Bugzilla – Attachment 2883 Details for Bug 2625: Support Capabilities for ssh client port forwarding
[patch] Add configure bits, move Linux specific code to port-linux.c
openssh-linux-capabilities.patch (text/plain), 2.50 KB, created by Darren Tucker on 2016-10-24 12:21:40 AEDT
>diff --git a/configure.ac b/configure.ac >index f5e1378..6dd6b9c 100644 >--- a/configure.ac >+++ b/configure.ac >@@ -4699,6 +4699,24 @@ AC_ARG_WITH([bsd-auth], > ] > ) > >+AC_ARG_WITH([capabilities], >+ [ --with-capabilities Enable Linux capabilities], >+ [ >+ if test "x$withval" != "xno" ; then >+ AC_CHECK_DECL(CAP_NET_BIND_SERVICE, [], >+ [AC_MSG_ERROR([CAP_NET_BIND_SERVICE not found])], >+ [#include <sys/capability.h>] >+ ) >+ AC_SEARCH_LIBS([cap_get_proc], [cap], [ >+ AC_DEFINE([LINUX_CAPABILITIES], [1], >+ [Define if you want to use Linux capabilties]) >+ ], [ >+ AC_MSG_ERROR([libcap not found]) >+ ]) >+ fi >+ ] >+) >+ > # Where to place sshd.pid > piddir=/var/run > # make sure the directory exists >diff --git a/misc.c b/misc.c >index 07d4179..93df912 100644 >--- a/misc.c >+++ b/misc.c >@@ -1247,7 +1247,11 @@ forward_equals(const struct Forward *a, const struct Forward *b) > int > bind_permitted(int port, uid_t uid) > { >+#ifdef LINUX_CAPABILITIES >+ return linux_capability_bind_permitted(); >+#else > if (port < IPPORT_RESERVED && uid != 0) > return 0; > return 1; >+#endif > } >diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c >index e4c5d1b..0dd94f8 100644 >--- a/openbsd-compat/port-linux.c >+++ b/openbsd-compat/port-linux.c >@@ -16,12 +16,14 @@ > */ > > /* >- * Linux-specific portability code - just SELinux support at present >+ * Linux-specific portability code. >+ * - SELinux >+ * - OOM killer adjustments >+ * - Capabilities > */ > > #include "includes.h" > >-#if defined(WITH_SELINUX) || defined(LINUX_OOM_ADJUST) > #include <errno.h> > #include <stdarg.h> > #include <string.h> 
>@@ -306,4 +308,21 @@ oom_adjust_restore(void) > return; > } > #endif /* LINUX_OOM_ADJUST */ >-#endif /* WITH_SELINUX || LINUX_OOM_ADJUST */ >+ >+#ifdef LINUX_CAPABILITIES >+#include <sys/capability.h> >+ >+int >+linux_capability_bind_permitted() >+{ >+ cap_flag_value_t e, p; >+ cap_t caps; >+ >+ if ((caps = cap_get_proc()) == NULL || >+ cap_get_flag(caps, CAP_NET_BIND_SERVICE, CAP_EFFECTIVE, &e) != 0 || >+ cap_get_flag(caps, CAP_NET_BIND_SERVICE, CAP_PERMITTED, &p) != 0 || >+ e != CAP_SET || p != CAP_SET) >+ return 0; >+ return 1; >+} >+#endif /* LINUX_CAPABILITIES */ >diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h >index 3c22a85..fb04005 100644 >--- a/openbsd-compat/port-linux.h >+++ b/openbsd-compat/port-linux.h >@@ -30,4 +30,8 @@ void oom_adjust_restore(void); > void oom_adjust_setup(void); > #endif > >+#ifdef LINUX_CAPABILITIES >+int linux_capability_bind_permitted(void); >+#endif >+ > #endif /* ! _PORT_LINUX_H */
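Review bot: In the configure.ac hunk, the AC_DEFINE description is misspelled as "Linux capabilties"; it should read "capabilities", since that string is what ends up as the comment next to LINUX_CAPABILITIES in the generated config header. The help text "Enable Linux capabilities" could also say that the option requires libcap and that it changes how bind_permitted() decides on forwarded ports, because nothing else in the patch documents the new switch.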
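Review bot: In the misc.c hunk, the LINUX_CAPABILITIES branch of bind_permitted() ignores both `port` and `uid`, so the capability test is applied to every port rather than only to ports below IPPORT_RESERVED. A process without CAP_NET_BIND_SERVICE gets 0 here even for a high port, which the `#else` branch would allow. Suggest keeping the port test in front of the capability check, for example `if (port >= IPPORT_RESERVED) return 1;` followed by `return linux_capability_bind_permitted();`, which also avoids leaving `port` unused in that configuration.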
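Review bot: In the first port-linux.c hunk (the header comment and include block), removing `#if defined(WITH_SELINUX) || defined(LINUX_OOM_ADJUST)` makes the `#include <errno.h>` block unconditional even when none of the three features is enabled. Extending the guard with `|| defined(LINUX_CAPABILITIES)` would keep the previous behaviour for builds that use none of them; if dropping the guard is intentional, a line in the commit message saying so would help.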
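Review bot: In the second port-linux.c hunk, linux_capability_bind_permitted() never releases the `cap_t` returned by cap_get_proc(): both the `return 0` path (when a later cap_get_flag() fails or a flag is not CAP_SET) and the `return 1` path leak it on every call. Suggest splitting the condition so that `caps` is passed to cap_free() before either return once cap_get_proc() has succeeded. Separately, the definition uses empty parentheses, `linux_capability_bind_permitted()`, while port-linux.h declares it with `(void)`; the definition should use `(void)` as well so the two match as prototypes.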
Attachments on bug 2625: 2880 | 2883 | 2941