diff -up iputils-s20101006/Makefile.drop_caps iputils-s20101006/Makefile
--- iputils-s20101006/Makefile.drop_caps 2010-11-08 09:31:42.000000000 +0100
+++ iputils-s20101006/Makefile 2010-11-08 09:34:26.858580455 +0100
@@ -13,7 +13,7 @@ ADDLIB=
CC=gcc
# What a pity, all new gccs are buggy and -Werror does not work. Sigh.
CCOPT=-Wstrict-prototypes -fno-strict-aliasing -Werror
-DEFINES += -D_GNU_SOURCE
+DEFINES += -D_GNU_SOURCE -DHAVE_CAPABILITIES
CFLAGS += $(RPM_OPT_FLAGS) $(CCOPT) $(GLIBCFIX) $(DEFINES)
IPV4_TARGETS=tracepath ping clockdiff rdisc arping tftpd rarpd
@@ -30,10 +30,10 @@ tftpd: tftpd.o tftpsubs.o
arping: arping.o
ping: ping.o ping_common.o
- $(CC) $(CFLAGS) $(LDFLAGS) ping.o ping_common.o -lidn -o ping
+ $(CC) $(CFLAGS) $(LDFLAGS) ping.o ping_common.o -lidn -lcap -o ping
ping6: ping6.o ping_common.o
- $(CC) $(CFLAGS) $(LDFLAGS) ping6.o ping_common.o -lresolv -lcrypto -o ping6
+ $(CC) $(CFLAGS) $(LDFLAGS) ping6.o ping_common.o -lresolv -lcrypto -lcap -o ping6
ping.o ping6.o ping_common.o: ping_common.h in6_flowlabel.h
tftpd.o tftpsubs.o: tftp.h
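Review bot: The `-lcap` flag on the ping and ping6 link lines is unconditional, while the calls it satisfies are guarded by `#ifdef HAVE_CAPABILITIES` in the C sources and the define itself is hard-coded into DEFINES in the first hunk; a build that removes `-DHAVE_CAPABILITIES` would still fail to link without libcap installed. Tying both to one Makefile variable keeps them in step, e.g. `CAPLIBS=-lcap` declared next to the DEFINES line and `... ping.o ping_common.o -lidn $(CAPLIBS) -o ping` on each link line. A one-line comment above that variable, `# libcap: ping/ping6 drop all capabilities right after opening the raw socket`, would record why the extra library is required.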
diff -up iputils-s20101006/ping6.c.drop_caps iputils-s20101006/ping6.c
--- iputils-s20101006/ping6.c.drop_caps 2010-11-08 09:31:42.120827826 +0100
+++ iputils-s20101006/ping6.c 2010-11-08 09:31:42.125837869 +0100
@@ -73,6 +73,10 @@ char copyright[] =
#include <netinet/icmp6.h>
#include <resolv.h>
+#ifdef HAVE_CAPABILITIES
+#include <sys/capability.h>
+#endif
+
#include "ping6_niquery.h"
#include "in6_flowlabel.h"
@@ -533,10 +537,22 @@ int main(int argc, char *argv[])
int csum_offset, sz_opt;
#endif
static uint32_t scope_id = 0;
+#ifdef HAVE_CAPABILITIES
+ cap_t caps;
+#endif
icmp_sock = socket(AF_INET6, SOCK_RAW, IPPROTO_ICMPV6);
socket_errno = errno;
+#ifdef HAVE_CAPABILITIES
+ /* drop all capabilities unconditionally so even root isn't special anymore */
+ caps = cap_init();
+ if (cap_set_proc(caps) < 0) {
+ perror("ping: cap_set_proc");
+ exit(-1);
+ }
+#endif
+
uid = getuid();
if (setuid(uid)) {
perror("ping: setuid");
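Review bot: `cap_init()` can return NULL on allocation failure and its result goes straight into `cap_set_proc()` without a check, and the allocated cap_t is never released with `cap_free()`; the identical block in the ping.c hunk has the same two gaps. Guarding the allocation keeps the reported error honest and closes the leak: `if (caps == NULL || cap_set_proc(caps) < 0) { perror("ping: cap_set_proc"); exit(-1); }` followed by `cap_free(caps);`. `exit(-1)` produces an exit status of 255; if the neighbouring setup failures (the `setuid` path continues past the end of this hunk) use a small positive status, the same value here would keep them consistent. The placement — emptying the capability set only after the raw ICMP socket exists, so the socket keeps working while the process has nothing left to escalate with — is the security property of the change and is worth stating in the comment, e.g. `/* raw socket is open: clear every capability so neither setuid-root nor file caps leave anything behind */`.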
diff -up iputils-s20101006/ping.c.drop_caps iputils-s20101006/ping.c
--- iputils-s20101006/ping.c.drop_caps 2010-11-08 09:31:42.096854873 +0100
+++ iputils-s20101006/ping.c 2010-11-08 09:31:42.127870437 +0100
@@ -66,6 +66,10 @@ char copyright[] =
#include <netinet/ip.h>
#include <netinet/ip_icmp.h>
+#ifdef HAVE_CAPABILITIES
+#include <sys/capability.h>
+#endif
+
#ifndef ICMP_FILTER
#define ICMP_FILTER 1
struct icmp_filter {
@@ -125,6 +129,9 @@ main(int argc, char **argv)
u_char *packet;
char *target, hnamebuf[MAX_HOSTNAMELEN];
char rspace[3 + 4 * NROUTES + 1]; /* record route space */
+#ifdef HAVE_CAPABILITIES
+ cap_t caps;
+#endif
char *idn;
int rc = 0;
@@ -133,6 +140,15 @@ main(int argc, char **argv)
icmp_sock = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
socket_errno = errno;
+#ifdef HAVE_CAPABILITIES
+ /* drop all capabilities unconditionally so even root isn't special anymore */
+ caps = cap_init();
+ if (cap_set_proc(caps) < 0) {
+ perror("ping: cap_set_proc");
+ exit(-1);
+ }
+#endif
+
uid = getuid();
if (setuid(uid)) {
perror("ping: setuid");