--- /dev/null
+AC_DEFUN([PDNS_WITH_LIBCAP], [
+ AC_MSG_CHECKING([whether we will be linking in libcap])
+ HAVE_LIBCAPS=0
+ AC_ARG_WITH([libcap],
+ AS_HELP_STRING([--with-libcap],[use libcap @<:@default=auto@:>@]),
+ [with_libcap=$withval],
+ [with_libcap=auto],
+ )
+ AC_MSG_RESULT([$with_libcap])
+
+ AS_IF([test "x$with_libcap" != "xno"], [
+ AS_IF([test "x$with_libcap" = "xyes" -o "x$with_libcap" = "xauto"], [
+ PKG_CHECK_MODULES([LIBCAP], [libcap] , [
+ [HAVE_LIBCAP=1]
+ AC_DEFINE([HAVE_LIBCAP], [1], [Define to 1 if you have libcap])
+ ], [ : ])
+ ])
+ ])
+ AM_CONDITIONAL([HAVE_LIBCAP], [test "x$LIBCAP_LIBS" != "x"])
+ AS_IF([test "x$with_libcap" = "xyes"], [
+ AS_IF([test x"$LIBCAP_LIBS" = "x"], [
+ AC_MSG_ERROR([libcap requested but libraries were not found])
+ ])
+ ])
+])
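Review bot: The initialisation `HAVE_LIBCAPS=0` near the top of the macro sets a variable that nothing else reads; the success branch assigns `HAVE_LIBCAP=1`, so the initial line should be `HAVE_LIBCAP=0`. More important for hardening, with the default `auto` a missing libcap is accepted silently through the `[ : ]` branch, and the build then produces a binary whose dropCapabilities() is an empty function. I would replace `[ : ]` with `[AC_MSG_WARN([libcap not found, capabilities will not be dropped after startup])]` so packagers notice. The `AC_MSG_RESULT([$with_libcap])` line also prints the requested value (`auto`) rather than the outcome of the check, so the configure log does not show whether libcap was actually found.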
dropGroupPrivs(newgid);
dropUserPrivs(newuid);
+ try {
+ /* we might still have capabilities remaining,
+ for example if we have been started as root
+ without --uid or --gid (please don't do that)
+ or as an unprivileged user with ambient
+ capabilities like CAP_NET_BIND_SERVICE.
+ */
+ dropCapabilities();
+ }
+ catch(const std::exception& e) {
+ warnlog("%s", e.what());
+ }
/* this need to be done _after_ dropping privileges */
g_delay = new DelayPipe<DelayedPacket>();
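Review bot: The added catch block only calls `warnlog("%s", e.what());` and startup continues, so a failed dropCapabilities() leaves the process running with whatever capabilities it still holds, which is the situation the comment above it warns about. Clearing one's own capability sets should not normally fail, so a failure here is unexpected and is probably better treated as fatal, or at least logged at error level, for example with `errlog("Unable to drop capabilities: %s", e.what());`. Note also that when the binary is built without libcap the call returns normally without doing anything, so the log gives no hint that capabilities were kept. The enclosing function starts and ends outside this hunk, so I cannot see whether anything after this point still relies on a capability.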
-AM_CPPFLAGS += $(SYSTEMD_CFLAGS) $(LUA_CFLAGS) $(LIBEDIT_CFLAGS) $(LIBSODIUM_CFLAGS) $(FSTRM_CFLAGS) $(YAHTTP_CFLAGS) $(SANITIZER_FLAGS) $(NET_SNMP_CFLAGS) -DSYSCONFDIR=\"${sysconfdir}\"
+AM_CPPFLAGS += $(SYSTEMD_CFLAGS) $(LUA_CFLAGS) $(LIBEDIT_CFLAGS) $(LIBSODIUM_CFLAGS) $(FSTRM_CFLAGS) $(YAHTTP_CFLAGS) $(SANITIZER_FLAGS) $(NET_SNMP_CFLAGS) $(LIBCAP_CFLAGS) -DSYSCONFDIR=\"${sysconfdir}\"
ACLOCAL_AMFLAGS = -I m4
$(FSTRM_LIBS) \
$(SANITIZER_FLAGS) \
$(SYSTEMD_LIBS) \
- $(NET_SNMP_LIBS)
+ $(NET_SNMP_LIBS) \
+ $(LIBCAP_LIBS)
if HAVE_RE2
dnsdist_LDADD += $(RE2_LIBS)
$(LIBSODIUM_LIBS) \
$(FSTRM_LIBS) \
$(RT_LIBS) \
- $(SANITIZER_FLAGS)
+ $(SANITIZER_FLAGS) \
+ $(LIBCAP_LIBS)
MANPAGES=dnsdist.1
DNSDIST_ENABLE_DNSCRYPT
PDNS_WITH_EBPF
PDNS_WITH_NET_SNMP
+PDNS_WITH_LIBCAP
AX_AVAILABLE_SYSTEMD
AM_CONDITIONAL([HAVE_SYSTEMD], [ test x"$systemd" = "xy" ])
--- /dev/null
+../../../m4/pdns_with_libcap.m4
\ No newline at end of file
# include <sched.h>
#endif
+#ifdef HAVE_LIBCAP
+#include <sys/capability.h>
+#endif
+
bool g_singleThreaded;
size_t writen2(int fd, const void *buf, size_t count)
return results;
}
+
+void dropCapabilities()
+{
+#ifdef HAVE_LIBCAP
+ cap_t caps = cap_get_proc();
+ if (caps != nullptr) {
+ cap_clear(caps);
+
+ if (cap_set_proc(caps) != 0) {
+ cap_free(caps);
+ throw std::runtime_error("Unable to drop capabilities: " + std::string(strerror(errno)));
+ }
+
+ cap_free(caps);
+ }
+#endif /* HAVE_LIBCAP */
+}
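Review bot: When `cap_get_proc()` returns nullptr the function returns normally, so the caller believes capabilities were dropped when nothing happened; that case should throw like the `cap_set_proc()` failure does. The return value of `cap_clear()` is ignored, and in the error path `errno` is read after `cap_free(caps)`, which may have overwritten it, so the message can report the wrong error. Without HAVE_LIBCAP the body is empty; a comment on the declaration saying that the function is a no-op in that build would help callers. A sketch of the error handling follows.

```cpp
void dropCapabilities()
{
#ifdef HAVE_LIBCAP
  cap_t caps = cap_get_proc();
  if (caps == nullptr) {
    throw std::runtime_error("Unable to read the process capabilities: " + std::string(strerror(errno)));
  }

  if (cap_clear(caps) != 0 || cap_set_proc(caps) != 0) {
    const int err = errno; /* saved before cap_free() can change it */
    cap_free(caps);
    throw std::runtime_error("Unable to drop capabilities: " + std::string(strerror(err)));
  }

  cap_free(caps);
#endif /* HAVE_LIBCAP */
}
```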
double DiffTime(const struct timeval& first, const struct timeval& second);
uid_t strToUID(const string &str);
gid_t strToGID(const string &str);
+void dropCapabilities();
unsigned int pdns_stou(const std::string& str, size_t * idx = 0, int base = 10);