authorAndrew G. Morgan <morgan@kernel.org>2008-11-10 18:00:28 -0800
committerAndrew G. Morgan <morgan@kernel.org>2008-11-10 18:00:28 -0800
commit1b5fb7eb0d8737e961ded5ce731d7f10a26da8f1 (patch)
treede11d77db28e0c1ee060cf50175a891986f725df
parent7d068bbe81977dd1354605003bb8ae91127d0253 (diff)
Makefile tweaks mostly
Add rule to build HTML; add LIBATTR=no makefile support for not including filesystem support; comment cleanup for cap_file.c. Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
-rw-r--r--Make.Rules1
-rw-r--r--README5
-rw-r--r--doc/Makefile11
-rw-r--r--libcap/Makefile10
-rw-r--r--libcap/cap_file.c2
-rw-r--r--progs/Makefile8
-rwxr-xr-xprogs/quicktest.sh20
7 files changed, 49 insertions, 8 deletions
diff --git a/Make.Rules b/Make.Rules
index 73bfae9..a778cd9 100644
--- a/Make.Rules
+++ b/Make.Rules
@@ -66,6 +66,7 @@ CFLAGS += -Dlinux $(WARNINGS) $(DEBUG) $(IPATH)
PAM_CAP := $(shell if [ -f /usr/include/security/pam_modules.h ]; then echo yes ; else echo no ; fi)
INDENT := $(shell if [ -z "$(which ident 2>/dev/null)" ]; then echo "| indent -kr" ; fi)
DYNAMIC := $(shell if [ ! -d "$(topdir)/.git" ]; then echo yes; fi)
+LIBATTR := yes
# Global cleanup stuff
diff --git a/README b/README
index 7acef10..b4740f0 100644
--- a/README
+++ b/README
@@ -1,4 +1,3 @@
-
This is a library for getting and setting POSIX.1e (formerly POSIX 6)
draft 15 capabilities.
@@ -8,7 +7,7 @@ This library would not have been possible without the help of
More information on capabilities in the Linux kernel can be found at
- http://linux.kernel.org/pub/linux/libs/security/linux-privs/
+ http://sites.google.com/site/fullycapable/
# INSTALLATION
@@ -18,7 +17,7 @@ More information on capabilities in the Linux kernel can be found at
Linux-Caps % make install
- installs the library libcap.XX.Y in /lib/
+ installs the library libcap.XX.Y in /lib[64]/
the binaries in /sbin/
the <sys/capability.h> file in /usr/include
diff --git a/doc/Makefile b/doc/Makefile
index eb4b6a8..ba5ee92 100644
--- a/doc/Makefile
+++ b/doc/Makefile
@@ -18,6 +18,15 @@ MANS = $(MAN3S) $(MAN8S)
all: $(MANS)
+.PHONY: html
+html:
+ mkdir -p html
+ for man in $(MANS) ; \
+ do \
+ egrep '^\.so man' $$man > /dev/null || \
+ groff -man -Thtml $$man > html/$$man.html ; \
+ done
+
install:
mkdir -p -m 755 $(MANDIR)/man3 $(MANDIR)/man8
for man in \
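Review bot: In the new `html` recipe a groff failure goes unreported unless it happens on the last page, because the `for` loop's exit status is that of its final iteration, and the `>` redirection leaves a truncated `html/$$man.html` behind. Ending the conversion line with `groff -man -Thtml $$man > html/$$man.html || exit 1 ; \` makes the target stop at the first page that fails to convert. A one-line comment above the `egrep`, such as `# pages that are only a ".so man..." redirect are skipped`, would explain why some entries of `$(MANS)` produce no HTML. The `install` rule that follows continues outside the hunk.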
@@ -33,4 +42,6 @@ install:
clean:
$(LOCALCLEAN)
+ rm -rf html
+
diff --git a/libcap/Makefile b/libcap/Makefile
index 6b7fcf2..a47e672 100644
--- a/libcap/Makefile
+++ b/libcap/Makefile
@@ -10,14 +10,20 @@ LIBNAME=$(LIBTITLE).so
STALIBNAME=$(LIBTITLE).a
#
-FILES=cap_alloc cap_proc cap_extint cap_flag cap_text cap_file
+FILES=cap_alloc cap_proc cap_extint cap_flag cap_text
+
+# make including file support something you can override (no libattr
+# no support).
+ifeq ($(LIBATTR),yes)
+FILES += cap_file
+LDFLAGS += -lattr
+endif
INCLS=libcap.h cap_names.h $(INCS)
OBJS=$(addsuffix .o, $(FILES))
MAJLIBNAME=$(LIBNAME).$(VERSION)
MINLIBNAME=$(MAJLIBNAME).$(MINOR)
GPERF_OUTPUT = _caps_output.gperf
-LDFLAGS += -lattr
all: $(MINLIBNAME) $(STALIBNAME)
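Review bot: `ifeq ($(LIBATTR),yes)` treats every value other than the exact string `yes` as "no", so a typo or a differently-cased value such as `make LIBATTR=Yes` silently builds libcap without `cap_file`, i.e. without file-capability support, and the same test in progs/Makefile then drops `getcap` and `setcap`. Rejecting unknown values before the conditional, with `ifeq ($(filter yes no,$(LIBATTR)),)` around `$(error LIBATTR must be yes or no)`, makes the choice explicit. The comment could also state what is lost: `# LIBATTR=no builds without cap_file.o (no file capability calls) and without -lattr`. Whether the installed header still declares the cap_file.c functions in that configuration is not visible here and is worth confirming, since callers would then fail only at link time.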
diff --git a/libcap/cap_file.c b/libcap/cap_file.c
index 7084799..634e601 100644
--- a/libcap/cap_file.c
+++ b/libcap/cap_file.c
@@ -199,7 +199,7 @@ cap_t cap_get_fd(int fildes)
}
/*
- * Set the capabilities on a named file.
+ * Get the capabilities from a named file.
*/
cap_t cap_get_file(const char *filename)
diff --git a/progs/Makefile b/progs/Makefile
index a2ebfe4..a1542dc 100644
--- a/progs/Makefile
+++ b/progs/Makefile
@@ -4,7 +4,11 @@ include $(topdir)/Make.Rules
#
# Programs: all of the examples that we will compile
#
-PROGS=getpcaps getcap setcap capsh
+PROGS=getpcaps capsh
+ifeq ($(LIBATTR),yes)
+PROGS += getcap setcap
+endif
+
BUILD=$(PROGS)
ifneq ($(DYNAMIC),yes)
@@ -28,4 +32,4 @@ install: all
clean:
$(LOCALCLEAN)
- rm -f *.o $(BUILD) tcapsh ping
+ rm -f *.o $(BUILD) tcapsh ping hack.sh
diff --git a/progs/quicktest.sh b/progs/quicktest.sh
index dacc651..7e7edd5 100755
--- a/progs/quicktest.sh
+++ b/progs/quicktest.sh
@@ -104,3 +104,23 @@ pass_capsh --secbits=47 --inh=cap_net_raw --drop=cap_net_raw \
--uid=500 --print -- -c "./ping -c1 localhost"
rm -f ./ping
+
+# test that we do not support capabilities on setuid shell-scripts
+cat > hack.sh <<EOF
+#!/bin/bash
+mypid=\$\$
+caps=\$(./getpcaps \$mypid 2>&1 | cut -d: -f2)
+if [ "\$caps" != " =" ]; then
+ echo "Shell script got [\$caps] - you should upgrade your kernel"
+ exit 1
+fi
+exit 0
+EOF
+chmod +xs hack.sh
+./hack.sh
+status=$?
+rm -f ./hack.sh
+if [ $status -ne 0 ]; then
+ echo "shell scripts can have capabilities (bug)"
+ exit 1
+fi
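Review bot: The test leaves a set-uid/set-gid `hack.sh` in the build directory whenever the script stops between `chmod +xs hack.sh` and `rm -f ./hack.sh` (an interrupt, a kill, a failure of the shell itself); the only other cleanup is the `hack.sh` entry added to `make clean` in progs/Makefile. Registering the removal before the file is created, `trap 'rm -f ./hack.sh' EXIT`, keeps the privileged-mode file from outliving the run; check first that the part of quicktest.sh outside this hunk does not already set an EXIT trap. A comment saying which user the test expects to run as would also help: `./hack.sh` is started directly rather than through `pass_capsh --uid=500` like the ping test above it, so if quicktest.sh runs as root the script presumably reports root's own capability set and the `" ="` comparison says nothing about the set-uid bit.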