[squid-dev] [PATCH][pinger][linux] drop capabilities
Yuriy M. Kaminskiy
yumkam at gmail.com
Sun Feb 21 14:11:30 UTC 2016
On linux, it is possible to install pinger helper with only CAP_NET_RAW
raised instead of full setuid-root:
(setcap cap_net_raw+ep /path/to/pinger && chmod u-s /path/to/pinger) || :
However, pinger only drops setuid/setgid, and won't drop capabilities
after sockets are opened (when it is setuid-root, setuid(getuid()) also
drops capabilities, no code changes necessary; however, if it is only
setcap'ed, setuid() is no-op).
Attached patch fixes that (minimally tested, seems to work fine with
both/either `setcap` and `chmod u+s`; non-linux/non-libcap
configurations should not be affected).
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pinger-drop-capabilities.patch
Type: text/x-diff
Size: 1146 bytes
Desc: not available
URL: <http://lists.squid-cache.org/pipermail/squid-dev/attachments/20160221/6534d7ea/attachment.patch>
More information about the squid-dev
mailing list