Hi all,
the already committed patch below should fix the problem of
having no permission to set all TOS bits (e.g. when using DiffServ) when
running as non-root via setuid().
Again, because prctl() is used, the code may not work on other platforms/OSes.
Also, maybe this should be optional, because it may produce a warning if
you started openpbx as non-root.
Armin
---------- Forwarded message ----------
Date: Tue, 14 Feb 2006 12:32:51 -0500
From: [EMAIL PROTECTED]
Reply-To: SubVersion Updates to OpenPBX and the Core Components
<[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: [Openpbx-svn] r1382 - openpbx/trunk/corelib
Author: armin
Date: 2006-02-14 12:32:50 -0500 (Tue, 14 Feb 2006)
New Revision: 1382
Modified:
openpbx/trunk/corelib/openpbx.c
Log:
Set CAP_NET_ADMIN after setuid() to allow setting
all TOS bits (needed for DiffServ).
Modified: openpbx/trunk/corelib/openpbx.c
===================================================================
--- openpbx/trunk/corelib/openpbx.c 2006-02-14 15:30:23 UTC (rev 1381)
+++ openpbx/trunk/corelib/openpbx.c 2006-02-14 17:32:50 UTC (rev 1382)
@@ -79,6 +79,9 @@
#include <netdb.h>
#endif
+#undef _POSIX_SOURCE
+#include <sys/capability.h>
+
#include "openpbx.h"
OPENPBX_FILE_VERSION("$HeadURL$", "$Revision$")
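Review bot: The `#undef _POSIX_SOURCE` and the Linux-only `#include <sys/capability.h>` are added unconditionally and without a comment, so the file presumably stops building wherever that header is absent. I would guard the include, and the capability code in the two later hunks, with `#ifdef __linux__` or a configure-time check, and add a short comment above the `#undef` saying which header conflict it works around. The `prctl()` call in the second hunk also needs `<sys/prctl.h>`, which this hunk does not add; it may already be included outside the visible lines.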
@@ -2058,7 +2061,20 @@
if (!is_child_of_nonroot) {
struct group *gr;
struct passwd *pw;
+ cap_user_header_t cap_header;
+ cap_user_data_t cap_data;
+ cap_header = alloca(sizeof(*cap_header));
+ cap_data = alloca(sizeof(*cap_data));
+ if (cap_header != NULL) {
+ cap_header->version = _LINUX_CAPABILITY_VERSION;
+ cap_header->pid = 0;
+ }
+ /* inherit our capabilities */
+ if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) == -1) {
+ opbx_log(LOG_WARNING, "Unable to keep capabilities:
%s\n", strerror(errno));
+ }
+
gr = getgrnam(rungroup);
if (!gr) {
opbx_log(LOG_ERROR, "No such group '%s'!\n", rungroup);
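Review bot: The `cap_header != NULL` test here (and the matching test in the last hunk) is dead code, because alloca() does not report failure by returning NULL, and `cap_data` stays uninitialised until capget() fills it. Plain automatic structs would be simpler and start from a known state: `struct __user_cap_header_struct cap_header = { _LINUX_CAPABILITY_VERSION, 0 };` and `struct __user_cap_data_struct cap_data = { 0, 0, 0 };`, passed as `&cap_header` and `&cap_data`. A failed `prctl(PR_SET_KEEPCAPS, ...)` is only logged, so the later capset() is then expected to fail as well; the warning text could say that CAP_NET_ADMIN will not be available. The enclosing `if (!is_child_of_nonroot)` block continues outside the hunk.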
@@ -2124,6 +2140,18 @@
opbx_verbose("Now running as user '' (%d)\n",
getegid());
}
}
+ if ((cap_header != NULL) && (cap_data != NULL)) {
+ /* get current capabilities */
+ if (capget(cap_header, cap_data) == -1) {
+ opbx_log(LOG_WARNING, "Unable to get
capabilities\n");
+ }
+ cap_data->effective = 1 << CAP_NET_ADMIN;
+ /* set capabilities including NET_ADMIN */
+ /* this allows us to e.g. set all TOS bits */
+ if (capset(cap_header, cap_data) == -1) {
+ opbx_log(LOG_WARNING, "Unable to set new
capabilities (CAP_NET_ADMIN)\n");
+ }
+ }
}
/* Check if we're root */
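Review bot: Only `cap_data->effective` is narrowed to CAP_NET_ADMIN here, so the permitted set that PR_SET_KEEPCAPS carried across the uid change (not visible in these hunks) still appears to hold every capability root had, and any code in the process can raise them again with capset(). The permitted and inheritable sets should be reduced in the same call, so that the unprivileged process keeps NET_ADMIN and nothing else. A failed capget() also falls through to capset() with whatever the alloca'd `cap_data` happens to contain; the assignment and the capset() call belong in the success branch. Once capset() has succeeded, `prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0)` would clear the keep-caps flag again.

```c
if (capget(cap_header, cap_data) == -1) {
    opbx_log(LOG_WARNING, "Unable to get capabilities\n");
} else {
    /* keep NET_ADMIN only; drop the rest of root's permitted set */
    cap_data->effective = 1 << CAP_NET_ADMIN;
    cap_data->permitted = 1 << CAP_NET_ADMIN;
    cap_data->inheritable = 0;
    /* … unchanged: capset() call and its warning … */
}
```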