From: Chuck Lever <chuck.lever@oracle.com>
To: steved@redhat.com
Cc: chris.mason@oracle.com, linux-nfs@vger.kernel.org
Subject: [PATCH 22/24] libnsm.a: retain CAP_NET_BIND when dropping privileges
Date: Thu, 14 Jan 2010 12:32:03 -0500 [thread overview]
Message-ID: <20100114173203.26079.35147.stgit@localhost.localdomain> (raw)
In-Reply-To: <20100114172457.26079.66627.stgit-bi+AKbBUZKY6gyzm1THtWbp2dZbC/Bob@public.gmane.org>
I'm about to switch the order of listener creation and dropping root
privileges. rpc.statd will drop privileges first, then create its
listeners. The reason for the new ordering is explained in a
subsequent patch.
However, for non-TI-RPC builds, rpc_init() needs to use a privileged
port to do pmap registrations. For both TI-RPC and non-TI-RPC builds,
CAP_NET_BIND is required in case the admin requests a privileged
listener port on the statd command line.
So that these requirements are met, nsm_drop_privileges() will now
retain CAP_NET_BIND while dropping root.
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
---
aclocal/libcap.m4 | 15 +++++++++++++++
configure.ac | 3 +++
support/nsm/file.c | 41 ++++++++++++++++++++++++++++++++++++++++-
utils/statd/Makefile.am | 4 ++--
4 files changed, 60 insertions(+), 3 deletions(-)
create mode 100644 aclocal/libcap.m4
diff --git a/aclocal/libcap.m4 b/aclocal/libcap.m4
new file mode 100644
index 0000000..eabe507
--- /dev/null
+++ b/aclocal/libcap.m4
@@ -0,0 +1,15 @@
+dnl Checks for libcap.so
+dnl
+AC_DEFUN([AC_LIBCAP], [
+
+ dnl look for prctl
+ AC_CHECK_FUNC([prctl], , )
+
+ dnl look for the library; do not add to LIBS if found
+ AC_CHECK_LIB([cap], [cap_get_proc], [LIBCAP=-lcap], ,)
+ AC_SUBST(LIBCAP)
+
+ AC_CHECK_HEADERS([sys/capability.h], ,
+ [AC_MSG_ERROR([libcap headers not found.])])
+
+])dnl
diff --git a/configure.ac b/configure.ac
index ea6f4d9..c77c5ba 100644
--- a/configure.ac
+++ b/configure.ac
@@ -166,6 +166,9 @@ fi
dnl Check for TI-RPC library and headers
AC_LIBTIRPC
+dnl Check for -lcap
+AC_LIBCAP
+
# Check whether user wants TCP wrappers support
AC_TCP_WRAPPERS
diff --git a/support/nsm/file.c b/support/nsm/file.c
index 8796705..d469219 100644
--- a/support/nsm/file.c
+++ b/support/nsm/file.c
@@ -67,6 +67,8 @@
#endif
#include <sys/types.h>
+#include <sys/capability.h>
+#include <sys/prctl.h>
#include <sys/stat.h>
#include <ctype.h>
@@ -335,6 +337,34 @@ nsm_is_default_parentdir(void)
return strcmp(nsm_base_dirname, NSM_DEFAULT_STATEDIR) == 0;
}
+/*
+ * Clear all capabilities but CAP_NET_BIND_SERVICE. This permits
+ * callers to acquire privileged source ports, but all other root
+ * capabilities are disallowed.
+ *
+ * Returns true if successful, or false if some error occurred.
+ */
+static _Bool
+nsm_clear_capabilities(void)
+{
+ cap_t caps;
+
+ caps = cap_from_text("cap_net_bind_service=ep");
+ if (caps == NULL) {
+ xlog(L_ERROR, "Failed to allocate capability: %m");
+ return false;
+ }
+
+ if (cap_set_proc(caps) == -1) {
+ xlog(L_ERROR, "Failed to set capability flags: %m");
+ (void)cap_free(caps);
+ return false;
+ }
+
+ (void)cap_free(caps);
+ return true;
+}
+
/**
* nsm_drop_privileges - drop root privileges
* @pidfd: file descriptor of a pid file
@@ -382,6 +412,14 @@ nsm_drop_privileges(const int pidfd)
if (fchown(pidfd, st.st_uid, st.st_gid) == -1)
xlog_warn("Failed to change owner of pidfile: %m");
+ /*
+ * Don't clear capabilities when dropping root.
+ */
+ if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) == -1) {
+ xlog(L_ERROR, "prctl(PR_SET_KEEPCAPS) failed: %m");
+ return 0;
+ }
+
if (setgroups(0, NULL) == -1) {
xlog(L_ERROR, "Failed to drop supplementary groups: %m");
return false;
@@ -399,7 +437,8 @@ nsm_drop_privileges(const int pidfd)
}
xlog(D_CALL, "Effective UID, GID: %u, %u", st.st_uid, st.st_gid);
- return true;
+
+ return nsm_clear_capabilities();
}
/**
diff --git a/utils/statd/Makefile.am b/utils/statd/Makefile.am
index a94c012..1744791 100644
--- a/utils/statd/Makefile.am
+++ b/utils/statd/Makefile.am
@@ -15,10 +15,10 @@ BUILT_SOURCES = $(GENFILES)
statd_LDADD = ../../support/nsm/libnsm.a \
../../support/nfs/libnfs.a \
../../support/misc/libmisc.a \
- $(LIBWRAP) $(LIBNSL)
+ $(LIBWRAP) $(LIBNSL) $(LIBCAP)
sm_notify_LDADD = ../../support/nsm/libnsm.a \
../../support/nfs/libnfs.a \
- $(LIBNSL)
+ $(LIBNSL) $(LIBCAP)
EXTRA_DIST = sim_sm_inter.x $(man8_MANS) COPYRIGHT simulate.c
next prev parent reply other threads:[~2010-01-14 17:33 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-01-14 17:28 [PATCH 00/24] Remaining IPv6 patches for statd Chuck Lever
[not found] ` <20100114172457.26079.66627.stgit-bi+AKbBUZKY6gyzm1THtWbp2dZbC/Bob@public.gmane.org>
2010-01-14 17:28 ` [PATCH 01/24] libnsm.a: Add RPC construction helper functions Chuck Lever
2010-01-14 17:29 ` [PATCH 02/24] sm-notify: Replace RPC code Chuck Lever
2010-01-14 17:29 ` [PATCH 03/24] statd: Update rmtcall.c Chuck Lever
2010-01-14 17:29 ` [PATCH 04/24] sm-notify: factor socket creation out of notify() Chuck Lever
2010-01-14 17:29 ` [PATCH 05/24] sm-notify: Support creating a PF_INET6 socket in smn_create_socket() Chuck Lever
2010-01-14 17:29 ` [PATCH 06/24] sm-notify: IPv6 support in reserved port binding " Chuck Lever
2010-01-14 17:29 ` [PATCH 07/24] sm-notify: Use getaddrinfo(3) to create bind address " Chuck Lever
2010-01-14 17:30 ` [PATCH 08/24] sm-notify: Support IPv6 DNS lookups in smn_lookup Chuck Lever
2010-01-14 17:30 ` [PATCH 09/24] nfs-utils: Collect socket address helpers into one location Chuck Lever
2010-01-14 17:30 ` [PATCH 10/24] statd: Introduce statd version of matchhostname() Chuck Lever
2010-01-14 17:30 ` [PATCH 11/24] statd: add nsm_present_address() API Chuck Lever
2010-01-14 17:30 ` [PATCH 12/24] statd: add IPv6 support in sm_notify_1_svc() Chuck Lever
2010-01-14 17:30 ` [PATCH 13/24] statd: Support IPv6 is caller_is_localhost() Chuck Lever
2010-01-14 17:30 ` [PATCH 14/24] statd: Support IPv6 in sm_simu_crash_1_svc Chuck Lever
2010-01-14 17:31 ` [PATCH 15/24] sm-notify: Save mon_name and my_name strings Chuck Lever
2010-01-14 17:31 ` [PATCH 16/24] libnsm.a: Factor atomic write code out of nsm_get_state() Chuck Lever
2010-01-14 17:31 ` [PATCH 17/24] libnsm.a: Add support for multiple lines in monitor record files Chuck Lever
2010-01-14 17:31 ` [PATCH 18/24] statd: Add API to canonicalize mon_names Chuck Lever
2010-01-14 17:31 ` [PATCH 19/24] statd: Support IPv6 in sm_mon_1_svc() Chuck Lever
2010-01-14 17:31 ` [PATCH 20/24] statd: Support IPv6 in sm_stat_1_svc() Chuck Lever
2010-01-14 17:31 ` [PATCH 21/24] statd: Remove NL_ADDR() macro Chuck Lever
2010-01-14 17:32 ` Chuck Lever [this message]
2010-01-14 17:32 ` [PATCH 23/24] statd: Support TI-RPC statd listener Chuck Lever
2010-01-14 17:32 ` [PATCH 24/24] statd: update rpc.statd(8) and sm-notify(8) to reflect IPv6 support Chuck Lever
2010-01-16 13:22 ` [PATCH 00/24] Remaining IPv6 patches for statd Steve Dickson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20100114173203.26079.35147.stgit@localhost.localdomain \
--to=chuck.lever@oracle.com \
--cc=chris.mason@oracle.com \
--cc=linux-nfs@vger.kernel.org \
--cc=steved@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox