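# Fill every capability in both the permitted/effective sets and the bounding
# set, and confirm the library reports the result as a full set.
capng.capng_fill(capng.CAPNG_SELECT_BOTH)
if capng.capng_have_capabilities(capng.CAPNG_SELECT_BOTH) != capng.CAPNG_FULL:
    print("Failed filling capabilities")
    sys.exit(1)

# Size the numeric dump of the full set.  `last` is assigned earlier in the
# script (not in this span); a short dump presumably means the running kernel
# knows fewer capabilities than `last` covers, so the loop is capped at 30 —
# TODO confirm that reading.  `text_len` deliberately does not shadow the
# builtin `len`, which the original assignment clobbered for the rest of the
# script.
text = capng.capng_print_caps_numeric(capng.CAPNG_PRINT_BUFFER, capng.CAPNG_SELECT_CAPS)
text_len = len(text)
if text_len < 80 and last > 30:
    last = 30

print("Doing advanced bit tests for %d capabilities...\n" % (last))
for i in range(last + 1):
    # Start each round from an empty set and add exactly one capability to
    # the effective set.  capng_update signals failure via its return code,
    # not an exception, so the rc must be checked explicitly.
    capng.capng_clear(capng.CAPNG_SELECT_BOTH)
    rc = capng.capng_update(capng.CAPNG_ADD, capng.CAPNG_EFFECTIVE, i)
    if rc:
        print("Failed update test 1")
        sys.exit(1)
    # `i` comes from range() and is already an int; no conversion needed.
    rc = capng.capng_have_capability(capng.CAPNG_EFFECTIVE, i)
    if rc <= capng.CAPNG_NONE:
        print("Failed have capability test 1")
        capng.capng_print_caps_numeric(capng.CAPNG_PRINT_STDOUT, capng.CAPNG_SELECT_CAPS)
        sys.exit(1)
    # With a single capability set, the caps must read as PARTIAL — neither
    # empty nor full.
    if capng.capng_have_capabilities(capng.CAPNG_SELECT_CAPS) != capng.CAPNG_PARTIAL:
        print("Failed have capabilities test 1")
        sys.exit(1)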
sys.exit(1) capng.capng_fill(capng.CAPNG_SELECT_BOTH) if capng.capng_have_capabilities(capng.CAPNG_SELECT_BOTH) != capng.CAPNG_FULL: print("Failed filling capabilities") sys.exit(1) text = capng.capng_print_caps_numeric(capng.CAPNG_PRINT_BUFFER, capng.CAPNG_SELECT_CAPS) len = len(text) if len < 80 and last > 30: last = 30 print("Doing advanced bit tests for %d capabilities...\n" % (last)) for i in range(last+1): capng.capng_clear(capng.CAPNG_SELECT_BOTH) rc = capng.capng_update(capng.CAPNG_ADD, capng.CAPNG_EFFECTIVE, i) if rc: print("Failed update test 1") sys.exit(1) rc = capng.capng_have_capability(capng.CAPNG_EFFECTIVE, int(i)) if rc <= capng.CAPNG_NONE: print("Failed have capability test 1") capng.capng_print_caps_numeric(capng.CAPNG_PRINT_STDOUT, capng.CAPNG_SELECT_CAPS) sys.exit(1) if capng.capng_have_capabilities(capng.CAPNG_SELECT_CAPS) != capng.CAPNG_PARTIAL: print("Failed have capabilities test 1") sys.exit(1) capng.capng_fill(capng.CAPNG_SELECT_BOTH)
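#---------------------------------------------------------------------------#
# drop root privileges retaining capability CAP_NET_BIND_SERVICE
#---------------------------------------------------------------------------#
def getsgroups(gid):
    """Return the gids of all groups whose member list contains the name of group *gid*.

    Args:
        gid: numeric primary group id to look up.

    Returns:
        A list of gids; empty when no group lists the name.

    Raises:
        KeyError: if *gid* is not a known group.

    NOTE(review): ``gr_mem`` holds *user* names, while this compares against a
    *group* name, so the lookup only finds the expected supplementary groups
    when the service user is named like its primary group — confirm against
    how ``config.gid`` is provisioned.
    """
    grnam = grp.getgrgid(gid).gr_name
    # getgrall() entries already carry gr_gid; a second lookup by name is
    # redundant.
    return [group.gr_gid for group in grp.getgrall() if grnam in group.gr_mem]


try:
    # Empty both capability sets, then keep only CAP_NET_BIND_SERVICE in the
    # permitted and effective sets so privileged ports can still be bound
    # after the uid/gid switch.  libcap-ng reports failure through return
    # codes rather than exceptions, so each rc is checked and a failure
    # terminates the process instead of letting it carry on as root.
    capng.capng_clear(capng.CAPNG_SELECT_BOTH)
    rc = capng.capng_update(capng.CAPNG_ADD,
                            capng.CAPNG_EFFECTIVE | capng.CAPNG_PERMITTED,
                            capng.CAP_NET_BIND_SERVICE)
    if rc:
        logger.critical("Cannot retain CAP_NET_BIND_SERVICE (capng_update rc=%d)." % rc)
        os._exit(1)

    # Supplementary groups are set while still root; if any were applied,
    # capng_change_id must not drop them again.  The id change happens on
    # every path — a configuration where it is skipped would leave the
    # process running as root.
    sgroups = getsgroups(config.gid) if config.sgroups else []
    if sgroups:
        os.setgroups(sgroups)
        flags = capng.CAPNG_CLEAR_BOUNDING
    else:
        flags = capng.CAPNG_CLEAR_BOUNDING | capng.CAPNG_DROP_SUPP_GRP
    rc = capng.capng_change_id(config.uid, config.gid, flags)
    if rc:
        logger.critical("Cannot change uid/gid to %d:%d (capng_change_id rc=%d)."
                        % (config.uid, config.gid, rc))
        os._exit(1)
    logger.debug("Changed uid/gid to %d:%d." % (config.uid, config.gid))
except (OSError, KeyError):
    # OSError: setgroups/id change rejected by the kernel; KeyError: the gid
    # from config has no group entry.  Both mean the drop did not happen.
    logger.critical("Cannot change uid/gid to %d:%d. Nonexistent uid/gid or insufficient privileges." % (config.uid, config.gid))
    os._exit(1)
#---------------------------------------------------------------------------#
# signal handler
#---------------------------------------------------------------------------#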
def getsgroups(gid): grnam = grp.getgrgid(gid).gr_name sgroups = [] groups = grp.getgrall() for group in groups: if grnam in group.gr_mem: sgroups.append(grp.getgrnam(group.gr_name).gr_gid) return sgroups try: capng.capng_clear(capng.CAPNG_SELECT_BOTH) capng.capng_update(capng.CAPNG_ADD, capng.CAPNG_EFFECTIVE | capng.CAPNG_PERMITTED, capng.CAP_NET_BIND_SERVICE) if config.sgroups: sgroups = getsgroups(config.gid) if sgroups: os.setgroups(sgroups) capng.capng_change_id(config.uid, config.gid, capng.CAPNG_CLEAR_BOUNDING) else: capng.capng_change_id( config.uid, config.gid, capng.CAPNG_CLEAR_BOUNDING | capng.CAPNG_DROP_SUPP_GRP) logger.debug("Changed uid/gid to %d:%d." % (config.uid, config.gid)) except OSError: logger.critical( "Cannot change uid/gid to %d:%d. Nonexistent uid/gid or insufficient privileges."