rpms/libcap-ng/devel libcap-ng-0.6.3-euid.patch, NONE, 1.1 libcap-ng-0.6.3-setpcap.patch, NONE, 1.1 libcap-ng.spec, 1.12, 1.13

Steve Grubb sgrubb at fedoraproject.org
Tue Feb 16 15:50:54 UTC 2010


Author: sgrubb

Update of /cvs/pkgs/rpms/libcap-ng/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv30046

Modified Files:
	libcap-ng.spec 
Added Files:
	libcap-ng-0.6.3-euid.patch libcap-ng-0.6.3-setpcap.patch 
Log Message:
* Tue Feb 16 2010 Steve Grubb <sgrubb at redhat.com> 0.6.2-4
- Use global macro and require pkgconfig for devel subpackage


libcap-ng-0.6.3-euid.patch:
 netcap.c |   31 ++++++++++++++++++++++++++-----
 pscap.c  |   41 +++++++++++++++++++++++++++++++++--------
 2 files changed, 59 insertions(+), 13 deletions(-)

--- NEW FILE libcap-ng-0.6.3-euid.patch ---
diff -urp libcap-ng-0.6.2/utils/netcap.c libcap-ng-0.6.3/utils/netcap.c
--- libcap-ng-0.6.2/utils/netcap.c	2009-07-26 08:16:16.000000000 -0400
+++ libcap-ng-0.6.3/utils/netcap.c	2009-10-03 08:36:30.000000000 -0400
@@ -31,7 +31,6 @@
 #include <string.h>
 #include <dirent.h>
 #include <fcntl.h>
-#include <sys/stat.h>
 #include <pwd.h>
 #include "cap-ng.h"
 #include "proc-llist.h"
@@ -56,12 +55,12 @@ static int collect_process_info(void)
 		return 1;
 	}
 	while (( ent = readdir(d) )) {
+		FILE *sf;
 		int pid, ppid;
 		capng_results_t caps;
 		char buf[100];
 		char *tmp, cmd[16], state, *text, *bounds;
-		int fd, len;
-		struct stat sb;
+		int fd, len, euid;
 
 		// Skip non-process dir entries
 		if(*ent->d_name<'0' || *ent->d_name>'9')
@@ -77,7 +76,6 @@ static int collect_process_info(void)
 		if (fd < 0)
 			continue;
 		len = read(fd, buf, sizeof buf - 1);
-		fstat(fd, &sb);
 		close(fd);
 		if (len < 40)
 			continue;
@@ -109,6 +107,29 @@ static int collect_process_info(void)
 			text = capng_print_caps_text(CAPNG_PRINT_BUFFER,
 					CAPNG_PERMITTED);
 
+		// Get the effective uid
+		snprintf(buf, 32, "/proc/%d/status", pid);
+		sf = fopen(buf, "rt");
+		if (sf == NULL)
+			euid = 0;
+		else {
+			int line = 0;
+			__fsetlocking(sf, FSETLOCKING_BYCALLER);
+			while (fgets(buf, sizeof(buf), sf)) {
+				if (line == 0) {
+					line++;
+					continue;
+				}
+				if (memcmp(buf, "Uid:", 4) == 0) {
+					int id;
+					sscanf(buf, "Uid: %d %d",
+						&id, &euid);
+					break;
+				}
+			}
+			fclose(sf);
+		}
+
 		// Now record the bounding set information
 		if (caps == CAPNG_PARTIAL) {
 			caps = capng_have_capabilities(CAPNG_SELECT_BOUNDS);
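Review bot: `euid` can reach `node.uid = euid` (the `@@ -170,7 +191,7 @@` hunk) without ever being assigned. It is declared uninitialised, and the added loop sets it only when a `Uid:` line is found and `sscanf` converts both fields; the `sscanf` return value is not checked. The `fopen` failure path also sets `euid = 0`, so a process that exits between the two /proc reads, or whose status file cannot be opened, is recorded as root-owned in the capability report. I would declare `int euid = -1;`, guard the parse with `if (sscanf(buf, "Uid: %d %d", &id, &euid) != 2) euid = -1;`, and `continue` instead of assigning 0 when the lookup fails. The same block is repeated in the pscap.c hunk at `@@ -120,20 +118,47 @@`, where `if (euid == 0)` then prints the name "root"; collect_process_info's body continues outside this hunk.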
@@ -170,7 +191,7 @@ static int collect_process_info(void)
 				continue;
 			node.ppid = ppid;
 			node.pid = pid;
-			node.uid = sb.st_uid;
+			node.uid = euid;
 			node.cmd = strdup(cmd);
 			node.inode = inode;
 			node.capabilities = strdup(text);
diff -urp libcap-ng-0.6.2/utils/pscap.c libcap-ng-0.6.3/utils/pscap.c
--- libcap-ng-0.6.2/utils/pscap.c	2009-08-16 08:29:37.000000000 -0400
+++ libcap-ng-0.6.3/utils/pscap.c	2009-10-03 08:36:57.000000000 -0400
@@ -23,12 +23,12 @@
 
 #include "config.h"
 #include <stdio.h>
+#include <stdio_ext.h>
 #include <stdlib.h>
 #include <errno.h>
 #include <string.h>
 #include <dirent.h>
 #include <fcntl.h>
-#include <sys/stat.h>
 #include <pwd.h>
 #include "cap-ng.h"
 
@@ -69,11 +69,10 @@ int main(int argc, char *argv[])
 		return 1;
 	}
 	while (( ent = readdir(d) )) {
-		int pid, ppid, uid = -1;
+		int pid, ppid, uid = -1, euid;
 		char buf[100];
 		char *tmp, cmd[16], state, *name = NULL;
 		int fd, len;
-		struct stat sb;
 		struct passwd *p;
 
 		// Skip non-process dir entries
@@ -90,7 +89,6 @@ int main(int argc, char *argv[])
 		if (fd < 0)
 			continue;
 		len = read(fd, buf, sizeof buf - 1);
-		fstat(fd, &sb);
 		close(fd);
 		if (len < 40)
 			continue;
@@ -120,20 +118,47 @@ int main(int argc, char *argv[])
 		// And print out anything with capabilities
 		caps = capng_have_capabilities(CAPNG_SELECT_CAPS);
 		if (caps > CAPNG_NONE) {
+			// Get the effective uid
+			FILE *f;
+			int line;
+			snprintf(buf, 32, "/proc/%d/status", pid);
+			f = fopen(buf, "rt");
+			if (f == NULL)
+				euid = 0;
+			else {
+				line = 0;
+				__fsetlocking(f, FSETLOCKING_BYCALLER);
+				while (fgets(buf, sizeof(buf), f)) {
+					if (line == 0) {
+						line++;
+						continue;
+					}
+					if (memcmp(buf, "Uid:", 4) == 0) {
+						int id;
+						sscanf(buf, "Uid: %d %d",
+							&id, &euid);
+						break;
+					}
+				}
+				fclose(f);
+			}
+			
+			len = read(fd, buf, sizeof buf - 1);
+			close(fd);
 			if (header == 0) {
 				printf("%-5s %-5s %-10s  %-16s  %s\n",
 				    "ppid", "pid", "name", "command",
 				    "capabilities");
 				header = 1;
 			}
-			if (sb.st_uid == 0) {
+			if (euid == 0) {
 				// Take short cut for this one
 				name = "root";
 				uid = 0;
-			} else if (uid != (int)sb.st_uid) {
+			} else if (euid != uid) {
 				// Only look up if name changed
-				p = getpwuid(sb.st_uid);
-				uid = sb.st_uid;
+				p = getpwuid(euid);
+				uid = euid;
 				if (p)
 					name = p->pw_name;
 				// If not taking this branch, use last val
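Review bot: The added `len = read(fd, buf, sizeof buf - 1);` and `close(fd);` after the status parsing use a descriptor that the `@@ -90,7 +89,6 @@` hunk shows already closed right after the stat read, and nothing visible reopens it. At best both calls fail with EBADF. If a descriptor opened in between has reused that number, the `close` shuts an unrelated file and the `read` overwrites `buf`. Neither result is used later in the hunk, so I would delete both lines. main's loop body continues outside this hunk.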

libcap-ng-0.6.3-setpcap.patch:
 cap-ng.c |    5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- NEW FILE libcap-ng-0.6.3-setpcap.patch ---
diff -urp libcap-ng-0.6.2/src/cap-ng.c libcap-ng-0.6.3/src/cap-ng.c
--- libcap-ng-0.6.2/src/cap-ng.c	2009-09-23 17:31:00.000000000 -0400
+++ libcap-ng-0.6.3/src/cap-ng.c	2009-10-09 08:59:01.000000000 -0400
@@ -549,8 +549,9 @@ int capng_change_id(int uid, int gid, ca
 
 	// Check the current capabilities
 #ifdef PR_CAPBSET_DROP
-	// If newer kernel, we need setpcap
-	if (capng_have_capability(CAPNG_EFFECTIVE, CAP_SETPCAP) == 0)
+	// If newer kernel, we need setpcap to change the bounding set
+	if (capng_have_capability(CAPNG_EFFECTIVE, CAP_SETPCAP) == 0 && 
+					flag & CAPNG_CLEAR_BOUNDING)
 		capng_update(CAPNG_ADD,
 				CAPNG_EFFECTIVE|CAPNG_PERMITTED, CAP_SETPCAP);
 #endif
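Review bot: The new condition `capng_have_capability(CAPNG_EFFECTIVE, CAP_SETPCAP) == 0 && flag & CAPNG_CLEAR_BOUNDING` parses as intended only because `&` binds tighter than `&&`. In code that decides whether a capability is added, I would make the grouping explicit: `if (capng_have_capability(CAPNG_EFFECTIVE, CAP_SETPCAP) == 0 && (flag & CAPNG_CLEAR_BOUNDING))`. The comment could also state the intent, e.g. `// Only add CAP_SETPCAP when the caller asked to clear the bounding set`. capng_change_id starts and ends outside the hunk, so whether CAP_SETPCAP is removed again once the bounding set has been cleared cannot be checked here.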


Index: libcap-ng.spec
===================================================================
RCS file: /cvs/pkgs/rpms/libcap-ng/devel/libcap-ng.spec,v
retrieving revision 1.12
retrieving revision 1.13
diff -u -p -r1.12 -r1.13
--- libcap-ng.spec	28 Sep 2009 17:24:50 -0000	1.12
+++ libcap-ng.spec	16 Feb 2010 15:50:54 -0000	1.13
@@ -1,13 +1,15 @@
-%{!?python_sitearch: %define python_sitearch %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib(1)")}
+%{!?python_sitearch: %global python_sitearch %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib(1)")}
 
 Summary: An alternate posix capabilities library
 Name: libcap-ng
 Version: 0.6.2
-Release: 1%{?dist}
+Release: 4%{?dist}
 License: LGPLv2+
 Group: System Environment/Libraries
 URL: http://people.redhat.com/sgrubb/libcap-ng
 Source0: http://people.redhat.com/sgrubb/libcap-ng/%{name}-%{version}.tar.gz
+Patch1: libcap-ng-0.6.3-euid.patch
+Patch2: libcap-ng-0.6.3-setpcap.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildRequires: kernel-headers >= 2.6.11 
 BuildRequires: libattr-devel
@@ -21,6 +23,7 @@ License: LGPLv2+
 Group: Development/Libraries
 Requires: kernel-headers >= 2.6.11
 Requires: %{name} = %{version}-%{release}
+Requires: pkgconfig
 
 %description devel
 The libcap-ng-devel package contains the files needed for developing
@@ -49,6 +52,8 @@ lets you set the file system based capab
 
 %prep
 %setup -q
+%patch1 -p1
+%patch2 -p1
 
 %build
 %configure --libdir=/%{_lib}
@@ -107,6 +112,15 @@ rm -rf $RPM_BUILD_ROOT
 %attr(0644,root,root) %{_mandir}/man8/*
 
 %changelog
+* Tue Feb 16 2010 Steve Grubb <sgrubb at redhat.com> 0.6.2-4
+- Use global macro and require pkgconfig for devel subpackage
+
+* Fri Oct 09 2009 Steve Grubb <sgrubb at redhat.com> 0.6.2-3
+- Apply patch to retain setpcap only if clearing bounding set
+
+* Sat Oct 03 2009 Steve Grubb <sgrubb at redhat.com> 0.6.2-2
+- Apply patch correcting pscap and netcap acct detection
+
 * Mon Sep 28 2009 Steve Grubb <sgrubb at redhat.com> 0.6.2-1
 - New upstream release
 


