[squid-dev] [PATCH][pinger][linux] drop capabilities
Amos Jeffries
squid3 at treenet.co.nz
Tue Mar 29 16:59:29 UTC 2016
On 22/02/2016 3:11 a.m., Yuriy M. Kaminskiy wrote:
> On linux, it is possible to install pinger helper with only CAP_NET_RAW
> raised instead of full setuid-root:
>
> (setcap cap_net_raw+ep /path/to/pinger && chmod u-s /path/to/pinger) || :
>
> However, pinger only drops setuid/setgid, and won't drop capabilities
> after sockets are opened (when it is setuid-root, setuid(getuid()) also
> drops capabilities, no code changes necessary; however, if it is only
> setcap'ed, setuid() is no-op).
>
> Attached patch fixes that (minimally tested, seems to work fine with
> both/either `setcap` and `chmod u+s`; non-linux/non-libcap
> configurations should not be affected).
Applied to trunk as rev.14613.
I took the liberty of correcting the errno debug outputs for the
function when merging.
Amos
More information about the squid-dev
mailing list