diff options
Diffstat (limited to 'thirdparty/libwebsockets/lib/plat/unix/unix-caps.c')
| -rw-r--r-- | thirdparty/libwebsockets/lib/plat/unix/unix-caps.c | 85 |
1 files changed, 85 insertions, 0 deletions
diff --git a/thirdparty/libwebsockets/lib/plat/unix/unix-caps.c b/thirdparty/libwebsockets/lib/plat/unix/unix-caps.c new file mode 100644 index 0000000000..64aea61816 --- /dev/null +++ b/thirdparty/libwebsockets/lib/plat/unix/unix-caps.c @@ -0,0 +1,85 @@ +/* + * libwebsockets - small server side websockets and web server implementation + * + * Copyright (C) 2010-2018 Andy Green <andy@warmcat.com> + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation: + * version 2.1 of the License. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02110-1301 USA + */ + +#define _GNU_SOURCE +#include "core/private.h" + +#include <pwd.h> +#include <grp.h> + +#if defined(LWS_HAVE_SYS_CAPABILITY_H) && defined(LWS_HAVE_LIBCAP) +static void +_lws_plat_apply_caps(int mode, const cap_value_t *cv, int count) +{ + cap_t caps; + + if (!count) + return; + + caps = cap_get_proc(); + + cap_set_flag(caps, mode, count, cv, CAP_SET); + cap_set_proc(caps); + prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0); + cap_free(caps); +} +#endif + +void +lws_plat_drop_app_privileges(const struct lws_context_creation_info *info) +{ + if (info->gid && info->gid != -1) + if (setgid(info->gid)) + lwsl_warn("setgid: %s\n", strerror(LWS_ERRNO)); + + if (info->uid && info->uid != -1) { + struct passwd *p = getpwuid(info->uid); + + if (p) { + +#if defined(LWS_HAVE_SYS_CAPABILITY_H) && defined(LWS_HAVE_LIBCAP) + _lws_plat_apply_caps(CAP_PERMITTED, info->caps, + info->count_caps); +#endif + + initgroups(p->pw_name, info->gid); + if (setuid(info->uid)) + lwsl_warn("setuid: %s\n", strerror(LWS_ERRNO)); + else + lwsl_notice("Set privs to user '%s'\n", + p->pw_name); + +#if defined(LWS_HAVE_SYS_CAPABILITY_H) && defined(LWS_HAVE_LIBCAP) + _lws_plat_apply_caps(CAP_EFFECTIVE, info->caps, + info->count_caps); + + if (info->count_caps) { + int n; + for (n = 0; n < info->count_caps; n++) + lwsl_notice(" RETAINING CAP %d\n", + (int)info->caps[n]); + } +#endif + + } else + lwsl_warn("getpwuid: unable to find uid %d", info->uid); + } +} |