| author | hasso <hasso> | 2004-04-06 11:59:00 +0000 | 
|---|---|---|
| committer | hasso <hasso> | 2004-04-06 11:59:00 +0000 | 
| commit | 41d3fc96959c9dea614822dfbb1891cd9a6f38a4 (patch) | |
| tree | b493df69256ed58534ddd9a00a9a900f1ed80c6e | |
| parent | 4991f6ca305a325d1ec7a38eeb2a7cf8cf6d7f2d (diff) | |
* Fixed lowering privileges in proc ipforward method.
* Fixed "(no) ipv6 forwarding" command logic.
* Added --disable-capabilities switch to configure.
| -rw-r--r-- | ChangeLog | 6 | ||||
| -rwxr-xr-x | configure.ac | 34 | ||||
| -rw-r--r-- | zebra/ipforward_proc.c | 45 | ||||
| -rw-r--r-- | zebra/zserv.c | 16 | 
4 files changed, 68 insertions, 33 deletions
@@ -1,3 +1,9 @@
+2004-04-06 Hasso Tepper <hasso@estpak.ee>
+	
+	* zebra/ipforward_proc.c: Fixed lowering privileges.
+	* zebra/zserv.c: Fixed "(no) ipv6 forwarding" command logic.
+	* configure.ac: Added --disable-capabilities switch to configure.
+
 2004-03-22 Hasso Tepper <hasso@estpak.ee>
 	* Readded SIGTERM handling so daemons can clean up their stuff if they
diff --git a/configure.ac b/configure.ac
index 5f304db6..b55685ae 100755
--- a/configure.ac
+++ b/configure.ac
@@ -124,6 +124,8 @@ AC_ARG_ENABLE(logfile_mask,
 AC_ARG_ENABLE(rtadv,
 [  --disable-rtadv         disable IPV6 router advertisement feature])
+AC_ARG_ENABLE(capabilities,
+[  --disable-capabilities        disable using POSIX capabilities])
 if test "${enable_broken_aliases}" = "yes"; then
   if test "${enable_netlink}" = "yes"
@@ -970,22 +972,24 @@ AC_TRY_COMPILE([#include <sys/resource.h>
 dnl -------------------
 dnl capabilities checks
 dnl -------------------
-AC_MSG_CHECKING(whether prctl PR_SET_KEEPCAPS is available)
-AC_TRY_COMPILE([#include <sys/prctl.h>],[prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0);],
-  [AC_MSG_RESULT(yes)
-   AC_DEFINE(HAVE_PR_SET_KEEPCAPS,,prctl)
-   quagga_ac_keepcaps="yes"],
-   AC_MSG_RESULT(no)
-)
-if test x"${quagga_ac_keepcaps}" = x"yes"; then
-  AC_CHECK_HEADERS(sys/capability.h)
-fi
-if test x"${ac_cv_header_sys_capability_h}" = x"yes"; then
-  AC_CHECK_LIB(cap, cap_init, 
-    [AC_DEFINE(HAVE_LCAPS,1,Capabilities)
-     LIBCAP="-lcap"
-    ]
+if test "${enable_capabilities}" != "no"; then
+  AC_MSG_CHECKING(whether prctl PR_SET_KEEPCAPS is available)
+  AC_TRY_COMPILE([#include <sys/prctl.h>],[prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0);],
+    [AC_MSG_RESULT(yes)
+     AC_DEFINE(HAVE_PR_SET_KEEPCAPS,,prctl)
+     quagga_ac_keepcaps="yes"],
+     AC_MSG_RESULT(no)
   )
+  if test x"${quagga_ac_keepcaps}" = x"yes"; then
+    AC_CHECK_HEADERS(sys/capability.h)
+  fi
+  if test x"${ac_cv_header_sys_capability_h}" = x"yes"; then
+    AC_CHECK_LIB(cap, cap_init, 
+      [AC_DEFINE(HAVE_LCAPS,1,Capabilities)
+       LIBCAP="-lcap"
+      ]
+    )
+  fi
 fi
 AC_SUBST(LIBCAP)
diff --git a/zebra/ipforward_proc.c b/zebra/ipforward_proc.c
index befa2369..4c30cf67 100644
--- a/zebra/ipforward_proc.c
+++ b/zebra/ipforward_proc.c
@@ -81,16 +81,19 @@ ipforward_on ()
   fp = fopen (proc_ipv4_forwarding, "w");
-  if ( zserv_privs.change(ZPRIVS_LOWER) )
-  	zlog_err ("Can't lower privileges, %s", strerror (errno));
-    
-  if (fp == NULL)
+  if (fp == NULL) {
+    if ( zserv_privs.change(ZPRIVS_LOWER) )
+      zlog_err ("Can't lower privileges, %s", strerror (errno));
     return -1;
+  }
   fprintf (fp, "1\n");
   fclose (fp);
+  if ( zserv_privs.change(ZPRIVS_LOWER) )
+    zlog_err ("Can't lower privileges, %s", strerror (errno));
+
   return ipforward ();
 }
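Review bot: An explicit `--enable-capabilities` is handled exactly like the default in the new `if test "${enable_capabilities}" != "no"` block, so when the prctl or libcap probe fails the build silently goes ahead without HAVE_LCAPS. When the option was requested and the probe did not succeed, configure should stop, e.g. `test "${enable_capabilities}" = "yes" -a -z "${LIBCAP}" && AC_MSG_ERROR([capabilities requested but libcap is not usable])` placed after the inner `fi`. A short `dnl` comment above the block saying which privilege model the daemons use when capabilities are disabled would also help packagers; that fallback is not visible in this diff.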
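Review bot: A failed `zserv_privs.change(ZPRIVS_LOWER)` is only logged on both new paths in `ipforward_on`, so the function carries on and returns normally while the process may still hold raised privileges; that deserves an error return (or whatever fatal handling the project uses) rather than a log line. The lower call is now duplicated on the `fp == NULL` path and after `fclose`, and the results of `fprintf` and `fclose` are ignored, so a rejected write to the proc file goes unnoticed until `ipforward ()` re-reads the state. A single exit from the raised section, as sketched below, lowers exactly once and limits the raised window to open/write/close; it needs an `int wrote = 0;` next to the declaration of `fp`, which lies outside the hunk. The same applies to the `ipforward_off`, `ipforward_ipv6_on` and `ipforward_ipv6_off` hunks.

```c
  fp = fopen (proc_ipv4_forwarding, "w");
  if (fp != NULL)
    {
      /* Keep the raised window to open/write/close only. */
      wrote = (fprintf (fp, "1\n") > 0);
      if (fclose (fp) != 0)
        wrote = 0;
    }

  /* One place where privileges are lowered, on success and on failure. */
  if ( zserv_privs.change(ZPRIVS_LOWER) )
    {
      zlog_err ("Can't lower privileges, %s", strerror (errno));
      return -1;
    }

  if (! wrote)
    return -1;

  return ipforward ();
```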
@@ -104,17 +107,19 @@ ipforward_off ()
   fp = fopen (proc_ipv4_forwarding, "w");
-  if ( zserv_privs.change(ZPRIVS_LOWER) )
-  	zlog_err ("Can't lower privileges, %s", strerror (errno));
-
-  
-  if (fp == NULL)
+  if (fp == NULL) {
+    if ( zserv_privs.change(ZPRIVS_LOWER) )
+      zlog_err ("Can't lower privileges, %s", strerror (errno));
     return -1;
+  }
   fprintf (fp, "0\n");
   fclose (fp);
+  if ( zserv_privs.change(ZPRIVS_LOWER) )
+    zlog_err ("Can't lower privileges, %s", strerror (errno));
+
   return ipforward ();
 }
 #ifdef HAVE_IPV6
@@ -149,16 +154,19 @@ ipforward_ipv6_on ()
   fp = fopen (proc_ipv6_forwarding, "w");
-  if ( zserv_privs.change(ZPRIVS_LOWER) )
-  	zlog_err ("Can't lower privileges, %s", strerror (errno));
-  
-  if (fp == NULL)
+  if (fp == NULL) {
+    if ( zserv_privs.change(ZPRIVS_LOWER) )
+      zlog_err ("Can't lower privileges, %s", strerror (errno));
     return -1;
+  }
   fprintf (fp, "1\n");
   fclose (fp);
+  if ( zserv_privs.change(ZPRIVS_LOWER) )
+    zlog_err ("Can't lower privileges, %s", strerror (errno));
+
   return ipforward_ipv6 ();
 }
@@ -172,16 +180,19 @@ ipforward_ipv6_off ()
   fp = fopen (proc_ipv6_forwarding, "w");
-  if ( zserv_privs.change(ZPRIVS_LOWER) )
-  	zlog_err ("Can't lower privileges, %s", strerror (errno));
-  
-  if (fp == NULL)
+  if (fp == NULL) {
+    if ( zserv_privs.change(ZPRIVS_LOWER) )
+      zlog_err ("Can't lower privileges, %s", strerror (errno));
     return -1;
+  }
   fprintf (fp, "0\n");
   fclose (fp);
+  if ( zserv_privs.change(ZPRIVS_LOWER) )
+    zlog_err ("Can't lower privileges, %s", strerror (errno));
+
   return ipforward_ipv6 ();
 }
 #endif /* HAVE_IPV6 */
diff --git a/zebra/zserv.c b/zebra/zserv.c
index 833b369d..c623151e 100644
--- a/zebra/zserv.c
+++ b/zebra/zserv.c
@@ -1919,9 +1919,16 @@ DEFUN (ipv6_forwarding,
 {
   int ret;
-  ret = ipforward_ipv6_on ();
+  ret = ipforward_ipv6 ();
   if (ret != 0)
     {
+      vty_out (vty, "IPv6 forwarding is already on%s", VTY_NEWLINE);
+      return CMD_ERR_NOTHING_TODO;
+    }
+
+  ret = ipforward_ipv6_on ();
+  if (ret == 0)
+    {
       vty_out (vty, "Can't turn on IPv6 forwarding%s", VTY_NEWLINE);
       return CMD_WARNING;
     }
@@ -1938,6 +1945,13 @@ DEFUN (no_ipv6_forwarding,
 {
   int ret;
+  ret = ipforward_ipv6 ();
+  if (ret == 0)
+    {
+      vty_out (vty, "IP forwarding is already off%s", VTY_NEWLINE);
+      return CMD_ERR_NOTHING_TODO;
+    }
+
   ret = ipforward_ipv6_off ();
   if (ret != 0)
     {  |
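Review bot: The new failure test `if (ret == 0)` after `ipforward_ipv6_on ()` in `ipv6_forwarding` misses the error return: per the ipforward_proc.c hunks of this commit that function returns -1 when the proc file cannot be opened, and -1 passes this check, so the command would fall through as if forwarding had been enabled. Assuming `ipforward_ipv6 ()` yields a positive value only when forwarding is on (its body is not in this diff), `if (ret <= 0)` covers both cases. The earlier `if (ret != 0)` guard has the mirror problem if `ipforward_ipv6 ()` can itself return a negative value, since an error would then be reported as "already on"; `if (ret > 0)` would be safer there. The DEFUN body continues outside the hunk.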
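Review bot: The message added to `no_ipv6_forwarding` reads "IP forwarding is already off" while its counterpart in `ipv6_forwarding` reads "IPv6 forwarding is already on", so an operator cannot tell which address family the router is reporting on. Suggest `vty_out (vty, "IPv6 forwarding is already off%s", VTY_NEWLINE);`. The `ret == 0` test before it treats only an exact zero as off; if `ipforward_ipv6 ()` can return a negative error (not visible in this diff) the command proceeds to `ipforward_ipv6_off ()`, which looks harmless but is worth a one-line comment such as `/* a read error falls through and is retried by the write below */`.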
