iputils: Add capability dropping

Message ID	4F2EBC40.2080500@zoho.com
State	Not Applicable, archived
Delegated to:	David Miller
Headers	show Return-Path: <netdev-owner@vger.kernel.org> DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=zapps768; d=zoho.com; h=message-id:date:from:user-agent:mime-version:to:cc:subject:content-type; b=cO62Pb7TsZi9H59KuoOUyCkO0nD/vYlmlg66ZwFgpwstJr5w8KU02TBBpXXgFRxesmREnffjh3dJ xvXjKbOImywHyqAjRPnrWrF7RkMiKAJ+zA7aOD5e/JDFVnaGQolV Message-ID: <4F2EBC40.2080500@zoho.com> Date: Sun, 5 Feb 2012 19:16:42 +0100 From: =?ISO-8859-1?Q?=C1ngel_Gonz=E1lez?= <ingenit@zoho.com> User-Agent: Thunderbird MIME-Version: 1.0 To: netdev@vger.kernel.org CC: yoshfuji@linux-ipv6.org Subject: [PATCH] iputils: Add capability dropping Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit Sender: netdev-owner@vger.kernel.org Precedence: bulk

Message ID

4F2EBC40.2080500@zoho.com

State

Not Applicable, archived

Delegated to:

David Miller

Headers

DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=zapps768; d=zoho.com; 
	h=message-id:date:from:user-agent:mime-version:to:cc:subject:content-type;
	b=cO62Pb7TsZi9H59KuoOUyCkO0nD/vYlmlg66ZwFgpwstJr5w8KU02TBBpXXgFRxesmREnffjh3dJ
	xvXjKbOImywHyqAjRPnrWrF7RkMiKAJ+zA7aOD5e/JDFVnaGQolV  
Message-ID: <4F2EBC40.2080500@zoho.com>
Date: Sun, 5 Feb 2012 19:16:42 +0100
From: =?ISO-8859-1?Q?=C1ngel_Gonz=E1lez?= <ingenit@zoho.com>
User-Agent: Thunderbird
MIME-Version: 1.0
To: netdev@vger.kernel.org
CC: yoshfuji@linux-ipv6.org
Subject: [PATCH] iputils: Add capability dropping
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Sender: netdev-owner@vger.kernel.org
Precedence: bulk

Commit Message

Ángel González Feb. 5, 2012, 6:16 p.m. UTC

This patch adds support for dropping capabilities to the iputils programs
which need root privileges (ping, ping6, clockdiff, traceroute6), so that
users installing them suid can instead install them setcap cap_net_raw+ep

The feature adds libcap as a requisite. In order to disable the feature
 sed -i "s/-DCAPABILITIES//;s/ -lcap//" Makefile


Signed-off-by: Ángel González <ingenit@zoho.com>
---



--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Comments

YOSHIFUJI Hideaki / 吉藤英明 Feb. 21, 2012, 11:59 a.m. UTC | #1

Applied. Thank you.

Ángel González wrote:
> This patch adds support for dropping capabilities to the iputils programs
> which need root privileges (ping, ping6, clockdiff, traceroute6), so that
> users installing them suid can instead install them setcap cap_net_raw+ep
>
> The feature adds libcap as a requisite. In order to disable the feature
>   sed -i "s/-DCAPABILITIES//;s/ -lcap//" Makefile
>
>
> Signed-off-by: Ángel González<ingenit@zoho.com>
> ---
>
> diff -ur iputils/Makefile iputils-capabilities/Makefile
> --- iputils/Makefile	2012-01-10 02:42:52.000000000 +0100
> +++ iputils-capabilities/Makefile	2012-02-05 17:40:18.000000000 +0100
> @@ -14,7 +14,7 @@
>   # What a pity, all new gccs are buggy and -Werror does not work. Sigh.
>   #CCOPT=-D_GNU_SOURCE -O2 -Wstrict-prototypes -Wall -g -Werror
>   CCOPT=-D_GNU_SOURCE -O2 -Wstrict-prototypes -Wall -g
> -CFLAGS=$(CCOPT) $(GLIBCFIX) $(DEFINES)
> +CFLAGS=$(CCOPT) $(GLIBCFIX) $(DEFINES) -DCAPABILITIES
>
>   IPV4_TARGETS=tracepath ping clockdiff rdisc arping tftpd rarpd
>   IPV6_TARGETS=tracepath6 traceroute6 ping6
> @@ -25,11 +25,12 @@
>
>   all: $(TARGETS)
>
> -
> +clockdiff: -lcap
> +traceroute6: -lcap
>   tftpd: tftpd.o tftpsubs.o
> -arping: arping.o -lsysfs
> -ping: ping.o ping_common.o
> -ping6: ping6.o ping_common.o -lresolv -lcrypto
> +arping: arping.o -lsysfs -lcap
> +ping: ping.o ping_common.o -lcap
> +ping6: ping6.o ping_common.o -lresolv -lcrypto -lcap
>   ping.o ping6.o ping_common.o: ping_common.h
>   tftpd.o tftpsubs.o: tftp.h
>
> diff -ur iputils/arping.c iputils-capabilities/arping.c
> --- iputils/arping.c	2012-01-10 02:42:52.000000000 +0100
> +++ iputils-capabilities/arping.c	2012-02-05 17:23:53.000000000 +0100
> @@ -22,6 +22,9 @@
>   #include<linux/if_ether.h>
>   #include<net/if_arp.h>
>   #include<sys/uio.h>
> +#ifdef CAPABILITIES
> +#include<sys/capability.h>
> +#endif
>
>   #include<netdb.h>
>   #include<unistd.h>
> @@ -356,6 +359,17 @@
>   		exit(-1);
>   	}
>
> +#ifdef CAPABILITIES
> +	{
> +		cap_t caps = cap_init();
> +		if (cap_set_proc(caps)) {
> +			perror("arping: cap_set_proc");
> +			exit(-1);
> +		}
> +		cap_free(caps);
> +	}
> +#endif
> +
>   	while ((ch = getopt(argc, argv, "h?bfDUAqc:w:s:I:V")) != EOF) {
>   		switch(ch) {
>   		case 'b':
> diff -ur iputils/clockdiff.c iputils-capabilities/clockdiff.c
> --- iputils/clockdiff.c	2012-01-10 02:42:52.000000000 +0100
> +++ iputils-capabilities/clockdiff.c	2012-02-05 17:33:14.000000000 +0100
> @@ -20,6 +20,9 @@
>   #include<arpa/inet.h>
>   #include<errno.h>
>   #include<linux/types.h>
> +#ifdef CAPABILITIES
> +#include<sys/capability.h>
> +#endif
>
>   void usage(void) __attribute__((noreturn));
>
> @@ -530,6 +533,20 @@
>     exit(1);
>   }
>
> +void drop_rights(void) {
> +#ifdef CAPABILITIES
> +	cap_t caps = cap_init();
> +	if (cap_set_proc(caps)) {
> +		perror("clockdiff: cap_set_proc");
> +		exit(-1);
> +	}
> +	cap_free(caps);
> +#endif
> +	if (setuid(getuid())) {
> +		perror("clockdiff: setuid");
> +		exit(-1);
> +	}
> +}
>
>   int
>   main(int argc, char *argv[])
> @@ -541,10 +558,7 @@
>   	int n_errno = 0;
>
>   	if (argc<  2) {
> -		if (setuid(getuid())) {
> -			perror("clockdiff: setuid");
> -			exit(-1);
> -		}
> +		drop_rights();
>   		usage();
>   	}
>
> @@ -554,11 +568,7 @@
>   	errno = 0;
>   	if (nice(-16) == -1)
>   		n_errno = errno;
> -
> -	if (setuid(getuid())) {
> -		perror("clockdiff: setuid");
> -		exit(-1);
> -	}
> +	drop_rights();
>
>   	if (argc == 3) {
>   		if (strcmp(argv[1], "-o") == 0) {
> diff -ur iputils/ping.c iputils-capabilities/ping.c
> --- iputils/ping.c	2012-01-10 02:42:52.000000000 +0100
> +++ iputils-capabilities/ping.c	2012-02-05 17:33:51.000000000 +0100
> @@ -62,6 +62,9 @@
>
>   #include<netinet/ip.h>
>   #include<netinet/ip_icmp.h>
> +#ifdef CAPABILITIES
> +#include<sys/capability.h>
> +#endif
>
>   #ifndef ICMP_FILTER
>   #define ICMP_FILTER	1
> @@ -131,6 +134,16 @@
>   		perror("ping: setuid");
>   		exit(-1);
>   	}
> +#ifdef CAPABILITIES
> +	{
> +		cap_t caps = cap_init();
> +		if (cap_set_proc(caps)) {
> +			perror("ping: cap_set_proc");
> +			exit(-1);
> +		}
> +		cap_free(caps);
> +	}
> +#endif
>
>   	source.sin_family = AF_INET;
>
> diff -ur iputils/ping6.c iputils-capabilities/ping6.c
> --- iputils/ping6.c	2012-01-10 02:42:52.000000000 +0100
> +++ iputils-capabilities/ping6.c	2012-02-05 17:33:44.000000000 +0100
> @@ -72,6 +72,9 @@
>   #include<netinet/ip6.h>
>   #include<netinet/icmp6.h>
>   #include<resolv.h>
> +#ifdef CAPABILITIES
> +#include<sys/capability.h>
> +#endif
>
>   #include "ping6_niquery.h"
>
> @@ -551,9 +554,19 @@
>
>   	uid = getuid();
>   	if (setuid(uid)) {
> -		perror("ping: setuid");
> +		perror("ping6: setuid");
>   		exit(-1);
>   	}
> +#ifdef CAPABILITIES
> +	{
> +		cap_t caps = cap_init();
> +		if (cap_set_proc(caps)) {
> +			perror("ping6: cap_set_proc");
> +			exit(-1);
> +		}
> +		cap_free(caps);
> +	}
> +#endif
>
>   	source.sin6_family = AF_INET6;
>   	memset(&firsthop, 0, sizeof(firsthop));
> diff -ur iputils/traceroute6.c iputils-capabilities/traceroute6.c
> --- iputils/traceroute6.c	2012-01-10 02:42:52.000000000 +0100
> +++ iputils-capabilities/traceroute6.c	2012-02-05 17:33:59.000000000 +0100
> @@ -249,6 +249,9 @@
>   #include<netinet/ip6.h>
>   #include<netinet/icmp6.h>
>   #include<linux/types.h>
> +#ifdef CAPABILITIES
> +#include<sys/capability.h>
> +#endif
>
>   #include<arpa/inet.h>
>
> @@ -342,6 +345,16 @@
>   		perror("traceroute6: setuid");
>   		exit(-1);
>   	}
> +#ifdef CAPABILITIES
> +	{
> +		cap_t caps = cap_init();
> +		if (cap_set_proc(caps)) {
> +			perror("traceroute6: cap_set_proc");
> +			exit(-1);
> +		}
> +		cap_free(caps);
> +	}
> +#endif
>
>   	on = 1;
>   	seq = tos = 0;
>
>

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

diff -ur iputils/Makefile iputils-capabilities/Makefile
--- iputils/Makefile	2012-01-10 02:42:52.000000000 +0100
+++ iputils-capabilities/Makefile	2012-02-05 17:40:18.000000000 +0100
@@ -14,7 +14,7 @@ 
 # What a pity, all new gccs are buggy and -Werror does not work. Sigh.
 #CCOPT=-D_GNU_SOURCE -O2 -Wstrict-prototypes -Wall -g -Werror
 CCOPT=-D_GNU_SOURCE -O2 -Wstrict-prototypes -Wall -g
-CFLAGS=$(CCOPT) $(GLIBCFIX) $(DEFINES) 
+CFLAGS=$(CCOPT) $(GLIBCFIX) $(DEFINES) -DCAPABILITIES
 
 IPV4_TARGETS=tracepath ping clockdiff rdisc arping tftpd rarpd
 IPV6_TARGETS=tracepath6 traceroute6 ping6
@@ -25,11 +25,12 @@ 
 
 all: $(TARGETS)
 
-
+clockdiff: -lcap
+traceroute6: -lcap
 tftpd: tftpd.o tftpsubs.o
-arping: arping.o -lsysfs
-ping: ping.o ping_common.o
-ping6: ping6.o ping_common.o -lresolv -lcrypto
+arping: arping.o -lsysfs -lcap
+ping: ping.o ping_common.o -lcap
+ping6: ping6.o ping_common.o -lresolv -lcrypto -lcap
 ping.o ping6.o ping_common.o: ping_common.h
 tftpd.o tftpsubs.o: tftp.h
 
diff -ur iputils/arping.c iputils-capabilities/arping.c
--- iputils/arping.c	2012-01-10 02:42:52.000000000 +0100
+++ iputils-capabilities/arping.c	2012-02-05 17:23:53.000000000 +0100
@@ -22,6 +22,9 @@ 
 #include <linux/if_ether.h>
 #include <net/if_arp.h>
 #include <sys/uio.h>
+#ifdef CAPABILITIES
+#include <sys/capability.h>
+#endif
 
 #include <netdb.h>
 #include <unistd.h>
@@ -356,6 +359,17 @@ 
 		exit(-1);
 	}
 
+#ifdef CAPABILITIES
+	{
+		cap_t caps = cap_init();
+		if (cap_set_proc(caps)) {
+			perror("arping: cap_set_proc");
+			exit(-1);
+		}
+		cap_free(caps);
+	}
+#endif
+
 	while ((ch = getopt(argc, argv, "h?bfDUAqc:w:s:I:V")) != EOF) {
 		switch(ch) {
 		case 'b':
diff -ur iputils/clockdiff.c iputils-capabilities/clockdiff.c
--- iputils/clockdiff.c	2012-01-10 02:42:52.000000000 +0100
+++ iputils-capabilities/clockdiff.c	2012-02-05 17:33:14.000000000 +0100
@@ -20,6 +20,9 @@ 
 #include <arpa/inet.h>
 #include <errno.h>
 #include <linux/types.h>
+#ifdef CAPABILITIES
+#include <sys/capability.h>
+#endif
 
 void usage(void) __attribute__((noreturn));
 
@@ -530,6 +533,20 @@ 
   exit(1);
 }
 
+void drop_rights(void) {
+#ifdef CAPABILITIES
+	cap_t caps = cap_init();
+	if (cap_set_proc(caps)) {
+		perror("clockdiff: cap_set_proc");
+		exit(-1);
+	}
+	cap_free(caps);
+#endif
+	if (setuid(getuid())) {
+		perror("clockdiff: setuid");
+		exit(-1);
+	}
+}
 
 int
 main(int argc, char *argv[])
@@ -541,10 +558,7 @@ 
 	int n_errno = 0;
 
 	if (argc < 2) {
-		if (setuid(getuid())) {
-			perror("clockdiff: setuid");
-			exit(-1);
-		}
+		drop_rights();
 		usage();
 	}
 
@@ -554,11 +568,7 @@ 
 	errno = 0;
 	if (nice(-16) == -1)
 		n_errno = errno;
-
-	if (setuid(getuid())) {
-		perror("clockdiff: setuid");
-		exit(-1);
-	}
+	drop_rights();
 
 	if (argc == 3) {
 		if (strcmp(argv[1], "-o") == 0) {
diff -ur iputils/ping.c iputils-capabilities/ping.c
--- iputils/ping.c	2012-01-10 02:42:52.000000000 +0100
+++ iputils-capabilities/ping.c	2012-02-05 17:33:51.000000000 +0100
@@ -62,6 +62,9 @@ 
 
 #include <netinet/ip.h>
 #include <netinet/ip_icmp.h>
+#ifdef CAPABILITIES
+#include <sys/capability.h>
+#endif
 
 #ifndef ICMP_FILTER
 #define ICMP_FILTER	1
@@ -131,6 +134,16 @@ 
 		perror("ping: setuid");
 		exit(-1);
 	}
+#ifdef CAPABILITIES
+	{
+		cap_t caps = cap_init();
+		if (cap_set_proc(caps)) {
+			perror("ping: cap_set_proc");
+			exit(-1);
+		}
+		cap_free(caps);
+	}
+#endif
 
 	source.sin_family = AF_INET;
 
diff -ur iputils/ping6.c iputils-capabilities/ping6.c
--- iputils/ping6.c	2012-01-10 02:42:52.000000000 +0100
+++ iputils-capabilities/ping6.c	2012-02-05 17:33:44.000000000 +0100
@@ -72,6 +72,9 @@ 
 #include <netinet/ip6.h>
 #include <netinet/icmp6.h>
 #include <resolv.h>
+#ifdef CAPABILITIES
+#include <sys/capability.h>
+#endif
 
 #include "ping6_niquery.h"
 
@@ -551,9 +554,19 @@ 
 
 	uid = getuid();
 	if (setuid(uid)) {
-		perror("ping: setuid");
+		perror("ping6: setuid");
 		exit(-1);
 	}
+#ifdef CAPABILITIES
+	{
+		cap_t caps = cap_init();
+		if (cap_set_proc(caps)) {
+			perror("ping6: cap_set_proc");
+			exit(-1);
+		}
+		cap_free(caps);
+	}
+#endif
 
 	source.sin6_family = AF_INET6;
 	memset(&firsthop, 0, sizeof(firsthop));
diff -ur iputils/traceroute6.c iputils-capabilities/traceroute6.c
--- iputils/traceroute6.c	2012-01-10 02:42:52.000000000 +0100
+++ iputils-capabilities/traceroute6.c	2012-02-05 17:33:59.000000000 +0100
@@ -249,6 +249,9 @@ 
 #include <netinet/ip6.h>
 #include <netinet/icmp6.h>
 #include <linux/types.h>
+#ifdef CAPABILITIES
+#include <sys/capability.h>
+#endif
 
 #include <arpa/inet.h>
 
@@ -342,6 +345,16 @@ 
 		perror("traceroute6: setuid");
 		exit(-1);
 	}
+#ifdef CAPABILITIES
+	{
+		cap_t caps = cap_init();
+		if (cap_set_proc(caps)) {
+			perror("traceroute6: cap_set_proc");
+			exit(-1);
+		}
+		cap_free(caps);
+	}
+#endif
 
 	on = 1;
 	seq = tos = 0;

iputils: Add capability dropping

Commit Message

Comments

Patch