-o") == 0) { > diff -ur iputils/ping.c iputils-capabilities/ping.c > --- iputils/ping.c 2012-01-10 02:42:52.000000000 +0100 > +++ iputils-capabilities/ping.c 2012-02-05 17:33:51.000000000 +0100 > @@ -62,6 +62,9 @@ > > #include<netinet/ip.h> > #include<netinet/ip_icmp.h> > +#ifdef CAPABILITIES > +#include<sys/capability.h> > +#endif > > #ifndef ICMP_FILTER > #define ICMP_FILTER 1 > @@ -131,6 +134,16 @@ > perror("ping: setuid"); > exit(-1); > } > +#ifdef CAPABILITIES > + { > + cap_t caps = cap_init(); > + if (cap_set_proc(caps)) { > + perror("ping: cap_set_proc"); > + exit(-1); > + } > + cap_free(caps); > + } > +#endif > > source.sin_family = AF_INET; > > diff -ur iputils/ping6.c iputils-capabilities/ping6.c > --- iputils/ping6.c 2012-01-10 02:42:52.000000000 +0100 > +++ iputils-capabilities/ping6.c 2012-02-05 17:33:44.000000000 +0100 > @@ -72,6 +72,9 @@ > #include<netinet/ip6.h> > #include<netinet/icmp6.h> > #include<resolv.h> > +#ifdef CAPABILITIES > +#include<sys/capability.h> > +#endif > > #include "ping6_niquery.h" > > @@ -551,9 +554,19 @@ > > uid = getuid(); > if (setuid(uid)) { > - perror("ping: setuid"); > + perror("ping6: setuid"); > exit(-1); > } > +#ifdef CAPABILITIES > + { > + cap_t caps = cap_init(); > + if (cap_set_proc(caps)) { > + perror("ping6: cap_set_proc"); > + exit(-1); > + } > + cap_free(caps); > + } > +#endif > > source.sin6_family = AF_INET6; > memset(&firsthop, 0, sizeof(firsthop)); > diff -ur iputils/traceroute6.c iputils-capabilities/traceroute6.c > --- iputils/traceroute6.c 2012-01-10 02:42:52.000000000 +0100 > +++ iputils-capabilities/traceroute6.c 2012-02-05 17:33:59.000000000 +0100 > @@ -249,6 +249,9 @@ > #include<netinet/ip6.h> > #include<netinet/icmp6.h> > #include<linux/types.h> > +#ifdef CAPABILITIES > +#include<sys/capability.h> > +#endif > > #include<arpa/inet.h> > > @@ -342,6 +345,16 @@ > perror("traceroute6: setuid"); > exit(-1); > } > +#ifdef CAPABILITIES > + { > + cap_t caps = cap_init(); > + if (cap_set_proc(caps)) { > + perror("traceroute6: cap_set_proc"); > + exit(-1); > + } > + cap_free(caps); > + } > +#endif > > on = 1; > seq = tos = 0; > > -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff -ur iputils/Makefile iputils-capabilities/Makefile --- iputils/Makefile 2012-01-10 02:42:52.000000000 +0100 +++ iputils-capabilities/Makefile 2012-02-05 17:40:18.000000000 +0100 @@ -14,7 +14,7 @@ # What a pity, all new gccs are buggy and -Werror does not work. Sigh. #CCOPT=-D_GNU_SOURCE -O2 -Wstrict-prototypes -Wall -g -Werror CCOPT=-D_GNU_SOURCE -O2 -Wstrict-prototypes -Wall -g -CFLAGS=$(CCOPT) $(GLIBCFIX) $(DEFINES) +CFLAGS=$(CCOPT) $(GLIBCFIX) $(DEFINES) -DCAPABILITIES IPV4_TARGETS=tracepath ping clockdiff rdisc arping tftpd rarpd IPV6_TARGETS=tracepath6 traceroute6 ping6 @@ -25,11 +25,12 @@ all: $(TARGETS) - +clockdiff: -lcap +traceroute6: -lcap tftpd: tftpd.o tftpsubs.o -arping: arping.o -lsysfs -ping: ping.o ping_common.o -ping6: ping6.o ping_common.o -lresolv -lcrypto +arping: arping.o -lsysfs -lcap +ping: ping.o ping_common.o -lcap +ping6: ping6.o ping_common.o -lresolv -lcrypto -lcap ping.o ping6.o ping_common.o: ping_common.h tftpd.o tftpsubs.o: tftp.h diff -ur iputils/arping.c iputils-capabilities/arping.c --- iputils/arping.c 2012-01-10 02:42:52.000000000 +0100 +++ iputils-capabilities/arping.c 2012-02-05 17:23:53.000000000 +0100 @@ -22,6 +22,9 @@ #include <linux/if_ether.h> #include <net/if_arp.h> #include <sys/uio.h> +#ifdef CAPABILITIES +#include <sys/capability.h> +#endif #include <netdb.h> #include <unistd.h> @@ -356,6 +359,17 @@ exit(-1); } +#ifdef CAPABILITIES + { + cap_t caps = cap_init(); + if (cap_set_proc(caps)) { + perror("arping: cap_set_proc"); + exit(-1); + } + cap_free(caps); + } +#endif + while ((ch = getopt(argc, argv, "h?bfDUAqc:w:s:I:V")) != EOF) { switch(ch) { case 'b': diff -ur iputils/clockdiff.c iputils-capabilities/clockdiff.c --- iputils/clockdiff.c 2012-01-10 02:42:52.000000000 +0100 +++ iputils-capabilities/clockdiff.c 2012-02-05 17:33:14.000000000 +0100 @@ -20,6 +20,9 @@ #include <arpa/inet.h> #include <errno.h> #include <linux/types.h> +#ifdef CAPABILITIES +#include <sys/capability.h> +#endif void usage(void) __attribute__((noreturn)); @@ -530,6 +533,20 @@ exit(1); } +void drop_rights(void) { +#ifdef CAPABILITIES + cap_t caps = cap_init(); + if (cap_set_proc(caps)) { + perror("clockdiff: cap_set_proc"); + exit(-1); + } + cap_free(caps); +#endif + if (setuid(getuid())) { + perror("clockdiff: setuid"); + exit(-1); + } +} int main(int argc, char *argv[]) @@ -541,10 +558,7 @@ int n_errno = 0; if (argc < 2) { - if (setuid(getuid())) { - perror("clockdiff: setuid"); - exit(-1); - } + drop_rights(); usage(); } @@ -554,11 +568,7 @@ errno = 0; if (nice(-16) == -1) n_errno = errno; - - if (setuid(getuid())) { - perror("clockdiff: setuid"); - exit(-1); - } + drop_rights(); if (argc == 3) { if (strcmp(argv[1], "-o") == 0) { diff -ur iputils/ping.c iputils-capabilities/ping.c --- iputils/ping.c 2012-01-10 02:42:52.000000000 +0100 +++ iputils-capabilities/ping.c 2012-02-05 17:33:51.000000000 +0100 @@ -62,6 +62,9 @@ #include <netinet/ip.h> #include <netinet/ip_icmp.h> +#ifdef CAPABILITIES +#include <sys/capability.h> +#endif #ifndef ICMP_FILTER #define ICMP_FILTER 1 @@ -131,6 +134,16 @@ perror("ping: setuid"); exit(-1); } +#ifdef CAPABILITIES + { + cap_t caps = cap_init(); + if (cap_set_proc(caps)) { + perror("ping: cap_set_proc"); + exit(-1); + } + cap_free(caps); + } +#endif source.sin_family = AF_INET; diff -ur iputils/ping6.c iputils-capabilities/ping6.c --- iputils/ping6.c 2012-01-10 02:42:52.000000000 +0100 +++ iputils-capabilities/ping6.c 2012-02-05 17:33:44.000000000 +0100 @@ -72,6 +72,9 @@ #include <netinet/ip6.h> #include <netinet/icmp6.h> #include <resolv.h> +#ifdef CAPABILITIES +#include <sys/capability.h> +#endif #include "ping6_niquery.h" @@ -551,9 +554,19 @@ uid = getuid(); if (setuid(uid)) { - perror("ping: setuid"); + perror("ping6: setuid"); exit(-1); } +#ifdef CAPABILITIES + { + cap_t caps = cap_init(); + if (cap_set_proc(caps)) { + perror("ping6: cap_set_proc"); + exit(-1); + } + cap_free(caps); + } +#endif source.sin6_family = AF_INET6; memset(&firsthop, 0, sizeof(firsthop)); diff -ur iputils/traceroute6.c iputils-capabilities/traceroute6.c --- iputils/traceroute6.c 2012-01-10 02:42:52.000000000 +0100 +++ iputils-capabilities/traceroute6.c 2012-02-05 17:33:59.000000000 +0100 @@ -249,6 +249,9 @@ #include <netinet/ip6.h> #include <netinet/icmp6.h> #include <linux/types.h> +#ifdef CAPABILITIES +#include <sys/capability.h> +#endif #include <arpa/inet.h> @@ -342,6 +345,16 @@ perror("traceroute6: setuid"); exit(-1); } +#ifdef CAPABILITIES + { + cap_t caps = cap_init(); + if (cap_set_proc(caps)) { + perror("traceroute6: cap_set_proc"); + exit(-1); + } + cap_free(caps); + } +#endif on = 1; seq = tos = 0;
This patch adds support for dropping capabilities to the iputils programs which need root privileges (ping, ping6, clockdiff, traceroute6), so that users installing them suid can instead install them setcap cap_net_raw+ep The feature adds libcap as a requisite. In order to disable the feature sed -i "s/-DCAPABILITIES//;s/ -lcap//" Makefile Signed-off-by: Ángel González <ingenit@zoho.com> --- -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html