summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--ChangeLog6
-rwxr-xr-xconfigure.ac34
-rw-r--r--zebra/ipforward_proc.c45
-rw-r--r--zebra/zserv.c16
4 files changed, 68 insertions, 33 deletions
diff --git a/ChangeLog b/ChangeLog
index 143df370..36c421f4 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2004-04-06 Hasso Tepper <hasso@estpak.ee>
+
+ * zebra/ipforward_proc.c: Fixed lowering privileges.
+ * zebra/zserv.c: Fixed "(no) ipv6 forwarding" command logic.
+ * configure.ac: Added --disable-capabilities switch to configure.
+
2004-03-22 Hasso Tepper <hasso@estpak.ee>
* Readded SIGTERM handling so daemons can clean up their stuff if they
diff --git a/configure.ac b/configure.ac
index 5f304db6..b55685ae 100755
--- a/configure.ac
+++ b/configure.ac
@@ -124,6 +124,8 @@ AC_ARG_ENABLE(logfile_mask,
AC_ARG_ENABLE(rtadv,
[ --disable-rtadv disable IPV6 router advertisement feature])
+AC_ARG_ENABLE(capabilities,
+[ --disable-capabilities disable using POSIX capabilities])
if test "${enable_broken_aliases}" = "yes"; then
if test "${enable_netlink}" = "yes"
@@ -970,22 +972,24 @@ AC_TRY_COMPILE([#include <sys/resource.h>
dnl -------------------
dnl capabilities checks
dnl -------------------
-AC_MSG_CHECKING(whether prctl PR_SET_KEEPCAPS is available)
-AC_TRY_COMPILE([#include <sys/prctl.h>],[prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0);],
- [AC_MSG_RESULT(yes)
- AC_DEFINE(HAVE_PR_SET_KEEPCAPS,,prctl)
- quagga_ac_keepcaps="yes"],
- AC_MSG_RESULT(no)
-)
-if test x"${quagga_ac_keepcaps}" = x"yes"; then
- AC_CHECK_HEADERS(sys/capability.h)
-fi
-if test x"${ac_cv_header_sys_capability_h}" = x"yes"; then
- AC_CHECK_LIB(cap, cap_init,
- [AC_DEFINE(HAVE_LCAPS,1,Capabilities)
- LIBCAP="-lcap"
- ]
+if test "${enable_capabilities}" != "no"; then
+ AC_MSG_CHECKING(whether prctl PR_SET_KEEPCAPS is available)
+ AC_TRY_COMPILE([#include <sys/prctl.h>],[prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0);],
+ [AC_MSG_RESULT(yes)
+ AC_DEFINE(HAVE_PR_SET_KEEPCAPS,,prctl)
+ quagga_ac_keepcaps="yes"],
+ AC_MSG_RESULT(no)
)
+ if test x"${quagga_ac_keepcaps}" = x"yes"; then
+ AC_CHECK_HEADERS(sys/capability.h)
+ fi
+ if test x"${ac_cv_header_sys_capability_h}" = x"yes"; then
+ AC_CHECK_LIB(cap, cap_init,
+ [AC_DEFINE(HAVE_LCAPS,1,Capabilities)
+ LIBCAP="-lcap"
+ ]
+ )
+ fi
fi
AC_SUBST(LIBCAP)
diff --git a/zebra/ipforward_proc.c b/zebra/ipforward_proc.c
index befa2369..4c30cf67 100644
--- a/zebra/ipforward_proc.c
+++ b/zebra/ipforward_proc.c
@@ -81,16 +81,19 @@ ipforward_on ()
fp = fopen (proc_ipv4_forwarding, "w");
- if ( zserv_privs.change(ZPRIVS_LOWER) )
- zlog_err ("Can't lower privileges, %s", strerror (errno));
-
- if (fp == NULL)
+ if (fp == NULL) {
+ if ( zserv_privs.change(ZPRIVS_LOWER) )
+ zlog_err ("Can't lower privileges, %s", strerror (errno));
return -1;
+ }
fprintf (fp, "1\n");
fclose (fp);
+ if ( zserv_privs.change(ZPRIVS_LOWER) )
+ zlog_err ("Can't lower privileges, %s", strerror (errno));
+
return ipforward ();
}
@@ -104,17 +107,19 @@ ipforward_off ()
fp = fopen (proc_ipv4_forwarding, "w");
- if ( zserv_privs.change(ZPRIVS_LOWER) )
- zlog_err ("Can't lower privileges, %s", strerror (errno));
-
-
- if (fp == NULL)
+ if (fp == NULL) {
+ if ( zserv_privs.change(ZPRIVS_LOWER) )
+ zlog_err ("Can't lower privileges, %s", strerror (errno));
return -1;
+ }
fprintf (fp, "0\n");
fclose (fp);
+ if ( zserv_privs.change(ZPRIVS_LOWER) )
+ zlog_err ("Can't lower privileges, %s", strerror (errno));
+
return ipforward ();
}
#ifdef HAVE_IPV6
@@ -149,16 +154,19 @@ ipforward_ipv6_on ()
fp = fopen (proc_ipv6_forwarding, "w");
- if ( zserv_privs.change(ZPRIVS_LOWER) )
- zlog_err ("Can't lower privileges, %s", strerror (errno));
-
- if (fp == NULL)
+ if (fp == NULL) {
+ if ( zserv_privs.change(ZPRIVS_LOWER) )
+ zlog_err ("Can't lower privileges, %s", strerror (errno));
return -1;
+ }
fprintf (fp, "1\n");
fclose (fp);
+ if ( zserv_privs.change(ZPRIVS_LOWER) )
+ zlog_err ("Can't lower privileges, %s", strerror (errno));
+
return ipforward_ipv6 ();
}
@@ -172,16 +180,19 @@ ipforward_ipv6_off ()
fp = fopen (proc_ipv6_forwarding, "w");
- if ( zserv_privs.change(ZPRIVS_LOWER) )
- zlog_err ("Can't lower privileges, %s", strerror (errno));
-
- if (fp == NULL)
+ if (fp == NULL) {
+ if ( zserv_privs.change(ZPRIVS_LOWER) )
+ zlog_err ("Can't lower privileges, %s", strerror (errno));
return -1;
+ }
fprintf (fp, "0\n");
fclose (fp);
+ if ( zserv_privs.change(ZPRIVS_LOWER) )
+ zlog_err ("Can't lower privileges, %s", strerror (errno));
+
return ipforward_ipv6 ();
}
#endif /* HAVE_IPV6 */
diff --git a/zebra/zserv.c b/zebra/zserv.c
index 833b369d..c623151e 100644
--- a/zebra/zserv.c
+++ b/zebra/zserv.c
@@ -1919,9 +1919,16 @@ DEFUN (ipv6_forwarding,
{
int ret;
- ret = ipforward_ipv6_on ();
+ ret = ipforward_ipv6 ();
if (ret != 0)
{
+ vty_out (vty, "IPv6 forwarding is already on%s", VTY_NEWLINE);
+ return CMD_ERR_NOTHING_TODO;
+ }
+
+ ret = ipforward_ipv6_on ();
+ if (ret == 0)
+ {
vty_out (vty, "Can't turn on IPv6 forwarding%s", VTY_NEWLINE);
return CMD_WARNING;
}
@@ -1938,6 +1945,13 @@ DEFUN (no_ipv6_forwarding,
{
int ret;
+ ret = ipforward_ipv6 ();
+ if (ret == 0)
+ {
+ vty_out (vty, "IP forwarding is already off%s", VTY_NEWLINE);
+ return CMD_ERR_NOTHING_TODO;
+ }
+
ret = ipforward_ipv6_off ();
if (ret != 0)
{