Exemple #1
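# Start from completely filled capability and bounding sets so the per-bit
# tests below begin from a known state.
capng.capng_fill(capng.CAPNG_SELECT_BOTH)
if capng.capng_have_capabilities(capng.CAPNG_SELECT_BOTH) != capng.CAPNG_FULL:
    print("Failed filling capabilities")
    sys.exit(1)

# Render the capability sets in numeric form into a string (PRINT_BUFFER)
# rather than writing them to stdout.
text = capng.capng_print_caps_numeric(capng.CAPNG_PRINT_BUFFER,
                                      capng.CAPNG_SELECT_CAPS)
# Bound to text_len, not len: rebinding the name `len` at module level
# shadows the builtin for every later statement in the script.
text_len = len(text)
# NOTE(review): presumably a dump shorter than 80 characters means only the
# first 32 capability bits are available, hence the cap at 30 - confirm.
# `last` is defined before this excerpt.
if text_len < 80 and last > 30:
    last = 30

print("Doing advanced bit tests for %d capabilities...\n" % (last))
for i in range(last + 1):
    # Empty every set so that capability i is the only one present.
    capng.capng_clear(capng.CAPNG_SELECT_BOTH)
    rc = capng.capng_update(capng.CAPNG_ADD, capng.CAPNG_EFFECTIVE, i)
    if rc:
        print("Failed update test 1")
        sys.exit(1)

    # i already is an int (it comes from range), so no conversion is needed.
    rc = capng.capng_have_capability(capng.CAPNG_EFFECTIVE, i)
    if rc <= capng.CAPNG_NONE:
        print("Failed have capability test 1")
        # Dump the current sets to stdout to help diagnose the failure.
        capng.capng_print_caps_numeric(capng.CAPNG_PRINT_STDOUT,
                                       capng.CAPNG_SELECT_CAPS)
        sys.exit(1)

    # Exactly one capability is set, so the overall state must be PARTIAL,
    # neither NONE nor FULL.
    if capng.capng_have_capabilities(
            capng.CAPNG_SELECT_CAPS) != capng.CAPNG_PARTIAL:
        print("Failed have capabilities test 1")
        sys.exit(1)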
	sys.exit(1)

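# Fill the capability and bounding sets completely and confirm the library
# reports them as full before running the per-bit tests.
capng.capng_fill(capng.CAPNG_SELECT_BOTH)
if capng.capng_have_capabilities(capng.CAPNG_SELECT_BOTH) != capng.CAPNG_FULL:
	print("Failed filling capabilities")
	sys.exit(1)

# Numeric dump of the capability sets, returned as a string (PRINT_BUFFER).
text = capng.capng_print_caps_numeric(capng.CAPNG_PRINT_BUFFER, capng.CAPNG_SELECT_CAPS)
# Stored as text_len: assigning to `len` would replace the builtin for the
# remainder of the script.
text_len = len(text)
# NOTE(review): a dump under 80 characters presumably indicates that only the
# first 32 capability bits exist, so the loop is capped at 30 - confirm.
# `last` is set before this excerpt.
if text_len < 80 and last > 30:
	last = 30

print("Doing advanced bit tests for %d capabilities...\n" % (last))
for i in range(last+1):
	# Begin each round with empty sets so only capability i is held.
	capng.capng_clear(capng.CAPNG_SELECT_BOTH)
	rc = capng.capng_update(capng.CAPNG_ADD, capng.CAPNG_EFFECTIVE, i)
	if rc:
		print("Failed update test 1")
		sys.exit(1)

	# range() already yields ints; the int() conversion was redundant.
	rc = capng.capng_have_capability(capng.CAPNG_EFFECTIVE, i)
	if rc <= capng.CAPNG_NONE:
		print("Failed have capability test 1")
		# Print the sets to stdout so the failing state is visible.
		capng.capng_print_caps_numeric(capng.CAPNG_PRINT_STDOUT, capng.CAPNG_SELECT_CAPS)
		sys.exit(1)

	# With a single capability present the summary must be PARTIAL.
	if capng.capng_have_capabilities(capng.CAPNG_SELECT_CAPS) != capng.CAPNG_PARTIAL:
		print("Failed have capabilities test 1")
		sys.exit(1)

	# Refill all sets; the loop steps that follow are not part of this excerpt.
	capng.capng_fill(capng.CAPNG_SELECT_BOTH)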
Exemple #3
#---------------------------------------------------------------------------#
# drop root privileges retaining capability CAP_NET_BIND_SERVICE
#---------------------------------------------------------------------------#

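def getsgroups(gid):
    """Return the gids of all groups that list the name of group *gid* as a member.

    The name of the group with id *gid* is looked up and then searched for in
    the member list (gr_mem) of every entry of the group database.

    NOTE(review): gr_mem holds user names, while the value searched for is a
    group name. The result is the service account's supplementary groups only
    when the account name equals the name of its primary group - confirm
    against how config.uid / config.gid are provisioned.

    Raises:
        KeyError: if no group with id *gid* exists (raised by grp.getgrgid).
    """
    grnam = grp.getgrgid(gid).gr_name
    # The entry already carries its gid; a second getgrnam() lookup per match
    # is unnecessary. Indentation is spaces only, since mixing tabs and
    # spaces is a TabError on Python 3.
    return [group.gr_gid for group in grp.getgrall() if grnam in group.gr_mem]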

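# Drop from root to config.uid:config.gid while keeping CAP_NET_BIND_SERVICE.
# Any failure is fatal: continuing would leave the process running with more
# privilege than intended.
try:
    # Empty all capability sets, then re-add only the one to retain.
    capng.capng_clear(capng.CAPNG_SELECT_BOTH)
    rc = capng.capng_update(capng.CAPNG_ADD,
                            capng.CAPNG_EFFECTIVE | capng.CAPNG_PERMITTED,
                            capng.CAP_NET_BIND_SERVICE)
    if rc != 0:
        raise OSError("capng_update failed with code %d" % rc)

    if config.sgroups:
        # Supplementary groups must be set before the uid changes. The list is
        # applied even when it is empty: without CAPNG_DROP_SUPP_GRP,
        # capng_change_id leaves supplementary groups untouched, so skipping
        # setgroups would keep those of the starting (root) process.
        os.setgroups(getsgroups(config.gid))
        flags = capng.CAPNG_CLEAR_BOUNDING
    else:
        flags = capng.CAPNG_CLEAR_BOUNDING | capng.CAPNG_DROP_SUPP_GRP

    # capng_change_id reports failure through its return value (0 on success,
    # negative on error), not through an exception, so it has to be checked
    # explicitly; otherwise a failed drop goes unnoticed.
    rc = capng.capng_change_id(config.uid, config.gid, flags)
    if rc != 0:
        raise OSError("capng_change_id failed with code %d" % rc)
    logger.debug("Changed uid/gid to %d:%d." % (config.uid, config.gid))
except (OSError, KeyError) as err:
    # KeyError comes from grp.getgrgid() in getsgroups when the gid has no
    # group entry; OSError from setgroups or from the checks above.
    logger.critical("Privilege drop failed: %s", err)
    logger.critical("Cannot change uid/gid to %d:%d. Nonexistent uid/gid or insufficient privileges." % (config.uid, config.gid))
    # Exit immediately, without running cleanup handlers.
    os._exit(1)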

#---------------------------------------------------------------------------#
# signal handler
#---------------------------------------------------------------------------#
Exemple #4

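def getsgroups(gid):
    """Collect the gids of every group whose member list names group *gid*.

    Resolves *gid* to its group name, then scans the whole group database for
    entries whose gr_mem contains that name.

    NOTE(review): gr_mem lists user names but the lookup key is a group name,
    so this yields the account's supplementary groups only if the account and
    its primary group share a name - verify against the deployment.

    Raises:
        KeyError: when *gid* has no entry in the group database
            (from grp.getgrgid).
    """
    grnam = grp.getgrgid(gid).gr_name
    # Use the gid stored in each matching entry instead of resolving the
    # group name again with getgrnam().
    return [group.gr_gid for group in grp.getgrall() if grnam in group.gr_mem]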


try:
    capng.capng_clear(capng.CAPNG_SELECT_BOTH)
    capng.capng_update(capng.CAPNG_ADD,
                       capng.CAPNG_EFFECTIVE | capng.CAPNG_PERMITTED,
                       capng.CAP_NET_BIND_SERVICE)
    if config.sgroups:
        sgroups = getsgroups(config.gid)
        if sgroups:
            os.setgroups(sgroups)
        capng.capng_change_id(config.uid, config.gid,
                              capng.CAPNG_CLEAR_BOUNDING)
    else:
        capng.capng_change_id(
            config.uid, config.gid,
            capng.CAPNG_CLEAR_BOUNDING | capng.CAPNG_DROP_SUPP_GRP)
    logger.debug("Changed uid/gid to %d:%d." % (config.uid, config.gid))
except OSError:
    logger.critical(
        "Cannot change uid/gid to %d:%d. Nonexistent uid/gid or insufficient privileges."