agent: Keep CAP_DAC_OVERRIDE to connect to ssh-agent socket

author Tobias Brunner <tobias@strongswan.org>

Thu, 21 Nov 2013 16:12:21 +0000 (17:12 +0100)

committer Tobias Brunner <tobias@strongswan.org>

Thu, 23 Jan 2014 09:08:23 +0000 (10:08 +0100)
author Tobias Brunner <tobias@strongswan.org>
Thu, 21 Nov 2013 16:12:21 +0000 (17:12 +0100)
committer Tobias Brunner <tobias@strongswan.org>
Thu, 23 Jan 2014 09:08:23 +0000 (10:08 +0100)
diff --git a/src/charon-nm/nm/nm_backend.c b/src/charon-nm/nm/nm_backend.c

index f474dad..ebebde2 100644 (file)
--- a/src/charon-nm/nm/nm_backend.c
+++ b/src/charon-nm/nm/nm_backend.c
@@ -22,10 +22,6 @@
  #include <daemon.h>
  #include <processing/jobs/callback_job.h>
  
-#ifndef CAP_DAC_OVERRIDE
-#define CAP_DAC_OVERRIDE 1
-#endif
-
  typedef struct nm_backend_t nm_backend_t;
  
  /**
@@ -143,14 +139,6 @@ static bool nm_backend_init()
                 return FALSE;
         }
  
-       /* bypass file permissions to read from users ssh-agent */
-       if (!lib->caps->keep(lib->caps, CAP_DAC_OVERRIDE))
-       {
-               DBG1(DBG_CFG, "NM backend requires CAP_DAC_OVERRIDE capability");
-               nm_backend_deinit();
-               return FALSE;
-       }
-
         lib->processor->queue_job(lib->processor,
                 (job_t*)callback_job_create_with_prio((callback_job_cb_t)run, this,
                                 NULL, (callback_job_cancel_t)cancel, JOB_PRIO_CRITICAL));
diff --git a/src/libstrongswan/plugins/agent/agent_plugin.c b/src/libstrongswan/plugins/agent/agent_plugin.c

index 322ded4..dc6adc4 100644 (file)
--- a/src/libstrongswan/plugins/agent/agent_plugin.c
+++ b/src/libstrongswan/plugins/agent/agent_plugin.c
@@ -63,6 +63,13 @@ plugin_t *agent_plugin_create()
  {
         private_agent_plugin_t *this;
  
+       /* required to connect to ssh-agent socket */
+       if (!lib->caps->keep(lib->caps, CAP_DAC_OVERRIDE))
+       {
+               DBG1(DBG_DMN, "agent plugin requires CAP_DAC_OVERRIDE capability");
+               return NULL;
+       }
+
         INIT(this,
                 .public = {
                         .plugin = {
@@ -75,4 +82,3 @@ plugin_t *agent_plugin_create()
  
         return &this->public.plugin;
  }
-
diff --git a/src/libstrongswan/plugins/agent/agent_private_key.c b/src/libstrongswan/plugins/agent/agent_private_key.c

index 8a3fb15..c2e82a9 100644 (file)
--- a/src/libstrongswan/plugins/agent/agent_private_key.c
+++ b/src/libstrongswan/plugins/agent/agent_private_key.c
@@ -442,4 +442,3 @@ agent_private_key_t *agent_private_key_open(key_type_t type, va_list args)
         }
         return &this->public;
  }
-
diff --git a/src/libstrongswan/utils/capabilities.h b/src/libstrongswan/utils/capabilities.h

index fe11a4d..20c1855 100644 (file)
--- a/src/libstrongswan/utils/capabilities.h
+++ b/src/libstrongswan/utils/capabilities.h
@@ -44,6 +44,9 @@ typedef struct capabilities_t capabilities_t;
  #ifndef CAP_NET_RAW
  # define CAP_NET_RAW 13
  #endif
+#ifndef CAP_DAC_OVERRIDE
+# define CAP_DAC_OVERRIDE 1
+#endif
  
  /**
   * POSIX capability dropping abstraction layer.
author	Tobias Brunner <tobias@strongswan.org>
	Thu, 21 Nov 2013 16:12:21 +0000 (17:12 +0100)
committer	Tobias Brunner <tobias@strongswan.org>
	Thu, 23 Jan 2014 09:08:23 +0000 (10:08 +0100)
src/charon-nm/nm/nm_backend.c		patch \| blob \| history
src/libstrongswan/plugins/agent/agent_plugin.c		patch \| blob \| history
src/libstrongswan/plugins/agent/agent_private_key.c		patch \| blob \| history
src/libstrongswan/utils/capabilities.h		patch \| blob \| history