diff options
-rw-r--r-- | src/shared/capability.c | 71 | ||||
-rw-r--r-- | src/shared/capability.h | 2 | ||||
-rw-r--r-- | src/shared/util.c | 3 | ||||
-rw-r--r-- | src/timesync/timesyncd.c | 68 |
4 files changed, 74 insertions, 70 deletions
diff --git a/src/shared/capability.c b/src/shared/capability.c index b49c514009..69e054b1ff 100644 --- a/src/shared/capability.c +++ b/src/shared/capability.c @@ -29,12 +29,13 @@ #include <ctype.h> #include <sys/capability.h> #include <sys/prctl.h> +#include "grp.h" #include "macro.h" -#include "capability.h" #include "util.h" #include "log.h" #include "fileio.h" +#include "capability.h" int have_effective_cap(int value) { _cleanup_cap_free_ cap_t cap; @@ -212,3 +213,71 @@ int capability_bounding_set_drop_usermode(uint64_t drop) { return r; } + +int drop_privileges(uid_t uid, gid_t gid, uint64_t keep_capabilites) { + + _cleanup_cap_free_ cap_t d = NULL; + cap_value_t bits[sizeof(keep_capabilites)*8]; + unsigned i, j = 0; + int r; + + /* Unfortunately we cannot leave privilege dropping to PID 1 + * here, since we want to run as user but want to keep some + * capabilities. Since file capabilities have been introduced + * this cannot be done across exec() anymore, unless our + * binary has the capability configured in the file system, + * which we want to avoid. */ + + if (setresgid(gid, gid, gid) < 0) { + log_error("Failed change group ID: %m"); + return -errno; + } + + if (setgroups(0, NULL) < 0) { + log_error("Failed to drop auxiliary groups list: %m"); + return -errno; + } + + if (prctl(PR_SET_KEEPCAPS, 1) < 0) { + log_error("Failed to enable keep capabilities flag: %m"); + return -errno; + } + + r = setresuid(uid, uid, uid); + if (r < 0) { + log_error("Failed change user ID: %m"); + return -errno; + } + + if (prctl(PR_SET_KEEPCAPS, 0) < 0) { + log_error("Failed to disable keep capabilities flag: %m"); + return -errno; + } + + r = capability_bounding_set_drop(~keep_capabilites, true); + if (r < 0) { + log_error("Failed to drop capabilities: %s", strerror(-r)); + return r; + } + + d = cap_init(); + if (!d) + return log_oom(); + + for (i = 0; i < sizeof(keep_capabilites)*8; i++) + if (keep_capabilites & (1ULL << i)) + bits[j++] = i; + + if (cap_set_flag(d, CAP_EFFECTIVE, j, bits, CAP_SET) < 0 || + cap_set_flag(d, CAP_PERMITTED, j, bits, CAP_SET) < 0) { + log_error("Failed to enable capabilities bits: %m"); + return -errno; + } + + if (cap_set_proc(d) < 0) { + log_error("Failed to increase capabilities: %m"); + return -errno; + } + + return 0; +} diff --git a/src/shared/capability.h b/src/shared/capability.h index 64f86410ab..3e6d9995f5 100644 --- a/src/shared/capability.h +++ b/src/shared/capability.h @@ -32,6 +32,8 @@ int have_effective_cap(int value); int capability_bounding_set_drop(uint64_t drop, bool right_now); int capability_bounding_set_drop_usermode(uint64_t drop); +int drop_privileges(uid_t uid, gid_t gid, uint64_t keep_capabilites); + DEFINE_TRIVIAL_CLEANUP_FUNC(cap_t, cap_free); #define _cleanup_cap_free_ _cleanup_(cap_freep) diff --git a/src/shared/util.c b/src/shared/util.c index 17b0ae16cf..4a3e35f356 100644 --- a/src/shared/util.c +++ b/src/shared/util.c @@ -6480,8 +6480,7 @@ void hexdump(FILE *f, const void *p, size_t s) { } } -int update_reboot_param_file(const char *param) -{ +int update_reboot_param_file(const char *param) { int r = 0; if (param) { diff --git a/src/timesync/timesyncd.c b/src/timesync/timesyncd.c index a56bbc30ca..27f6b2d226 100644 --- a/src/timesync/timesyncd.c +++ b/src/timesync/timesyncd.c @@ -1196,72 +1196,6 @@ static int manager_network_monitor_listen(Manager *m) { return 0; } -static int drop_privileges(uid_t uid, gid_t gid) { - - static const cap_value_t bits[] = { - CAP_SYS_TIME, - }; - - _cleanup_cap_free_ cap_t d = NULL; - int r; - - /* Unfortunately we cannot leave privilege dropping to PID 1 - * here, since we want to run as user but want to keep te - * CAP_SYS_TIME capability. Since file capabilities have been - * introduced this cannot be done across exec() anymore, - * unless our binary has the capability configured in the file - * system, which we want to avoid. */ - - if (setresgid(gid, gid, gid) < 0) { - log_error("Failed change group ID: %m"); - return -errno; - } - - if (setgroups(0, NULL) < 0) { - log_error("Failed to drop auxiliary groups list: %m"); - return -errno; - } - - if (prctl(PR_SET_KEEPCAPS, 1) < 0) { - log_error("Failed to enable keep capabilities flag: %m"); - return -errno; - } - - r = setresuid(uid, uid, uid); - if (r < 0) { - log_error("Failed change user ID: %m"); - return -errno; - } - - if (prctl(PR_SET_KEEPCAPS, 0) < 0) { - log_error("Failed to disable keep capabilities flag: %m"); - return -errno; - } - - r = capability_bounding_set_drop(~(1ULL << CAP_SYS_TIME), true); - if (r < 0) { - log_error("Failed to drop capabilities: %s", strerror(-r)); - return r; - } - - d = cap_init(); - if (!d) - return log_oom(); - - if (cap_set_flag(d, CAP_EFFECTIVE, ELEMENTSOF(bits), bits, CAP_SET) < 0 || - cap_set_flag(d, CAP_PERMITTED, ELEMENTSOF(bits), bits, CAP_SET) < 0) { - log_error("Failed to enable capabilities bits: %m"); - return -errno; - } - - if (cap_set_proc(d) < 0) { - log_error("Failed to increase capabilities: %m"); - return -errno; - } - - return 0; -} - int main(int argc, char *argv[]) { const char *user = "systemd-timesync"; _cleanup_manager_free_ Manager *m = NULL; @@ -1291,7 +1225,7 @@ int main(int argc, char *argv[]) { if (r < 0) goto out; - r = drop_privileges(uid, gid); + r = drop_privileges(uid, gid, (1ULL << CAP_SYS_TIME)); if (r < 0) goto out; |