diff options
author | Andrew Morgan <morgan@kernel.org> | 2007-08-13 23:16:50 -0700 |
---|---|---|
committer | Andrew Morgan <morgan@kernel.org> | 2007-08-13 23:34:41 -0700 |
commit | cd45c57c35df7d2ff352ce74a27329e7fec39ae3 (patch) | |
tree | 193caa01752ff4c2e186ad32ebce9172b021fe34 | |
parent | fa0a8b847d6038b538762b8420cabe4569ecaada (diff) | |
download | libcap-cd45c57c35df7d2ff352ce74a27329e7fec39ae3.tar.gz |
Build with a pam_cap module.
Note, I've been confused about the capset/capget system calls.
It would seem that the current way(TM) is to get the raw API
from libc.
-rw-r--r-- | CHANGELOG | 4 | ||||
-rw-r--r-- | Make.Rules | 8 | ||||
-rw-r--r-- | Makefile | 5 | ||||
-rw-r--r-- | libcap/Makefile | 12 | ||||
-rw-r--r-- | libcap/cap_sys.c | 22 | ||||
-rw-r--r-- | pam_cap/Makefile | 16 | ||||
-rw-r--r-- | pam_cap/capability.conf | 7 | ||||
-rw-r--r-- | pam_cap/pam_cap.c | 11 | ||||
-rw-r--r-- | pam_cap/test.c | 10 | ||||
-rw-r--r-- | progs/setcap.c | 26 |
10 files changed, 65 insertions, 56 deletions
@@ -1,3 +1,7 @@ +* See GIT repository for recent history + + git://master.kernel.org/pub/scm/libs/libcap/libcap.git + libcap 1.10 * fixed cap_free to abide by correct documention - use it to free @@ -49,16 +49,16 @@ MINOR=99 CC=gcc COPTFLAGS=-O2 DEBUG=-O2 -g #-DDEBUG -WARNINGS=-fPIC -D_POSIX_SOURCE -Wall -Wwrite-strings \ +WARNINGS=-fPIC -Wall -Wwrite-strings \ -Wpointer-arith -Wcast-qual -Wcast-align \ -Wstrict-prototypes -Wmissing-prototypes \ -Wnested-externs -Winline -Wshadow -LD=ld -LDFLAGS=-s #-g +LD=$(CC) -Wl,-x -shared +LDFLAGS=#-g KERNEL_HEADERS = /usr/include SYSTEM_HEADERS = /usr/include -IPATH += -I$(topdir)/libcap/include +IPATH += -I$(topdir)/libcap/include -I$(KERNEL_HEADERS) INCS=$(topdir)/libcap/include/sys/capability.h LIBS=-L$(topdir)/libcap -lcap CFLAGS=-Dlinux $(WARNINGS) $(DEBUG) $(COPTFLAG) $(IPATH) @@ -1,8 +1,6 @@ # -# $Id: Makefile,v 1.1.1.1 1999/04/17 22:16:31 morgan Exp $ -# # Makefile for libcap - +# topdir=$(shell pwd) include Make.Rules @@ -12,6 +10,7 @@ include Make.Rules all install clean: %: %-here $(MAKE) -C libcap $(MAKE_DEFS) $@ + $(MAKE) -C pam_cap $(MAKE_DEFS) $@ $(MAKE) -C progs $(MAKE_DEFS) $@ $(MAKE) -C doc $(MAKE_DEFS) $@ diff --git a/libcap/Makefile b/libcap/Makefile index f875c33..52927c4 100644 --- a/libcap/Makefile +++ b/libcap/Makefile @@ -10,7 +10,7 @@ LIBNAME=$(LIBTITLE).so STALIBNAME=$(LIBTITLE).a # -FILES=cap_alloc cap_proc cap_extint cap_flag cap_text cap_sys cap_file +FILES=cap_alloc cap_proc cap_extint cap_flag cap_text cap_file INCLS=libcap.h cap_names.h $(INCS) OBJS=$(addsuffix .o, $(FILES)) @@ -21,7 +21,7 @@ LDFLAGS+=-lattr all: $(MINLIBNAME) $(STALIBNAME) _makenames: _makenames.c cap_names.sed - $(CC) $(CFLAGS) $(LDFLAGS) $< -o $@ + $(CC) $(CFLAGS) $< -o $@ cap_names.h: _makenames ./_makenames > cap_names.h @@ -36,19 +36,13 @@ $(STALIBNAME): $(OBJS) ranlib $(STALIBNAME) $(MINLIBNAME): $(OBJS) - $(CC) $(COPTFLAG) -Wl,-soname,$(MAJLIBNAME) -Wl,-x -shared -o $@ $(OBJS) + $(LD) $(LDFLAGS) $(COPTFLAG) -Wl,-soname,$(MAJLIBNAME) -o $@ $(OBJS) ln -sf $(MINLIBNAME) $(MAJLIBNAME) ln -sf $(MAJLIBNAME) $(LIBNAME) %.o: %.c $(INCLS) $(CC) $(CFLAGS) -c $< -o $@ -<<<<<<< HEAD:libcap/Makefile -======= -cap_sys.o: cap_sys.c $(INCLS) - $(CC) -include $(SYSTEM_HEADERS)/linux/unistd.h $(IPATH) -fPIC -Wall -O2 -c $< -o $@ - ->>>>>>> Add tentitive support for filesystem capabilities with 2.6.23-mm kernels:libcap/Makefile install: all mkdir -p -m 0755 $(INCDIR)/sys install -m 0644 include/sys/capability.h $(INCDIR)/sys diff --git a/libcap/cap_sys.c b/libcap/cap_sys.c deleted file mode 100644 index 8a486b0..0000000 --- a/libcap/cap_sys.c +++ /dev/null @@ -1,22 +0,0 @@ -/* - * Copyright (c) 1997-8 Andrew G. Morgan <morgan@kernel.org> - * - * This file contains the system calls for getting and setting - * capabilities - */ - -#define user /* for more recent 2.6 kernels */ - -#include <linux/unistd.h> -#include <sys/capability.h> - -#define user - -_syscall2(int, capget, - cap_user_header_t, header, - cap_user_data_t, data) - -_syscall2(int, capset, - cap_user_header_t, header, - const cap_user_data_t, data) - diff --git a/pam_cap/Makefile b/pam_cap/Makefile index 03d2597..453b63c 100644 --- a/pam_cap/Makefile +++ b/pam_cap/Makefile @@ -1,13 +1,19 @@ # simple make file for the pam_cap module +topdir=$(shell pwd)/.. +include ../Make.Rules + +all: pam_cap.so + $(MAKE) testcompile + pam_cap.so: pam_cap.o - ld -x --shared -o pam_cap.so $< -lcap + $(LD) -o pam_cap.so $< $(LIBS) pam_cap.o: pam_cap.c - $(CC) -fPIC -c $< + $(CC) $(CFLAGS) -c $< -o $@ -test: test.c pam_cap.o - $(CC) -o test test.c pam_cap.o -lpam -ldl -lcap +testcompile: test.c pam_cap.o + $(CC) $(CFLAGS) -o $@ $+ -lpam -ldl $(LIBS) clean: - rm -f *.o *.so test + rm -f *.o *.so testcompile diff --git a/pam_cap/capability.conf b/pam_cap/capability.conf index 30e4984..40d85fc 100644 --- a/pam_cap/capability.conf +++ b/pam_cap/capability.conf @@ -8,10 +8,9 @@ # and thus you'll know about Linux's capability support. # [If you don't know about libcap, the sources for it are here: # -# ftp://linux.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.2/ +# http://linux.kernel.org/pub/linux/libs/security/linux-privs/ # -# despite evidence to the contrary, the 2-2 library should be used for 2.3 -# kernels too.] +# .] # # Here are some sample lines (remove the preceding '#' if you want to # use them @@ -23,7 +22,7 @@ # cap_net_raw,cap_fowner luser ## 'everyone else' gets no inheritable capabilities -# none * +none * ## if there is no '*' entry, all users not explicitly mentioned will ## get all available capabilities. This is a permissive default, and diff --git a/pam_cap/pam_cap.c b/pam_cap/pam_cap.c index 2b887fc..94c5ebc 100644 --- a/pam_cap/pam_cap.c +++ b/pam_cap/pam_cap.c @@ -1,10 +1,8 @@ /* - * Copyright (c) Andrew G. Morgan <morgan@linux.kernel.org> + * Copyright (c) 1999,2007 Andrew G. Morgan <morgan@kernel.org> * * The purpose of this module is to enforce inheritable capability sets * for a specified user. - * - * $Id$ <- no version yet ;) */ /* #define DEBUG */ @@ -13,6 +11,8 @@ #include <string.h> #include <errno.h> #include <stdarg.h> +#include <stdlib.h> +#include <syslog.h> #include <sys/capability.h> @@ -60,7 +60,7 @@ static char *read_capabilities_for_user(const char *user, const char *source) continue; } - while (line = strtok(NULL, CAP_FILE_DELIMITERS)) { + while ((line = strtok(NULL, CAP_FILE_DELIMITERS))) { if (strcmp("*", line) == 0) { D(("wildcard matched")); @@ -191,7 +191,7 @@ cleanup_cap_s: cap_free(cap_s); cap_s = NULL; } - + return ok; } @@ -308,4 +308,3 @@ int pam_sm_setcred(pam_handle_t *pamh, int flags, return (retval ? PAM_SUCCESS:PAM_IGNORE ); } - diff --git a/pam_cap/test.c b/pam_cap/test.c index 692ac28..5150ba5 100644 --- a/pam_cap/test.c +++ b/pam_cap/test.c @@ -1,6 +1,12 @@ #include <stdio.h> +#include <stdlib.h> +#include <security/pam_modules.h> -main() +int main(int argc, char **argv) { - pam_sm_authenticate(NULL, 0, NULL, 0); + if (pam_sm_authenticate(NULL, 0, 0, NULL) != PAM_SUCCESS) { + printf("failed to authenticate\n"); + exit(1); + } + exit(0); } diff --git a/progs/setcap.c b/progs/setcap.c index b312212..8cd7e6a 100644 --- a/progs/setcap.c +++ b/progs/setcap.c @@ -58,14 +58,35 @@ int main(int argc, char **argv) { char buffer[MAXCAP+1]; int retval, quiet=0; - cap_t cap_d; + cap_t mycaps; + cap_value_t capflag; if (argc < 3) { usage(); } + mycaps = cap_get_proc(); + if (mycaps == NULL) { + perror("fatal error - unable to get process capabilities"); + exit(1); + } + capflag = CAP_SETFCAP; + + /* + * Raise the effective CAP_SETPCAP. + */ + if (cap_set_flag(mycaps, CAP_EFFECTIVE, 1, &capflag, CAP_SET) != 0) { + perror("unable to manipulate CAP_SETFCAP - try a newer libcap?"); + exit(1); + } + if (cap_set_proc(mycaps) != 0) { + perror("unable to set CAP_SETFCAP effective capability"); + exit(1); + } + while (--argc > 0) { const char *text; + cap_t cap_d; if (!strcmp(*++argv,"-q")) { quiet = 1; @@ -102,6 +123,9 @@ int main(int argc, char **argv) if (--argc <= 0) usage(); + /* + * Set the filesystem capability for this file. + */ retval = cap_set_file(*++argv, cap_d); if (retval != 0) { fprintf(stderr, "Failed to set capabilities on file `%s' (%s)\n", |