Ethereal-dev: Re: [Ethereal-dev] Patch for Linux Capabilities

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date Index Thread Index Other Months All Mailing Lists
Date Prev Date Next Thread Prev Thread Next
From: Emanuele Caratti <wiz@xxxxxxxxx>
Date: Sat, 1 Nov 2003 16:33:51 +0100
On Wed, Oct 29, 2003 at 06:24:35PM -0800, Guy Harris wrote:

> >On the todo list I've to change drop_priv to use the libcap packaged
> >instead of capget/capset..
> 
> ...and update the configure scripts so that it'll automatically figure 
> out whether to use the capability bits - "config.h" and "Makefile" are 
> files generated by the configure script.

Ok... Now I've a patch also for configure.in and Makefile.am.
The capability support is by default off.
If enabled, via configure command line  --enable-linux-capab, the
sys/capability.h must exist.

The capab.c now use the library libcap, so it not tied to a specific
kernel. If needed I can put back the code to use the non portable
capset/capget, and add a configure switch or something similar....

....comments are welcome! :)

-- 
Ciao,
 Emanuele

Index: configure.in
===================================================================
RCS file: /usr/src/build/cvsroot/ethereal/configure.in,v
retrieving revision 1.1.1.1
retrieving revision 1.1.1.1.2.3
diff -u -u -r1.1.1.1 -r1.1.1.1.2.3
--- configure.in	8 Sep 2003 03:13:14 -0000	1.1.1.1
+++ configure.in	1 Nov 2003 15:07:46 -0000	1.1.1.1.2.3
@@ -525,6 +525,26 @@
 
 AM_CONDITIONAL(SETUID_INSTALL, test x$enable_setuid_install = xyes)
 
+dnl Linux Capabilities
+AC_ARG_ENABLE(linux-capab,
+[  --enable-linux-capab [default=no (Needs libcap!)]],enable_linux_capab=$enableval,enable_linux_capab=no)
+
+AC_MSG_CHECKING(whether to use linux capability )
+if test "x$enable_linux_capab" = "xno" ; then
+	AC_MSG_RESULT(no)
+else
+	AC_MSG_RESULT(yes)
+	AC_CHECK_HEADERS(sys/capability.h)
+	if test "x$ac_cv_header_sys_capability_h" = "xyes" ; then
+		AC_DEFINE(ENABLE_LINUX_CAPABILITIES, 1, [Define to use Linux Capabilities ] )
+		LIBS="$LIBS -lcap"
+	else
+		enable_linux_capab=no
+	fi
+fi
+AM_CONDITIONAL(ENABLE_LINUX_CAPABILITIES, test x$enable_linux_capab = xyes)
+
+
 dnl Checks for header files.
 AC_HEADER_STDC
 AC_CHECK_HEADERS(fcntl.h sys/ioctl.h sys/time.h unistd.h stdarg.h netdb.h)
@@ -853,6 +873,7 @@
 echo "                      Build dftest : $enable_dftest"
 echo ""
 echo "                    Install setuid : $setuid_message"
+echo "                 Linux capabilities: $enable_linux_capab"
 echo "                       Use plugins : $have_plugins"
 echo "               Use GTK+ v2 library : $enable_gtk2"
 if test "x$enable_gtk2" = "xyes" ; then
Index: Makefile.am
===================================================================
RCS file: /usr/src/build/cvsroot/ethereal/Makefile.am,v
retrieving revision 1.1.1.1
retrieving revision 1.1.1.1.2.1
diff -u -u -r1.1.1.1 -r1.1.1.1.2.1
--- Makefile.am	6 Sep 2003 23:22:34 -0000	1.1.1.1
+++ Makefile.am	1 Nov 2003 08:26:50 -0000	1.1.1.1.2.1
@@ -806,6 +806,10 @@
 	summary.h      \
 	ui_util.h
 
+if ENABLE_LINUX_CAPABILITIES
+ethereal_SOURCES+= capab.c
+endif
+
 EXTRA_ethereal_SOURCES = \
 	snprintf.c	\
 	snprintf.h	\
@@ -888,6 +892,10 @@
 	tethereal-tap-register.c \
 	register.c     \
 	tethereal.c
+
+if ENABLE_LINUX_CAPABILITIES
+tethereal_SOURCES+= capab.c
+endif
 
 # Additional libs that I know how to build. These will be
 # linked into the tethereal executable.
Index: tethereal.c
===================================================================
RCS file: /usr/src/build/cvsroot/ethereal/tethereal.c,v
retrieving revision 1.1.1.1
retrieving revision 1.1.1.1.2.1
diff -u -u -r1.1.1.1 -r1.1.1.1.2.1
--- tethereal.c	8 Sep 2003 03:11:33 -0000	1.1.1.1
+++ tethereal.c	1 Nov 2003 08:26:51 -0000	1.1.1.1.2.1
@@ -68,6 +68,10 @@
 #include "getopt.h"
 #endif
 
+#ifdef ENABLE_LINUX_CAPABILITIES
+void drop_priv();
+#endif
+
 #include <glib.h>
 #include <epan/epan.h>
 #include <epan/filesystem.h>
@@ -798,6 +802,9 @@
   char                 badopt;
   ethereal_tap_list *tli;
 
+#ifdef ENABLE_LINUX_CAPABILITIES
+  drop_priv();
+#endif
   /* Register all dissectors; we must do this before checking for the
      "-G" flag, as the "-G" flag dumps information registered by the
      dissectors, and we must do it before we read the preferences, in
Index: gtk/main.c
===================================================================
RCS file: /usr/src/build/cvsroot/ethereal/gtk/main.c,v
retrieving revision 1.1.1.1
retrieving revision 1.1.1.1.2.1
diff -u -u -r1.1.1.1 -r1.1.1.1.2.1
--- gtk/main.c	5 Sep 2003 02:10:25 -0000	1.1.1.1
+++ gtk/main.c	1 Nov 2003 08:26:55 -0000	1.1.1.1.2.1
@@ -68,6 +68,10 @@
 #include "getopt.h"
 #endif
 
+#ifdef ENABLE_LINUX_CAPABILITIES
+void drop_priv();
+#endif
+
 #ifdef WIN32 /* Needed for console I/O */
 #include <fcntl.h>
 #include <conio.h>
@@ -1546,6 +1550,9 @@
   char optstring[sizeof(OPTSTRING_INIT) + sizeof(OPTSTRING_CHILD) - 1] =
     OPTSTRING_INIT;
 
+#ifdef ENABLE_LINUX_CAPABILITIES
+  drop_priv();
+#endif
   ethereal_path = argv[0];
 
 #ifdef WIN32

/* capab.c
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License
 * as published by the Free Software Foundation; either version 2
 * of the License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
 *
 */

#include <stdlib.h>
#include <stdio.h>
#include <sys/types.h>

#include <unistd.h>

#include <sys/capability.h>
#include <sys/prctl.h>

/* #define DEBUG_CAPABILITIES */

#ifdef DEBUG_CAPABILITIES
struct _cap_struct {
	    struct __user_cap_header_struct head;
		    struct __user_cap_data_struct set;
};

void
debug_print_priv(char *text)
{
	cap_t cap;
	struct _cap_struct *c;
	char *s;
	int p;

	int uid,euid,suid;
	int gid,egid,sgid;
	getresuid( &uid, &euid, &suid );
	getresgid( &gid, &egid, &sgid );

	printf("===\n%s\n",text);
	if( (cap = cap_get_proc()) == NULL ) {
		perror("cap_get_proc():");
		exit(1);
	}
	c = cap;
	s=cap_to_text(cap, NULL );
	if( ( p=prctl( PR_GET_KEEPCAPS, 0,0,0,0 ) ) < 0 ) 
		perror( "prctl:" );
	else 
		printf("KEEPCAPS: %d\n",p );
	printf("uid: %d, euid: %d, suid: %d\ngid: %d. egid: %d, sgid: %d\n", uid,euid,suid, gid,egid,sgid );
	printf("Caps: %s\n", s );

	printf("  effective = 0x%08x, permitted = 0x%08x, inheritable = 0x%08x\n",
			c->set.effective, c->set.permitted, c->set.inheritable);

	cap_free(s);
	printf("===\n\n");
}

#else
#define debug_print_priv( x ) 
#endif /* DEBUG_CAPABILITIES */

void
drop_priv()
{

	uid_t euid, uid;
	cap_t cap;

	euid = geteuid();
	uid = getuid();

	debug_print_priv("Before:");

	if (euid != 0) 
		return;

	if( prctl( PR_SET_KEEPCAPS, 1,0,0,0 ) < 0 ) 
		perror( "prctl:" );

	cap=cap_from_text( "cap_net_admin,cap_net_raw=pi" );
	if( cap_set_proc( cap ) < 0 ){
		perror("cap_set_proc(): ");
	}


	debug_print_priv("After cap_set_proc:");

	if (euid != uid) {
		if (setresuid(uid,uid,uid) < 0) {
			perror("setresuid()");
			exit(1);
		}
	}

	debug_print_priv("After setresuid:");

	cap=cap_from_text( "cap_net_admin,cap_net_raw=epi" );
	if( cap_set_proc( cap ) < 0 ){
		perror("cap_set_proc(): ");
	}

	debug_print_priv("After cap_set:");

}