Author: mturk
Date: Thu Feb 11 18:46:58 2010
New Revision: 909104
URL: http://svn.apache.org/viewvc?rev=909104&view=rev
Log:
Fix DAEMON-16 by adding CAP_DAC_READ_SEARCH to allow reading /proc/self. This
might, however, open some other security issues, so it needs a review
Modified:
commons/proper/daemon/trunk/src/native/unix/native/jsvc-unix.c
Modified: commons/proper/daemon/trunk/src/native/unix/native/jsvc-unix.c
URL:
http://svn.apache.org/viewvc/commons/proper/daemon/trunk/src/native/unix/native/jsvc-unix.c?rev=909104&r1=909103&r2=909104&view=diff
==============================================================================
--- commons/proper/daemon/trunk/src/native/unix/native/jsvc-unix.c (original)
+++ commons/proper/daemon/trunk/src/native/unix/native/jsvc-unix.c Thu Feb 11
18:46:58 2010
@@ -158,10 +158,13 @@
(1 << CAP_DAC_OVERRIDE)
/* That a more reasonable configuration */
#define CAPS (1 << CAP_NET_BIND_SERVICE)+ \
+ (1 << CAP_DAC_READ_SEARCH)+ \
(1 << CAP_SETUID)+ \
(1 << CAP_SETGID)
/* probably the only one Java could use */
-#define CAPSMIN (1 << CAP_NET_BIND_SERVICE)
+#define CAPSMIN (1 << CAP_NET_BIND_SERVICE)+ \
+ (1 << CAP_DAC_READ_SEARCH)
+
static int set_caps(int caps)
{
struct __user_cap_header_struct caphead;
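Review bot: CAPSMIN now carries CAP_DAC_READ_SEARCH, which is not scoped to /proc/self: it bypasses read permission checks on every file and read/search checks on every directory. If CAPSMIN is the set the Java process keeps after the uid switch (the comment above it suggests so, but set_caps continues past the hunk and its callers are not visible), file modes no longer keep any file unreadable to code running in the JVM. The comment `/* probably the only one Java could use */` no longer matches the two-bit value and should record the trade-off, e.g. `/* bind low ports; DAC_READ_SEARCH is needed to read /proc/self (DAEMON-16) and bypasses read checks on all files */`. CAPS and CAPSMIN also expand unparenthesized and combine bits with `+`, so wrapping each expansion in parentheses and joining the bits with `|` would keep an expression such as `~CAPSMIN` correct.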