From mt...@apache.org
Subject svn commit: r980496 - in /commons/proper/daemon/trunk/src/native/unix: configure.in native/jsvc-unix.c
Date Thu, 29 Jul 2010 16:10:32 GMT
Author: mturk
Date: Thu Jul 29 16:10:32 2010
New Revision: 980496

URL: http://svn.apache.org/viewvc?rev=980496&view=rev
Log:
DAEMON-168: Use libcap if present. If not use the legacy capability version as suggested by
Damien

Modified:
    commons/proper/daemon/trunk/src/native/unix/configure.in
    commons/proper/daemon/trunk/src/native/unix/native/jsvc-unix.c

Modified: commons/proper/daemon/trunk/src/native/unix/configure.in
URL: http://svn.apache.org/viewvc/commons/proper/daemon/trunk/src/native/unix/configure.in?rev=980496&r1=980495&r2=980496&view=diff
==============================================================================
--- commons/proper/daemon/trunk/src/native/unix/configure.in (original)
+++ commons/proper/daemon/trunk/src/native/unix/configure.in Thu Jul 29 16:10:32 2010
@@ -101,6 +101,10 @@ then
    LDCMD="$CC"
 fi
 AC_SUBST(LDCMD)
+if test "$supported_os" == "linux"
+then
+AC_CHECK_LIB([cap], [cap_init], [CFLAGS="$CFLAGS -DHAVE_LIBCAP" ; LIBS="$LIBS -lcap"])
+fi
 
 dnl -------------------------------------------------------------------------
 dnl Random programs we need to compile locally
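Review bot: The added guard `if test "$supported_os" == "linux"` uses `==`, which POSIX `test` does not define. Under a `/bin/sh` that rejects it, the condition evaluates false, the libcap probe is skipped, and the build silently falls back to the legacy capset path. Use `if test "$supported_os" = "linux"` instead. The probe also checks only the library, while jsvc-unix.c includes `<sys/capability.h>` whenever `HAVE_LIBCAP` is defined, so a host with the shared library but no development header would pass configure and then fail to compile. Making the define conditional on the header as well, for example by wrapping the `AC_CHECK_LIB` call in `AC_CHECK_HEADER([sys/capability.h], ...)`, would close that gap.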

Modified: commons/proper/daemon/trunk/src/native/unix/native/jsvc-unix.c
URL: http://svn.apache.org/viewvc/commons/proper/daemon/trunk/src/native/unix/native/jsvc-unix.c?rev=980496&r1=980495&r2=980496&view=diff
==============================================================================
--- commons/proper/daemon/trunk/src/native/unix/native/jsvc-unix.c (original)
+++ commons/proper/daemon/trunk/src/native/unix/native/jsvc-unix.c Thu Jul 29 16:10:32 2010
@@ -31,6 +31,9 @@
 #include <sys/syscall.h>
 #define _LINUX_FS_H
 #include <linux/capability.h>
+#ifdef HAVE_LIBCAP
+#include <sys/capability.h>
+#endif
 #endif
 #include <time.h>
 
@@ -148,6 +151,51 @@ static int set_user_group(char *user, in
 
 /* Set linux capability, user and group */
 #ifdef OS_LINUX
+#ifdef HAVE_LIBCAP
+static cap_value_t caps_std[] = {
+    CAP_NET_BIND_SERVICE,
+    CAP_SETUID,
+    CAP_SETGID,
+    CAP_DAC_READ_SEARCH
+};
+
+static cap_value_t caps_min[] = {
+    CAP_NET_BIND_SERVICE,
+    CAP_DAC_READ_SEARCH,
+    CAP_DAC_OVERRIDE
+};
+
+#define CAPS     1
+#define CAPSMIN  2
+
+static int set_caps(int cap_type)
+{
+    cap_t c;
+    int ncap;
+    cap_value_t *caps;
+
+    if (cap_type == CAPS) {
+        ncap = sizeof(caps_std)/sizeof(cap_value_t);
+        caps = caps_std;
+    }
+    else {
+        ncap = sizeof(caps_min)/sizeof(cap_value_t);
+        caps = caps_min;
+    }
+    c = cap_init();
+    cap_clear(c);
+    cap_set_flag(c, CAP_EFFECTIVE,   ncap, caps, CAP_SET);
+    cap_set_flag(c, CAP_INHERITABLE, ncap, caps, CAP_SET);
+    cap_set_flag(c, CAP_PERMITTED,   ncap, caps, CAP_SET);
+    if (cap_set_proc(c) != 0) {
+        log_error("failed setting capabilities in set_caps");
+        return -1;
+    }
+    cap_free(c);
+    return 0;
+}
+
+#else /* !HAVE_LIBCAP */
 /* CAPSALL is to allow to read/write at any location */
 #define CAPSALL (1 << CAP_NET_BIND_SERVICE) +   \
                 (1 << CAP_SETUID) +             \
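Review bot: In the libcap `set_caps`, the return of `cap_init()` is never checked and the `cap_set_proc` failure branch returns without `cap_free(c)`. An allocation failure therefore hands NULL to `cap_clear`/`cap_set_flag`, and the error path leaks the capability state. The three `cap_set_flag` calls are unchecked too, so if one fails, `cap_set_proc` still applies a set that is missing those flags. Separately, `caps_min` keeps `CAP_DAC_OVERRIDE`, which the legacy `CAPSMIN` in the `#else` branch does not. If that is intentional it deserves a comment, because otherwise the set retained after the uid change is wider with libcap than without it. One possible shape for the function body is below.

```c
static int set_caps(int cap_type)
{
    /* … unchanged: declarations and caps_std / caps_min selection … */
    int rv = -1;

    c = cap_init();
    if (c == NULL) {
        log_error("failed allocating capability state in set_caps");
        return -1;
    }
    /* … unchanged: cap_clear(c) … */
    if (cap_set_flag(c, CAP_EFFECTIVE,   ncap, caps, CAP_SET) != 0 ||
        cap_set_flag(c, CAP_INHERITABLE, ncap, caps, CAP_SET) != 0 ||
        cap_set_flag(c, CAP_PERMITTED,   ncap, caps, CAP_SET) != 0 ||
        cap_set_proc(c) != 0) {
        log_error("failed setting capabilities in set_caps");
    }
    else {
        rv = 0;
    }
    /* Release the working copy on both the success and the failure path. */
    cap_free(c);
    return rv;
}
```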
@@ -169,24 +217,27 @@ static int set_user_group(char *user, in
 #define CAPSMIN (1 << CAP_NET_BIND_SERVICE) +   \
                 (1 << CAP_DAC_READ_SEARCH)
 
+#define LEGACY_CAP_VERSION  0x19980330
 static int set_caps(int caps)
 {
     struct __user_cap_header_struct caphead;
     struct __user_cap_data_struct   cap;
 
     memset(&caphead, 0, sizeof caphead);
-    caphead.version = _LINUX_CAPABILITY_VERSION;
+    caphead.version = LEGACY_CAP_VERSION;
     caphead.pid = 0;
     memset(&cap, 0, sizeof cap);
     cap.effective = caps;
     cap.permitted = caps;
     cap.inheritable = caps;
     if (syscall(__NR_capset, &caphead, &cap) < 0) {
-        log_error("syscall failed in set_caps");
+        log_error("set_caps: failed to set capabilities");
+        log_error("check that your kernel supports capabilities");
         return -1;
     }
     return 0;
 }
+#endif
 
 static int linuxset_user_group(char *user, int uid, int gid)
 {
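Review bot: `LEGACY_CAP_VERSION` is introduced as a bare `0x19980330` with no explanation. That value is the kernel's `_LINUX_CAPABILITY_VERSION_1`, and the single `__user_cap_data_struct` plus the `1 << CAP_*` masks in this branch only match that 32-bit ABI. A comment such as `/* _LINUX_CAPABILITY_VERSION_1: 32-bit capability sets, one __user_cap_data_struct */` above the define would record why it is pinned. The failure branch also discards `errno`, so a permission failure cannot be told apart from a rejected version, while the second message blames the kernel. If `log_error` accepts a printf-style format (not visible in this hunk), including `strerror(errno)` in the first message would make the log usable for diagnosis. The new closing directive would be easier to follow as `#endif /* HAVE_LIBCAP */`.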


