diff -up iputils-s20101006/Makefile.drop_caps iputils-s20101006/Makefile --- iputils-s20101006/Makefile.drop_caps 2010-11-08 14:49:53.334577997 +0100 +++ iputils-s20101006/Makefile 2010-11-08 14:49:53.342599113 +0100 @@ -13,7 +13,7 @@ ADDLIB= CC=gcc # What a pity, all new gccs are buggy and -Werror does not work. Sigh. CCOPT=-Wstrict-prototypes -fno-strict-aliasing -Werror -DEFINES += -D_GNU_SOURCE +DEFINES += -D_GNU_SOURCE -DHAVE_CAPABILITIES CFLAGS += $(RPM_OPT_FLAGS) $(CCOPT) $(GLIBCFIX) $(DEFINES) IPV4_TARGETS=tracepath ping clockdiff rdisc arping tftpd rarpd @@ -30,10 +30,10 @@ tftpd: tftpd.o tftpsubs.o arping: arping.o ping: ping.o ping_common.o - $(CC) $(CFLAGS) $(LDFLAGS) ping.o ping_common.o -lidn -o ping + $(CC) $(CFLAGS) $(LDFLAGS) ping.o ping_common.o -lidn -lcap -o ping ping6: ping6.o ping_common.o - $(CC) $(CFLAGS) $(LDFLAGS) ping6.o ping_common.o -lresolv -lcrypto -o ping6 + $(CC) $(CFLAGS) $(LDFLAGS) ping6.o ping_common.o -lresolv -lcrypto -lcap -o ping6 ping.o ping6.o ping_common.o: ping_common.h in6_flowlabel.h tftpd.o tftpsubs.o: tftp.h diff -up iputils-s20101006/ping6.c.drop_caps iputils-s20101006/ping6.c --- iputils-s20101006/ping6.c.drop_caps 2010-11-08 14:49:53.338587611 +0100 +++ iputils-s20101006/ping6.c 2010-12-15 16:06:16.949794002 +0100 @@ -73,6 +73,10 @@ char copyright[] = #include #include +#ifdef HAVE_CAPABILITIES +#include +#endif + #include "ping6_niquery.h" #include "in6_flowlabel.h" @@ -533,6 +537,9 @@ int main(int argc, char *argv[]) int csum_offset, sz_opt; #endif static uint32_t scope_id = 0; +#ifdef HAVE_CAPABILITIES + cap_t caps; +#endif icmp_sock = socket(AF_INET6, SOCK_RAW, IPPROTO_ICMPV6); socket_errno = errno; @@ -543,6 +550,16 @@ int main(int argc, char *argv[]) exit(-1); } +#ifdef HAVE_CAPABILITIES + /* drop all capabilities unconditionally so even root isn't special anymore */ + caps = cap_init(); + if (cap_set_proc(caps) < 0) { + perror("ping: cap_set_proc"); + exit(-1); + } + cap_free(caps); +#endif + source.sin6_family = AF_INET6; memset(&firsthop, 0, sizeof(firsthop)); firsthop.sin6_family = AF_INET6; diff -up iputils-s20101006/ping.c.drop_caps iputils-s20101006/ping.c --- iputils-s20101006/ping.c.drop_caps 2010-11-08 14:49:53.314577272 +0100 +++ iputils-s20101006/ping.c 2010-12-15 16:05:52.113794002 +0100 @@ -66,6 +66,10 @@ char copyright[] = #include #include +#ifdef HAVE_CAPABILITIES +#include +#endif + #ifndef ICMP_FILTER #define ICMP_FILTER 1 struct icmp_filter { @@ -125,6 +129,9 @@ main(int argc, char **argv) u_char *packet; char *target, hnamebuf[MAX_HOSTNAMELEN]; char rspace[3 + 4 * NROUTES + 1]; /* record route space */ +#ifdef HAVE_CAPABILITIES + cap_t caps; +#endif char *idn; int rc = 0; @@ -139,6 +146,16 @@ main(int argc, char **argv) exit(-1); } +#ifdef HAVE_CAPABILITIES + /* drop all capabilities unconditionally so even root isn't special anymore */ + caps = cap_init(); + if (cap_set_proc(caps) < 0) { + perror("ping: cap_set_proc"); + exit(-1); + } + cap_free(caps); +#endif + source.sin_family = AF_INET; preload = 1;