Commit f1037ebd authored by Marek Vavrusa's avatar Marek Vavrusa

Detect rights to set capabilities, bugfixes.

refs #1556
parent ce37868c
......@@ -191,42 +191,63 @@ int main(int argc, char **argv)
free(cwbuf);
config_fn = abs_cfg;
}
// Open configuration
log_server_info("Parsing configuration '%s' ...\n", config_fn);
if (conf_open(config_fn) != KNOTD_EOK) {
log_server_error("Failed to parse configuration file '%s'.\n",
config_fn);
server_destroy(&server);
free(config_fn);
return 1;
} else {
log_server_info("Configured %d interfaces and %d zones.\n",
conf()->ifaces_count, conf()->zones_count);
}
log_server_info("\n");
/* Linux capabilities. */
#ifdef HAVE_SYS_CAPABILITY_H
cap_t caps = cap_init();
cap_t caps = cap_get_proc();
if (caps != NULL) {
/* Read current and clear. */
cap_flag_value_t set_caps = CAP_CLEAR;
cap_get_flag(caps, CAP_SETPCAP, CAP_EFFECTIVE, &set_caps);
cap_clear(caps);
/* Allow binding to privileged ports.
* (Not inheritable)
*/
*/
cap_set_pe(caps, CAP_NET_BIND_SERVICE);
/* Allow setuid/setgid. */
cap_set_pe(caps, CAP_SETUID);
cap_set_pe(caps, CAP_SETGID);
cap_set_pe(caps, CAP_SETPCAP);
/*! \todo Config file read? DAC_OVERRIDE ? */
/* Allow priorities changing. */
cap_set_pe(caps, CAP_SYS_NICE);
/* Inherit nothing. */
/* Apply */
int caps_res = 0;
if (set_caps == CAP_SET) {
caps_res = cap_set_proc(caps);
} else {
log_server_info("User uid=%d is not allowed to set "
"capabilities, skipping.\n", getuid());
}
if (caps_res < 0) {
log_server_error("Couldn't set process capabilities - "
"%s.\n", strerror(errno));
}
/* Free capabilities list. */
cap_free(caps);
} else {
log_server_error("Couldn't initialize Linux capabilities.\n");
}
#endif
// Open configuration
log_server_info("Parsing configuration '%s' ...\n", config_fn);
if (conf_open(config_fn) != KNOTD_EOK) {
log_server_error("Failed to parse configuration file '%s'.\n",
config_fn);
server_destroy(&server);
free(config_fn);
return 1;
} else {
log_server_info("Configured %d interfaces and %d zones.\n",
conf()->ifaces_count, conf()->zones_count);
}
log_server_info("\n");
// Create server instance
char* pidfile = pid_filename();
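Review bot: When `cap_set_proc(caps)` fails, the `caps_res < 0` branch only logs and startup continues, so the daemon keeps whatever capability set it was started with (the full set, if started as root) while the log reads like a routine error. Since this block is the privilege reduction, consider failing closed there: after `cap_free(caps)`, take the same exit as the `conf_open` failure path (`server_destroy(&server); free(config_fn); return 1;`), or at least log explicitly that the process continues with unreduced capabilities. The return value of `cap_get_flag` is also unchecked; this appears harmless only because `set_caps` starts as `CAP_CLEAR`, which deserves a short comment such as `/* stays CAP_CLEAR if the query fails, so the drop is skipped */`. Because the drop now runs before `conf_open`, the `\todo` about `DAC_OVERRIDE` is no longer hypothetical: a configuration file that was previously readable only by overriding file permissions would presumably now fail to open. `main` starts and ends outside this hunk.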
......