Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Allow rngd process to drop privileges
Add a command line option '-D user:group' or '--drop-privileges=user:group' to drop rngd process privileges after all privileged operations are done. A user:group tuple can contain a user or group name or a numeric id. The presence of a user or group with a given numeric id in the system is verified. The real and effective user and group ids of the rngd process are set to the ones specified. The supplemental group list is also reset to contain only the one specified group id. A paranoid check is made that the rngd process has the desired credentials and cannot switch them back. The CAP_SYS_ADMIN capability is set after dropping privileges to allow privileged ioctl() operations on the /dev/random device.
Showing 5 changed files with 186 additions and 2 deletions.
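The drop sequence the commit message describes, sketched as an added example that is not the commit's own code. The function names, the 65534:65534 target, and the use of PR_SET_KEEPCAPS with a raw capset() call to retain CAP_SYS_ADMIN are assumptions; the commit may do this differently, for instance through libcap.

```c
#define _DEFAULT_SOURCE
#include <grp.h>
#include <linux/capability.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Paranoid check: real and effective ids equal the target, the supplementary
 * list is exactly {gid}, and the process cannot switch back to root. */
int verify_dropped(uid_t uid, gid_t gid)
{
    gid_t list[2];

    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;
    if (getgroups(2, list) != 1 || list[0] != gid)
        return -1;
    /* A successful call here means a saved id or capability survived. */
    if (setuid(0) == 0 || (gid != 0 && setgid(0) == 0))
        return -1;
    return 0;
}

/* Call after all privileged operations are done; abort the daemon on -1. */
int drop_privileges(uid_t uid, gid_t gid)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct caps[2] = { { 0 } };

    if (uid == 0)
        return -1; /* root is not a drop target */
    if (prctl(PR_SET_KEEPCAPS, 1L, 0L, 0L, 0L))
        return -1; /* keep permitted caps across the uid change */
    /* Groups and gid first: they cannot be changed once the uid is gone. */
    if (setgroups(1, &gid) || setregid(gid, gid) || setreuid(uid, uid))
        return -1;
    /* Shrink to CAP_SYS_ADMIN only; CAP_SETUID and CAP_SETGID are dropped. */
    caps[0].permitted = caps[0].effective = 1u << CAP_SYS_ADMIN;
    if (syscall(SYS_capset, &hdr, caps))
        return -1;
    return verify_dropped(uid, gid);
}

int main(void)
{
    /* 65534:65534 is a constructed target; rngd would take it from -D. */
    return drop_privileges(65534, 65534) ? 1 : 0;
}
```

A failure part-way through leaves the process in a mixed state, so the caller should exit rather than continue.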