Remove libcap/prctl artifacts

They seem to be relics of the past, from when we were retaining the
ptrace cap.

Some translations still may need updates.
master
Arkadiusz Hiler 6 years ago
parent 98b524abd7
commit 00dfb76832

@ -42,7 +42,6 @@ pango = dependency('pango')
pangocairo = dependency('pangocairo') pangocairo = dependency('pangocairo')
gdk_pixbuf = dependency('gdk-pixbuf-2.0', required: false) gdk_pixbuf = dependency('gdk-pixbuf-2.0', required: false)
pixman = dependency('pixman-1') pixman = dependency('pixman-1')
libcap = dependency('libcap', required: false)
libinput = dependency('libinput', version: '>=1.6.0') libinput = dependency('libinput', version: '>=1.6.0')
libpam = cc.find_library('pam', required: false) libpam = cc.find_library('pam', required: false)
systemd = dependency('libsystemd', required: false) systemd = dependency('libsystemd', required: false)

@ -12,10 +12,6 @@
#include <sys/wait.h> #include <sys/wait.h>
#include <sys/un.h> #include <sys/un.h>
#include <unistd.h> #include <unistd.h>
#ifdef __linux__
#include <sys/capability.h>
#include <sys/prctl.h>
#endif
#include <wlr/util/log.h> #include <wlr/util/log.h>
#include "sway/commands.h" #include "sway/commands.h"
#include "sway/config.h" #include "sway/config.h"
@ -181,28 +177,8 @@ static void log_kernel() {
pclose(f); pclose(f);
} }
static void executable_sanity_check() {
#ifdef __linux__
struct stat sb;
char *exe = realpath("/proc/self/exe", NULL);
stat(exe, &sb);
// We assume that cap_get_file returning NULL implies ENODATA
if (sb.st_mode & (S_ISUID|S_ISGID) && cap_get_file(exe)) {
wlr_log(WLR_ERROR,
"sway executable has both the s(g)uid bit AND file caps set.");
wlr_log(WLR_ERROR,
"This is strongly discouraged (and completely broken).");
wlr_log(WLR_ERROR,
"Please clear one of them (either the suid bit, or the file caps).");
wlr_log(WLR_ERROR,
"If unsure, strip the file caps.");
exit(EXIT_FAILURE);
}
free(exe);
#endif
}
static void drop_permissions(bool keep_caps) { static void drop_permissions(void) {
if (getuid() != geteuid() || getgid() != getegid()) { if (getuid() != geteuid() || getgid() != getegid()) {
if (setgid(getgid()) != 0) { if (setgid(getgid()) != 0) {
wlr_log(WLR_ERROR, "Unable to drop root"); wlr_log(WLR_ERROR, "Unable to drop root");
@ -217,20 +193,6 @@ static void drop_permissions(bool keep_caps) {
wlr_log(WLR_ERROR, "Root privileges can be restored."); wlr_log(WLR_ERROR, "Root privileges can be restored.");
exit(EXIT_FAILURE); exit(EXIT_FAILURE);
} }
#ifdef __linux__
if (keep_caps) {
// Drop every cap except CAP_SYS_PTRACE
cap_t caps = cap_init();
cap_value_t keep = CAP_SYS_PTRACE;
wlr_log(WLR_INFO, "Dropping extra capabilities");
if (cap_set_flag(caps, CAP_PERMITTED, 1, &keep, CAP_SET) ||
cap_set_flag(caps, CAP_EFFECTIVE, 1, &keep, CAP_SET) ||
cap_set_proc(caps)) {
wlr_log(WLR_ERROR, "Failed to drop extra capabilities");
exit(EXIT_FAILURE);
}
}
#endif
} }
void enable_debug_flag(const char *flag) { void enable_debug_flag(const char *flag) {
@ -347,7 +309,7 @@ int main(int argc, char **argv) {
wlr_log(WLR_ERROR, "Don't use options with the IPC client"); wlr_log(WLR_ERROR, "Don't use options with the IPC client");
exit(EXIT_FAILURE); exit(EXIT_FAILURE);
} }
drop_permissions(false); drop_permissions();
char *socket_path = getenv("SWAYSOCK"); char *socket_path = getenv("SWAYSOCK");
if (!socket_path) { if (!socket_path) {
wlr_log(WLR_ERROR, "Unable to retrieve socket path"); wlr_log(WLR_ERROR, "Unable to retrieve socket path");
@ -358,34 +320,17 @@ int main(int argc, char **argv) {
return 0; return 0;
} }
executable_sanity_check();
bool suid = false;
if (!server_privileged_prepare(&server)) { if (!server_privileged_prepare(&server)) {
return 1; return 1;
} }
#if defined(__linux__) || defined(__FreeBSD__)
if (getuid() != geteuid() || getgid() != getegid()) {
#ifdef __linux__
// Retain capabilities after setuid()
if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0)) {
wlr_log(WLR_ERROR, "Cannot keep caps after setuid()");
exit(EXIT_FAILURE);
}
#endif
suid = true;
}
#endif
log_kernel(); log_kernel();
log_distro(); log_distro();
detect_proprietary(); detect_proprietary();
detect_raspi(); detect_raspi();
#if defined(__linux__) || defined(__FreeBSD__) drop_permissions();
drop_permissions(suid);
#endif
// handle SIGTERM signals // handle SIGTERM signals
signal(SIGTERM, sig_handler); signal(SIGTERM, sig_handler);
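Review bot: With `executable_sanity_check()` and the libcap block gone, nothing on the startup path inspects or clears file capabilities any more, because `drop_permissions()` only acts when `getuid() != geteuid() || getgid() != getegid()`. As far as these hunks show, a binary installed with file capabilities but no s(g)uid bit skips that guard and keeps whatever capabilities it was granted. The middle of `drop_permissions` lies between two hunks and is not visible, so confirm what the "Root privileges can be restored" check covers. If file-cap installs are now simply unsupported, say so above the function, e.g. `// Only setuid/setgid installs are handled; file capabilities are neither checked nor dropped here.`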

@ -164,7 +164,6 @@ sway_deps = [
cairo, cairo,
gdk_pixbuf, gdk_pixbuf,
jsonc, jsonc,
libcap,
libinput, libinput,
math, math,
pango, pango,
