From 41d3fc96959c9dea614822dfbb1891cd9a6f38a4 Mon Sep 17 00:00:00 2001 From: hasso Date: Tue, 6 Apr 2004 11:59:00 +0000 Subject: * Fixed lowering privileges in proc ipforward method. * Fixed "(no) ipv6 forwarding" command logic. * Added --disable-capabilities switch to configure. --- ChangeLog | 6 ++++++ configure.ac | 34 +++++++++++++++++++--------------- zebra/ipforward_proc.c | 45 ++++++++++++++++++++++++++++----------------- zebra/zserv.c | 16 +++++++++++++++- 4 files changed, 68 insertions(+), 33 deletions(-) diff --git a/ChangeLog b/ChangeLog index 143df370..36c421f4 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,9 @@ +2004-04-06 Hasso Tepper + + * zebra/ipforward_proc.c: Fixed lowering privileges. + * zebra/zserv.c: Fixed "(no) ipv6 forwarding" command logic. + * configure.ac: Added --disable-capabilities switch to configure. + 2004-03-22 Hasso Tepper * Readded SIGTERM handling so daemons can clean up their stuff if they diff --git a/configure.ac b/configure.ac index 5f304db6..b55685ae 100755 --- a/configure.ac +++ b/configure.ac @@ -124,6 +124,8 @@ AC_ARG_ENABLE(logfile_mask, AC_ARG_ENABLE(rtadv, [ --disable-rtadv disable IPV6 router advertisement feature]) +AC_ARG_ENABLE(capabilities, +[ --disable-capabilities disable using POSIX capabilities]) if test "${enable_broken_aliases}" = "yes"; then if test "${enable_netlink}" = "yes" 
@@ -970,22 +972,24 @@ AC_TRY_COMPILE([#include dnl ------------------- dnl capabilities checks dnl ------------------- -AC_MSG_CHECKING(whether prctl PR_SET_KEEPCAPS is available) -AC_TRY_COMPILE([#include ],[prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0);], - [AC_MSG_RESULT(yes) - AC_DEFINE(HAVE_PR_SET_KEEPCAPS,,prctl) - quagga_ac_keepcaps="yes"], - AC_MSG_RESULT(no) -) -if test x"${quagga_ac_keepcaps}" = x"yes"; then - AC_CHECK_HEADERS(sys/capability.h) -fi -if test x"${ac_cv_header_sys_capability_h}" = x"yes"; then - AC_CHECK_LIB(cap, cap_init, - [AC_DEFINE(HAVE_LCAPS,1,Capabilities) - LIBCAP="-lcap" - ] +if test "${enable_capabilities}" != "no"; then + AC_MSG_CHECKING(whether prctl PR_SET_KEEPCAPS is available) + AC_TRY_COMPILE([#include ],[prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0);], + [AC_MSG_RESULT(yes) + AC_DEFINE(HAVE_PR_SET_KEEPCAPS,,prctl) + quagga_ac_keepcaps="yes"], + AC_MSG_RESULT(no) ) + if test x"${quagga_ac_keepcaps}" = x"yes"; then + AC_CHECK_HEADERS(sys/capability.h) + fi + if test x"${ac_cv_header_sys_capability_h}" = x"yes"; then + AC_CHECK_LIB(cap, cap_init, + [AC_DEFINE(HAVE_LCAPS,1,Capabilities) + LIBCAP="-lcap" + ] + ) + fi fi AC_SUBST(LIBCAP) diff --git a/zebra/ipforward_proc.c b/zebra/ipforward_proc.c index befa2369..4c30cf67 100644 --- a/zebra/ipforward_proc.c +++ b/zebra/ipforward_proc.c @@ -81,16 +81,19 @@ ipforward_on () fp = fopen (proc_ipv4_forwarding, "w"); - if ( zserv_privs.change(ZPRIVS_LOWER) ) - zlog_err ("Can't lower privileges, %s", strerror (errno)); - - if (fp == NULL) + if (fp == NULL) { + if ( zserv_privs.change(ZPRIVS_LOWER) ) + zlog_err ("Can't lower privileges, %s", strerror (errno)); return -1; + } fprintf (fp, "1\n"); fclose (fp); + if ( zserv_privs.change(ZPRIVS_LOWER) ) + zlog_err ("Can't lower privileges, %s", strerror (errno)); + return ipforward (); } 
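Review bot: The `--disable-capabilities` path through the capabilities checks is silent. When `enable_capabilities` is `no`, none of the checks run, so `HAVE_PR_SET_KEEPCAPS` and `HAVE_LCAPS` are never defined and configure prints nothing about it. Because this switch changes how the daemons hold and drop privileges, I would add a comment above the `if`, for example `dnl --disable-capabilities skips these checks; privilege handling then uses the non-capability code path`, and name the fallback in the help string. What that fallback actually is cannot be seen in this diff, so the wording needs confirming against the privilege code.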
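Review bot: In ipforward_on a failed `zserv_privs.change(ZPRIVS_LOWER)` is still only logged, on both the `fp == NULL` path and the new path after `fclose`, so the function returns normally while the process may still be running with raised privileges. Consider whether callers should see that as an error rather than just a log line. The write itself is also unchecked: a proc write error normally surfaces at close time, so I would change the close to `if (fclose (fp) != 0) zlog_err ("Can't write %s, %s", proc_ipv4_forwarding, strerror (errno));` and keep the trailing `ipforward ()` re-read as the returned state. The same points apply to the hunks for ipforward_off, ipforward_ipv6_on and ipforward_ipv6_off. The raise call and the start of each function are outside the hunks.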
@@ -104,17 +107,19 @@ ipforward_off () fp = fopen (proc_ipv4_forwarding, "w"); - if ( zserv_privs.change(ZPRIVS_LOWER) ) - zlog_err ("Can't lower privileges, %s", strerror (errno)); - - - if (fp == NULL) + if (fp == NULL) { + if ( zserv_privs.change(ZPRIVS_LOWER) ) + zlog_err ("Can't lower privileges, %s", strerror (errno)); return -1; + } fprintf (fp, "0\n"); fclose (fp); + if ( zserv_privs.change(ZPRIVS_LOWER) ) + zlog_err ("Can't lower privileges, %s", strerror (errno)); + return ipforward (); } #ifdef HAVE_IPV6 @@ -149,16 +154,19 @@ ipforward_ipv6_on () fp = fopen (proc_ipv6_forwarding, "w"); - if ( zserv_privs.change(ZPRIVS_LOWER) ) - zlog_err ("Can't lower privileges, %s", strerror (errno)); - - if (fp == NULL) + if (fp == NULL) { + if ( zserv_privs.change(ZPRIVS_LOWER) ) + zlog_err ("Can't lower privileges, %s", strerror (errno)); return -1; + } fprintf (fp, "1\n"); fclose (fp); + if ( zserv_privs.change(ZPRIVS_LOWER) ) + zlog_err ("Can't lower privileges, %s", strerror (errno)); + return ipforward_ipv6 (); } @@ -172,16 +180,19 @@ ipforward_ipv6_off () fp = fopen (proc_ipv6_forwarding, "w"); - if ( zserv_privs.change(ZPRIVS_LOWER) ) - zlog_err ("Can't lower privileges, %s", strerror (errno)); - - if (fp == NULL) + if (fp == NULL) { + if ( zserv_privs.change(ZPRIVS_LOWER) ) + zlog_err ("Can't lower privileges, %s", strerror (errno)); return -1; + } fprintf (fp, "0\n"); fclose (fp); + if ( zserv_privs.change(ZPRIVS_LOWER) ) + zlog_err ("Can't lower privileges, %s", strerror (errno)); + return ipforward_ipv6 (); } #endif /* HAVE_IPV6 */ diff --git a/zebra/zserv.c b/zebra/zserv.c index 833b369d..c623151e 100644 --- a/zebra/zserv.c +++ b/zebra/zserv.c 
@@ -1919,8 +1919,15 @@ DEFUN (ipv6_forwarding, { int ret; - ret = ipforward_ipv6_on (); + ret = ipforward_ipv6 (); if (ret != 0) + { + vty_out (vty, "IPv6 forwarding is already on%s", VTY_NEWLINE); + return CMD_ERR_NOTHING_TODO; + } + + ret = ipforward_ipv6_on (); + if (ret == 0) { vty_out (vty, "Can't turn on IPv6 forwarding%s", VTY_NEWLINE); return CMD_WARNING; @@ -1938,6 +1945,13 @@ DEFUN (no_ipv6_forwarding, { int ret; + ret = ipforward_ipv6 (); + if (ret == 0) + { + vty_out (vty, "IP forwarding is already off%s", VTY_NEWLINE); + return CMD_ERR_NOTHING_TODO; + } + ret = ipforward_ipv6_off (); if (ret != 0) { -- cgit v1.2.1
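Review bot: The new `if (ret == 0)` after `ipforward_ipv6_on ()` lets the failure value through. Per the ipforward_proc.c part of this commit, ipforward_ipv6_on returns -1 when the proc file cannot be opened, and -1 is not 0, so the command reports success without having changed anything. `if (ret <= 0)` would cover both "still off" and "could not write", assuming ipforward_ipv6 returns a positive value when forwarding is on. The earlier `if (ret != 0)` has the same weakness: a negative return from ipforward_ipv6 on a read failure, if it has one (not visible here), would be reported as "already on". The DEFUN body continues outside the hunk.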
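Review bot: The message added in no_ipv6_forwarding says `IP forwarding is already off`, but the command and its sibling message are about IPv6. It should read `vty_out (vty, "IPv6 forwarding is already off%s", VTY_NEWLINE);`. The `ret == 0` test also treats only an exact 0 as off, so a negative error return from ipforward_ipv6, if it has one, would fall through to the write. That function is not visible in this diff.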