Changeset 427 for vendor/current/source3/lib/system.c

Timestamp:

Apr 9, 2010, 3:20:58 PM (15 years ago)

Author:

Silvan Scherrer

Message:

Samba 3.5.x: update to 3.5.2

File:

• vendor/current/source3/lib/system.c (modified) (4 diffs)

vendor/current/source3/lib/system.c

@@ -884 +884 @@
 #if defined(HAVE_POSIX_CAPABILITIES)
 
-/* This define hasn't made it into the glibc capabilities header yet. */
-#ifndef SECURE_NO_SETUID_FIXUP
-#define SECURE_NO_SETUID_FIXUP          2
-#endif
-
 /**************************************************************************
  Try and abstract process capabilities (for systems that have them).
@@ -919 +914 @@
 #endif
 
-#if defined(HAVE_PRCTL) && defined(PR_SET_SECUREBITS) && defined(SECURE_NO_SETUID_FIXUP)
-        /* New way of setting capabilities as "sticky". */
-
-        /*
-         * Use PR_SET_SECUREBITS to prevent setresuid()
-         * atomically dropping effective capabilities on
-         * uid change. Only available in Linux kernels
-         * 2.6.26 and above.
-         *
-         * See here:
-         * http://www.kernel.org/doc/man-pages/online/pages/man7/capabilities.7.html
-         * for details.
-         *
-         * Specifically the CAP_KILL capability we need
-         * to allow Linux threads under different euids
-         * to send signals to each other.
-         */
-
-        if (prctl(PR_SET_SECUREBITS, 1 << SECURE_NO_SETUID_FIXUP)) {
-                DEBUG(0,("set_process_capability: "
-                        "prctl PR_SET_SECUREBITS failed with error %s\n",
-                        strerror(errno) ));
-                return false;
-        }
-#endif
-
         cap = cap_get_proc();
         if (cap == NULL) {
@@ -973 +942 @@
 #endif
                         break;
-                case KILL_CAPABILITY:
-#ifdef CAP_KILL
-                        cap_vals[num_cap_vals++] = CAP_KILL;
-#endif
-                        break;
         }
 
@@ -987 +951 @@
         }
 
-        /*
-         * Ensure the capability is effective. We assume that as a root
-         * process it's always permitted.
-         */
-
-        if (cap_set_flag(cap, CAP_EFFECTIVE, num_cap_vals, cap_vals,
-                        enable ? CAP_SET : CAP_CLEAR) == -1) {
-                DEBUG(0, ("set_process_capability: cap_set_flag effective "
-                        "failed (%d): %s\n",
-                        (int)capability,
-                        strerror(errno)));
-                cap_free(cap);
-                return false;
-        }
+        cap_set_flag(cap, CAP_EFFECTIVE, num_cap_vals, cap_vals,
+                enable ? CAP_SET : CAP_CLEAR);
 
         /* We never want to pass capabilities down to our children, so make
          * sure they are not inherited.
          */
-        if (cap_set_flag(cap, CAP_INHERITABLE, num_cap_vals,
-                        cap_vals, CAP_CLEAR) == -1) {
-                DEBUG(0, ("set_process_capability: cap_set_flag inheritable "
-                        "failed (%d): %s\n",
-                        (int)capability,
-                        strerror(errno)));
-                cap_free(cap);
-                return false;
-        }
+        cap_set_flag(cap, CAP_INHERITABLE, num_cap_vals, cap_vals, CAP_CLEAR);
 
         if (cap_set_proc(cap) == -1) {
-                DEBUG(0, ("set_process_capability: cap_set_flag (%d) failed: %s\n",
-                        (int)capability,
+                DEBUG(0, ("set_process_capability: cap_set_proc failed: %s\n",
                         strerror(errno)));
                 cap_free(cap);