Login
[x]
Log in using an account from:
Fedora Account System
Red Hat Associate
Red Hat Customer
Or login using a Red Hat Bugzilla account
Forgot Password
Login:
Hide Forgot
Create an Account
Red Hat Bugzilla – Attachment 879075 Details for
Bug 1039346
VPNaaS' vpn service remains in PENDING_CREATE due to missing permissions to write a lock directory
[?]
New
Simple Search
Advanced Search
My Links
Browse
Requests
Reports
Current State
Search
Tabular reports
Graphical reports
Duplicates
Other Reports
User Changes
Plotly Reports
Bug Status
Bug Severity
Non-Defaults
|
Product Dashboard
Help
Page Help!
Bug Writing Guidelines
What's new
Browser Support Policy
5.0.4.rh83 Release notes
FAQ
Guides index
User guide
Web Services
Contact
Legal
This site requires JavaScript to be enabled to function correctly, please enable it.
[patch]
patch to move CAP_DAC_OVERRIDE drop after we create the socket
libreswan-3.8-neutron.patch (text/plain), 1.92 KB, created by
Paul Wouters
on 2014-03-26 15:54:42 UTC
(
hide
)
Description:
patch to move CAP_DAC_OVERRIDE drop after we create the socket
Filename:
MIME Type:
Creator:
Paul Wouters
Created:
2014-03-26 15:54:42 UTC
Size:
1.92 KB
patch
obsolete
>diff --git a/programs/pluto/plutomain.c b/programs/pluto/plutomain.c >index d91ec5b..9381734 100644 >--- a/programs/pluto/plutomain.c >+++ b/programs/pluto/plutomain.c >@@ -441,23 +441,6 @@ int main(int argc, char **argv) > leak_detective = FALSE; > #endif > >-#ifdef HAVE_LIBCAP_NG >- /* >- * Drop capabilities - this generates a false positive valgrind warning >- * See: http://marc.info/?l=linux-security-module&m=125895232029657 >- */ >- capng_clear(CAPNG_SELECT_BOTH); >- >- capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, >- CAP_NET_BIND_SERVICE, CAP_NET_ADMIN, CAP_NET_RAW, >- CAP_IPC_LOCK, CAP_AUDIT_WRITE, >- CAP_SETGID, CAP_SETUID, /* for google authenticator pam */ >- -1); >- /* our children must be able to CAP_NET_ADMIN to change routes. >- */ >- capng_updatev(CAPNG_ADD, CAPNG_BOUNDING_SET, CAP_NET_ADMIN, CAP_DAC_READ_SEARCH, -1); /* DAC needed for google authenticator pam */ >- capng_apply(CAPNG_SELECT_BOTH); >-#endif > > libreswan_passert_fail = passert_fail; > >@@ -1029,6 +1012,27 @@ int main(int argc, char **argv) > } > } > >+#ifdef HAVE_LIBCAP_NG >+ /* >+ * Drop capabilities - this generates a false positive valgrind warning >+ * See: http://marc.info/?l=linux-security-module&m=125895232029657 >+ * >+ * We drop these after creating the pluto socket or else we can't create >+ * a socket if the parent dir is non-root >+ */ >+ capng_clear(CAPNG_SELECT_BOTH); >+ >+ capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, >+ CAP_NET_BIND_SERVICE, CAP_NET_ADMIN, CAP_NET_RAW, >+ CAP_IPC_LOCK, CAP_AUDIT_WRITE, >+ CAP_SETGID, CAP_SETUID, /* for google authenticator pam */ >+ -1); >+ /* our children must be able to CAP_NET_ADMIN to change routes. >+ */ >+ capng_updatev(CAPNG_ADD, CAPNG_BOUNDING_SET, CAP_NET_ADMIN, CAP_DAC_READ_SEARCH, -1); /* DAC needed for google authenticator pam */ >+ capng_apply(CAPNG_SELECT_BOTH); >+#endif >+ > /* If not suppressed, do daemon fork */ > > if (fork_desired) {
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=879075">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 1039346
:
878709
| 879075