* Fixed lowering privileges in proc ipforward method.

* Fixed "(no) ipv6 forwarding" command logic. * Added --disable-capabilities switch to configure.
2004-04-06 11:59:00 +00:00 · 2004-04-06 11:59:00 +00:00 · 41d3fc9695
parent 4991f6ca30
commit 41d3fc9695
4 changed files with 68 additions and 33 deletions
--- a/6
+++ b/6
@ -1,3 +1,9 @@
 2004-04-06 Hasso Tepper <hasso@estpak.ee>
 	* zebra/ipforward_proc.c: Fixed lowering privileges.
 	* zebra/zserv.c: Fixed "(no) ipv6 forwarding" command logic.
 	* configure.ac: Added --disable-capabilities switch to configure.
 2004-03-22 Hasso Tepper <hasso@estpak.ee>
 	* Readded SIGTERM handling so daemons can clean up their stuff if they
--- a/configure.ac
+++ b/configure.ac
@ -124,6 +124,8 @@ AC_ARG_ENABLE(logfile_mask,
 AC_ARG_ENABLE(rtadv,
 [  --disable-rtadv         disable IPV6 router advertisement feature])
 AC_ARG_ENABLE(capabilities,
 [  --disable-capabilities        disable using POSIX capabilities])
 if test "${enable_broken_aliases}" = "yes"; then
  if test "${enable_netlink}" = "yes"
@ -970,6 +972,7 @@ AC_TRY_COMPILE([#include <sys/resource.h>
 dnl -------------------
 dnl capabilities checks
 dnl -------------------
 if test "${enable_capabilities}" != "no"; then
  AC_MSG_CHECKING(whether prctl PR_SET_KEEPCAPS is available)
  AC_TRY_COMPILE([#include <sys/prctl.h>],[prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0);],
    [AC_MSG_RESULT(yes)
@ -987,6 +990,7 @@ if test x"${ac_cv_header_sys_capability_h}" = x"yes"; then
      ]
    )
  fi
 fi
 AC_SUBST(LIBCAP)
 dnl ---------------------------
--- a/zebra/ipforward_proc.c
+++ b/zebra/ipforward_proc.c
@ -81,16 +81,19 @@ ipforward_on ()
  fp = fopen (proc_ipv4_forwarding, "w");
  if (fp == NULL) {
    if ( zserv_privs.change(ZPRIVS_LOWER) )
      zlog_err ("Can't lower privileges, %s", strerror (errno));
  if (fp == NULL)
    return -1;
  }
  fprintf (fp, "1\n");
  fclose (fp);
  if ( zserv_privs.change(ZPRIVS_LOWER) )
    zlog_err ("Can't lower privileges, %s", strerror (errno));
  return ipforward ();
 }
@ -104,17 +107,19 @@ ipforward_off ()
  fp = fopen (proc_ipv4_forwarding, "w");
  if (fp == NULL) {
    if ( zserv_privs.change(ZPRIVS_LOWER) )
      zlog_err ("Can't lower privileges, %s", strerror (errno));
  if (fp == NULL)
    return -1;
  }
  fprintf (fp, "0\n");
  fclose (fp);
  if ( zserv_privs.change(ZPRIVS_LOWER) )
    zlog_err ("Can't lower privileges, %s", strerror (errno));
  return ipforward ();
 }
 #ifdef HAVE_IPV6
@ -149,16 +154,19 @@ ipforward_ipv6_on ()
  fp = fopen (proc_ipv6_forwarding, "w");
  if (fp == NULL) {
    if ( zserv_privs.change(ZPRIVS_LOWER) )
      zlog_err ("Can't lower privileges, %s", strerror (errno));
  if (fp == NULL)
    return -1;
  }
  fprintf (fp, "1\n");
  fclose (fp);
  if ( zserv_privs.change(ZPRIVS_LOWER) )
    zlog_err ("Can't lower privileges, %s", strerror (errno));
  return ipforward_ipv6 ();
 }
@ -172,16 +180,19 @@ ipforward_ipv6_off ()
  fp = fopen (proc_ipv6_forwarding, "w");
  if (fp == NULL) {
    if ( zserv_privs.change(ZPRIVS_LOWER) )
      zlog_err ("Can't lower privileges, %s", strerror (errno));
  if (fp == NULL)
    return -1;
  }
  fprintf (fp, "0\n");
  fclose (fp);
  if ( zserv_privs.change(ZPRIVS_LOWER) )
    zlog_err ("Can't lower privileges, %s", strerror (errno));
  return ipforward_ipv6 ();
 }
 #endif /* HAVE_IPV6 */
--- a/zebra/zserv.c
+++ b/zebra/zserv.c
@ -1919,8 +1919,15 @@ DEFUN (ipv6_forwarding,
 {
  int ret;
-  ret = ipforward_ipv6_on ();
+  ret = ipforward_ipv6 ();
  if (ret != 0)
    {
      vty_out (vty, "IPv6 forwarding is already on%s", VTY_NEWLINE);
      return CMD_ERR_NOTHING_TODO;
    }
  ret = ipforward_ipv6_on ();
  if (ret == 0)
    {
      vty_out (vty, "Can't turn on IPv6 forwarding%s", VTY_NEWLINE);
      return CMD_WARNING;
@ -1938,6 +1945,13 @@ DEFUN (no_ipv6_forwarding,
 {
  int ret;
  ret = ipforward_ipv6 ();
  if (ret == 0)
    {
      vty_out (vty, "IP forwarding is already off%s", VTY_NEWLINE);
      return CMD_ERR_NOTHING_TODO;
    }
  ret = ipforward_ipv6_off ();
  if (ret != 0)
    {