On Fri, Dec 19, 2008 at 9:06 PM, Pranav Desai <[email protected]> wrote:
> On Thu, Dec 18, 2008 at 2:34 AM, Graham Leggett <[email protected]> wrote:
>> Pranav Desai wrote:
>>
>>> Yeah, the application changes are restricted to a few lines. I believe
>>> you mean the connect_backend() and not the proxy_connect module for
>>> the CONNECT method ?
>>
>> I did yes, sorry.
>>
>> If this can be made available to all the proxy modules in one go, it would
>> be ideal.
>>
>
> There are more changes than I thought there would be. Tproxy needs the
> CAP_NET_ADMIN capability for setting the setsockopt(). So it seems
> like I have to preserve the capabilities using prctl and then after
> the effective user changes to non-privileged, set the CAP_NET_ADMIN
> capability for that process.
> What I am not sure of is:
> * What's the best place to keep the capabilities, since it would have
> to be done before it drops the privilege.
> * Would I have to add the capability for all processes that are
> created for handling requests ?
>
> Is there a better way to set the capabilities of all the spawned processes ?

I have included a patch for this support. Please let me know if I have
missed things. I tried to restrict the changes to the module alone,
but due to the nature of the changes, I have to go into the os/ and
also the srclib area. If you guys can suggest any better solution
please let me know.

http://miscfiles.googlecode.com/svn/trunk/tproxy.patch

Thanks
-- Pranav

>
> Thanks
> -- Pranav
>
>> Regards,
>> Graham
>> --
>>
>
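
Added example, not part of the original message and not taken from the linked patch: a C program for Linux showing the sequence the message describes, keeping capabilities across the switch to an unprivileged user with prctl and then reducing the process to CAP_NET_ADMIN alone. The helper names and the uid/gid 65534 are assumptions, and it calls the raw capset(2) syscall instead of libcap.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <linux/capability.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Build a v3 capability set holding exactly one capability:
 * permitted and effective, nothing inheritable. */
static void single_cap_set(int cap, struct __user_cap_data_struct data[2])
{
    memset(data, 0, 2 * sizeof(data[0]));
    data[cap >> 5].permitted = 1u << (cap & 31);   /* 32 caps per word */
    data[cap >> 5].effective = 1u << (cap & 31);
}

/* Hypothetical helper: switch from root to uid/gid, keeping only `cap`.
 * Returns 0 on success or the negated number of the step that failed. */
static int drop_root_keep_cap(uid_t uid, gid_t gid, int cap)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];

    /* 1. Without this, setuid() away from root clears the permitted set. */
    if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) != 0) return -1;
    /* 2. Groups first: they cannot be changed once uid 0 is gone. */
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0) return -2;
    /* 3. Permitted set survives; the effective set is still cleared. */
    if (setuid(uid) != 0) return -3;
    /* 4. Shrink permitted to the one capability and re-raise it. */
    single_cap_set(cap, data);
    if (syscall(SYS_capset, &hdr, data) != 0) return -4;
    /* 5. Reset the flag and confirm root cannot be regained. */
    if (prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0) != 0) return -5;
    if (setuid(0) == 0) return -6;
    return 0;
}

int main(void)
{
    /* 65534 ("nobody" on many systems) is an assumed unprivileged id. */
    int rc = drop_root_keep_cap(65534, 65534, CAP_NET_ADMIN);
    if (rc != 0) {
        fprintf(stderr, "privilege drop failed at step %d\n", -rc);
        return 1;
    }
    puts("unprivileged, CAP_NET_ADMIN only");
    return 0;
}
```

Capability sets are copied across fork(2), so a process forked after this call carries the same single capability; with an empty inheritable set it is lost on execve(2) of a binary without file capabilities.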
