dnsdist: Keep retained capabilities even when switching user/group #11761

Merged
merged 1 commit into from
Jul 5, 2022

rgacogne
Member

@rgacogne rgacogne commented Jul 5, 2022

Short description

On Linux, we support retaining some capabilities if we are running as root (eeew) or as an unprivileged user with ambient capabilities, but we did not yet support keeping these if we were started as root but then switched to a different user ID and/or group ID.
This commit uses PR_SET_KEEPCAPS, when available, to do just that, to be able to retain the capabilities we need without running as a fully privileged user even when we cannot easily use ambient capabilities.

Checklist

I have:

  • read the CONTRIBUTING.md document
  • compiled this code
  • tested this code
  • included documentation (including possible behaviour changes)
  • documented the code
  • added or modified regression test(s)
  • added or modified unit test(s)

On Linux, we support retaining some capabilities if we are running
as root (eeew) or as an unprivileged user with ambient capabilities,
but we did not yet support keeping these if we were started as root
but then switched to a different user ID and/or group ID.
This commit uses `PR_SET_KEEPCAPS`, when available, to do just that,
to be able to retain the capabilities we need without running as a
fully privileged user even when we cannot easily use ambient
capabilities.

@rgacogne rgacogne merged commit 32924d8 into PowerDNS:master Jul 5, 2022
@rgacogne rgacogne deleted the ddist-keep-caps-on-user-switch branch July 5, 2022 17:22
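
The mechanism this pull request describes, sketched as an added example that is not dnsdist's code: a process started as root sets `PR_SET_KEEPCAPS`, switches group and user, then re-raises only the capabilities it needs. The function names, the target IDs (65534) and the choice of `CAP_NET_BIND_SERVICE` are assumptions made for the illustration.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <linux/capability.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Raw capget/capset on the calling thread, so no libcap is needed. */
static int caps_io(long nr, struct __user_cap_data_struct d[2]) {
    struct __user_cap_header_struct h = { _LINUX_CAPABILITY_VERSION_3, 0 };
    return (int)syscall(nr, &h, d);
}

/* Effective capability set as a 64-bit mask (0 if capget fails). */
uint64_t effective_caps(void) {
    struct __user_cap_data_struct d[2] = {{0}};
    if (caps_io(SYS_capget, d) != 0) return 0;
    return ((uint64_t)d[1].effective << 32) | d[0].effective;
}

/* Shrink permitted to (permitted & want), raise that in effective, clear inheritable. */
int limit_caps_to(uint64_t want) {
    struct __user_cap_data_struct d[2] = {{0}};
    if (caps_io(SYS_capget, d) != 0) return -1;
    for (int i = 0; i < 2; i++) {
        d[i].permitted &= (uint32_t)(want >> (32 * i));
        d[i].effective = d[i].permitted;
        d[i].inheritable = 0;
    }
    return caps_io(SYS_capset, d);
}

/* Hypothetical helper: start as root, end as uid/gid holding only `want`. */
int switch_user_keep_caps(uid_t uid, gid_t gid, uint64_t want) {
    /* Without this flag the 0 -> non-zero UID change empties the permitted set. */
    if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) != 0) return -1;
    /* Groups first: after setuid() CAP_SETGID is gone from the effective set. */
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0) return -1;
    /* The flag preserved permitted only; effective was cleared, so re-raise it. */
    if (limit_caps_to(want) != 0) return -1;
    /* Reset the flag explicitly (the kernel also resets it on execve). */
    return prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0);
}

int main(void) {
    int rc = switch_user_keep_caps(65534, 65534, 1ULL << CAP_NET_BIND_SERVICE);
    printf("rc=%d uid=%d effective=%#llx\n", rc, (int)getuid(),
           (unsigned long long)effective_caps());
    return rc != 0;
}
```

Run as root, this should end as UID 65534 with only `CAP_NET_BIND_SERVICE` effective; started unprivileged, `setgroups()` fails and the helper returns -1 without switching.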