Bugzilla – Attachment 2880 Details for Bug 2625: Support Capabilities for ssh client port forwarding
[patch]
Don't require a root if there is CAP_NET_BIND_SERVICE
privileged-port-forwarding-with-capabilities.patch (text/plain), 1.31 KB, created by Alexey Mochkin on 2016-10-17 21:15:34 AEDT
>--- openssh-7.3p1.orig/readconf.c >+++ openssh-7.3p1/readconf.c >@@ -15,6 +15,7 @@ > #include "includes.h" > > #include <sys/types.h> >+#include <sys/capability.h> > #include <sys/stat.h> > #include <sys/socket.h> > #include <sys/wait.h> >@@ -327,7 +328,16 @@ add_local_forward(Options *options, cons > extern uid_t original_real_uid; > int i; > >+ cap_flag_value_t cap_flag_value_e, cap_flag_value_p; >+ cap_t caps; >+ >+ caps = cap_get_proc(); >+ cap_get_flag(caps, CAP_NET_BIND_SERVICE, CAP_EFFECTIVE, &cap_flag_value_e); >+ cap_get_flag(caps, CAP_NET_BIND_SERVICE, CAP_PERMITTED, &cap_flag_value_p); >+ >+ //caps & CAP_TO_MASK(CAP_NET_BIND_SERVICE) != CAP_TO_MASK(CAP_NET_BIND_SERVICE) && > if (newfwd->listen_port < IPPORT_RESERVED && original_real_uid != 0 && >+ (cap_flag_value_e != CAP_SET || cap_flag_value_p != CAP_SET) && > newfwd->listen_path == NULL) > fatal("Privileged ports can only be forwarded by root."); > /* Don't add duplicates */ >--- openssh-7.3p1.orig/configure.ac >+++ openssh-7.3p1/configure.ac >@@ -775,6 +775,9 @@ main() { if (NSVersionOfRunTimeLibrary(" > use_pie=auto > check_for_libcrypt_later=1 > check_for_openpty_ctty_bug=1 >+ # libcap >+ # use capabilities >+ LIBS="$LIBS -lcap" > AC_DEFINE([PAM_TTY_KLUDGE], [1], > [Work around problematic Linux PAM modules handling of PAM_TTY]) > AC_DEFINE([LOCKED_PASSWD_PREFIX], ["!"],
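Review bot: The `#include <sys/capability.h>` added at the top of readconf.c (first hunk) is unconditional, so the file no longer compiles on any system that lacks the libcap headers. Wrap the include, and the capability code that depends on it, in a preprocessor guard driven by a configure check, for example `#ifdef HAVE_SYS_CAPABILITY_H` as defined by `AC_CHECK_HEADERS([sys/capability.h])`, so that builds without libcap keep the existing root-only behaviour.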
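Review bot: In the add_local_forward() hunk of readconf.c, the result of `cap_get_proc()` and both `cap_get_flag()` calls is never checked, so on failure `cap_flag_value_e` and `cap_flag_value_p` are read uninitialized in the condition that decides whether a privileged port may be forwarded. Initialize both to `CAP_CLEAR`, treat a NULL `caps` or a non-zero `cap_get_flag()` return as "capability not held", and release the handle with `cap_free(caps)` before returning, since it is currently leaked on every call. Two smaller points in the same hunk: the commented-out `//caps & CAP_TO_MASK(...)` line should be dropped rather than committed, and the `fatal()` text still says "by root" although the check now also accepts CAP_NET_BIND_SERVICE. The permitted-set test is also redundant with the effective-set test, because a capability in the effective set is always in the permitted set.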
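Review bot: In the configure.ac hunk, `LIBS="$LIBS -lcap"` is appended with no probe for the library, so configure succeeds and the link then fails on hosts of this platform that do not have libcap installed. Because `LIBS` is global, it also links every binary built from this tree against libcap, not only the ssh client that uses it. Replace the unconditional assignment with `AC_CHECK_LIB([cap], [cap_get_proc])` paired with `AC_CHECK_HEADERS([sys/capability.h])`, ideally behind an opt-in configure switch, and add the library only to the link line of the program that calls it.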
Attachments on bug 2625: 2880 | 2883 | 2941