faraphel/chrony
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

sys_linux: keep CAP_NET_BIND_SERVICE only if NTP port can be opened

Browse source 
If port is set to 0 in the config file, the server port cannot be opened
and there is no point in keeping the binding capability.
This commit is contained in:
Miroslav Lichvar 2015-12-10 14:26:16 +01:00
parent 30f2a2003c
commit 0a10df1cf5
1 changed files with 6 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
sys_linux.c
View file

@ -403,6 +403,7 @@ SYS_Linux_Finalise(void)
void void
SYS_Linux_DropRoot(uid_t uid, gid_t gid) SYS_Linux_DropRoot(uid_t uid, gid_t gid)
{ {
const char *cap_text;
cap_t cap; cap_t cap;
if (prctl(PR_SET_KEEPCAPS, 1)) { if (prctl(PR_SET_KEEPCAPS, 1)) {
@ -411,7 +412,11 @@ SYS_Linux_DropRoot(uid_t uid, gid_t gid)
UTI_DropRoot(uid, gid); UTI_DropRoot(uid, gid);
if ((cap = cap_from_text("cap_net_bind_service,cap_sys_time=ep")) == NULL) { /* Keep CAP_NET_BIND_SERVICE only if NTP port can be opened */
cap_text = CNF_GetNTPPort() ?
"cap_net_bind_service,cap_sys_time=ep" : "cap_sys_time=ep";
if ((cap = cap_from_text(cap_text)) == NULL) {
LOG_FATAL(LOGF_SysLinux, "cap_from_text() failed"); LOG_FATAL(LOGF_SysLinux, "cap_from_text() failed");
} }