sharpetronics/strongswan
1
0
Fork 0
mirror of https://github.com/strongswan/strongswan.git synced 2025-12-08 00:00:29 -05:00
Code Issues Projects Releases Wiki Activity

Allow charon to change group on files before dropping caps

Browse Source 
Allow charon to start as a non-root user without CAP_CHOWN and still be
able to change the group on files that need to be accessed by charon
after capabilities have been dropped. This requires the user charon starts
as to have access to socket/pidfile directory as well as belong to the
group that charon will run as after dropping capabilities.

Closes strongswan/strongswan#105.
This commit is contained in:
Micah Morton 2018-06-08 11:55:30 -07:00 committed by Tobias Brunner
parent 1331010aa4
commit 4f1d2f2b09
2 changed files with 32 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
src/charon/charon.c
View File

@ -231,15 +231,24 @@ static bool check_pidfile()
DBG1(DBG_LIB, "setting FD_CLOEXEC for '"PID_FILE"' failed: %s",
strerror(errno));
}
/* Only fchown() the pidfile if we have CAP_CHOWN. Otherwise,
* directory permissions should allow pidfile to be accessed
* by the UID/GID under which the charon daemon will run. */
/* Only change owner of the pidfile if we have CAP_CHOWN. Otherwise,
* attempt to change group of pidfile to group under which charon
* runs after dropping caps. This requires the user that charon
* starts as to:
* a) Have write access to the socket dir.
* b) Belong to the group that charon will run under after dropping
* caps. */
if (lib->caps->check(lib->caps, CAP_CHOWN))
{
ignore_result(fchown(fd,
lib->caps->get_uid(lib->caps),
lib->caps->get_gid(lib->caps)));
}
else
{
ignore_result(fchown(fd, -1,
lib->caps->get_gid(lib->caps)));
}
fprintf(pidfile, "%d\n", getpid());
fflush(pidfile);
return FALSE;

26
src/libstrongswan/networking/streams/stream_service_unix.c
View File

@ -59,13 +59,27 @@ stream_service_t *stream_service_create_unix(char *uri, int backlog)
return NULL;
}
umask(old);
/* only attempt to chown() socket if we have CAP_CHOWN */
if (lib->caps->check(lib->caps, CAP_CHOWN) &&
chown(addr.sun_path, lib->caps->get_uid(lib->caps),
lib->caps->get_gid(lib->caps)) != 0)
/* Only attempt to change owner of socket if we have CAP_CHOWN. Otherwise,
* attempt to change group of socket to group under which charon runs after
* dropping caps. This requires the user that charon starts as to:
* a) Have write access to the socket dir.
* b) Belong to the group that charon will run under after dropping caps. */
if (lib->caps->check(lib->caps, CAP_CHOWN))
{
DBG1(DBG_NET, "changing socket permissions for '%s' failed: %s",
uri, strerror(errno));
if (chown(addr.sun_path, lib->caps->get_uid(lib->caps),
lib->caps->get_gid(lib->caps)) != 0)
{
DBG1(DBG_NET, "changing socket owner/group for '%s' failed: %s",
uri, strerror(errno));
}
}
else
{
if (chown(addr.sun_path, -1, lib->caps->get_gid(lib->caps)) != 0)
{
DBG1(DBG_NET, "changing socket group for '%s' failed: %s",
uri, strerror(errno));
}
}
if (listen(fd, backlog) < 0)
{