Changeset 423 for branches/samba-3.3.x/source
- Timestamp:
- Mar 9, 2010, 7:58:12 AM (15 years ago)
- Location:
- branches/samba-3.3.x/source
- Files:
-
- 4 edited
-
VERSION (modified) (1 diff)
-
include/smb.h (modified) (1 diff)
-
lib/system.c (modified) (4 diffs)
-
smbd/server.c (modified) (1 diff)
Legend:
- Unmodified
- Added
- Removed
-
branches/samba-3.3.x/source/VERSION
r411 r423 26 26 SAMBA_VERSION_MAJOR=3 27 27 SAMBA_VERSION_MINOR=3 28 SAMBA_VERSION_RELEASE=1 128 SAMBA_VERSION_RELEASE=12 29 29 30 30 ######################################################## -
branches/samba-3.3.x/source/include/smb.h
r411 r423 1685 1685 KERNEL_OPLOCK_CAPABILITY, 1686 1686 DMAPI_ACCESS_CAPABILITY, 1687 LEASE_CAPABILITY, 1688 KILL_CAPABILITY 1687 LEASE_CAPABILITY 1689 1688 }; 1690 1689 -
branches/samba-3.3.x/source/lib/system.c
r411 r423 708 708 #if defined(HAVE_POSIX_CAPABILITIES) 709 709 710 /* This define hasn't made it into the glibc capabilities header yet. */711 #ifndef SECURE_NO_SETUID_FIXUP712 #define SECURE_NO_SETUID_FIXUP 2713 #endif714 715 710 /************************************************************************** 716 711 Try and abstract process capabilities (for systems that have them). … … 743 738 #endif 744 739 745 #if defined(HAVE_PRCTL) && defined(PR_SET_SECUREBITS) && defined(SECURE_NO_SETUID_FIXUP)746 /* New way of setting capabilities as "sticky". */747 748 /*749 * Use PR_SET_SECUREBITS to prevent setresuid()750 * atomically dropping effective capabilities on751 * uid change. Only available in Linux kernels752 * 2.6.26 and above.753 *754 * See here:755 * http://www.kernel.org/doc/man-pages/online/pages/man7/capabilities.7.html756 * for details.757 *758 * Specifically the CAP_KILL capability we need759 * to allow Linux threads under different euids760 * to send signals to each other.761 */762 763 if (prctl(PR_SET_SECUREBITS, 1 << SECURE_NO_SETUID_FIXUP)) {764 DEBUG(0,("set_process_capability: "765 "prctl PR_SET_SECUREBITS failed with error %s\n",766 strerror(errno) ));767 return false;768 }769 #endif770 771 740 cap = cap_get_proc(); 772 741 if (cap == NULL) { … … 797 766 #endif 798 767 break; 799 case KILL_CAPABILITY:800 #ifdef CAP_KILL801 cap_vals[num_cap_vals++] = CAP_KILL;802 #endif803 break;804 768 } 805 769 … … 811 775 } 812 776 813 /* 814 * Ensure the capability is effective. We assume that as a root 815 * process it's always permitted. 816 */ 817 818 if (cap_set_flag(cap, CAP_EFFECTIVE, num_cap_vals, cap_vals, 819 enable ? CAP_SET : CAP_CLEAR) == -1) { 820 DEBUG(0, ("set_process_capability: cap_set_flag effective " 821 "failed (%d): %s\n", 822 (int)capability, 823 strerror(errno))); 824 cap_free(cap); 825 return false; 826 } 777 cap_set_flag(cap, CAP_EFFECTIVE, num_cap_vals, cap_vals, 778 enable ? CAP_SET : CAP_CLEAR); 827 779 828 780 /* We never want to pass capabilities down to our children, so make 829 781 * sure they are not inherited. 830 782 */ 831 if (cap_set_flag(cap, CAP_INHERITABLE, num_cap_vals, 832 cap_vals, CAP_CLEAR) == -1) { 833 DEBUG(0, ("set_process_capability: cap_set_flag inheritable " 834 "failed (%d): %s\n", 835 (int)capability, 836 strerror(errno))); 837 cap_free(cap); 838 return false; 839 } 783 cap_set_flag(cap, CAP_INHERITABLE, num_cap_vals, cap_vals, CAP_CLEAR); 840 784 841 785 if (cap_set_proc(cap) == -1) { 842 DEBUG(0, ("set_process_capability: cap_set_flag (%d) failed: %s\n", 843 (int)capability, 786 DEBUG(0, ("set_process_capability: cap_set_proc failed: %s\n", 844 787 strerror(errno))); 845 788 cap_free(cap); -
branches/samba-3.3.x/source/smbd/server.c
r411 r423 1248 1248 gain_root_group_privilege(); 1249 1249 1250 /*1251 * Ensure we have CAP_KILL capability set on Linux,1252 * where we need this to communicate with threads.1253 * This is inherited by new threads, but not by new1254 * processes across exec().1255 */1256 set_effective_capability(KILL_CAPABILITY);1257 1258 1250 fault_setup((void (*)(void *))exit_server_fault); 1259 1251 dump_core_setup("smbd");
Note:
See TracChangeset
for help on using the changeset viewer.
