author | Andrew G. Morgan <morgan@kernel.org> | 2020-04-05 19:31:19 -0700 |
---|---|---|
committer | Andrew G. Morgan <morgan@kernel.org> | 2020-04-05 19:31:19 -0700 |
commit | cbca9abc73acf779a3110baa0d3c66960951b1fa (patch) | |
tree | 1c721f40fcfd9144169798fa5bb7ea15def12e2f /progs | |
parent | ad120c13941d6a88d81f18bac480bfac5d7ff972 (diff) | |
download | libcap2-cbca9abc73acf779a3110baa0d3c66960951b1fa.tar.gz |
Support overriding the preferred shell for capsh.
Either supply --shell=/xx/yy as an argument to capsh, or
use the Make.Rules CAPSH_SHELL override when building.
This is an adaptation of an idea from Rosen Penev.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
Diffstat (limited to 'progs')
-rw-r--r-- | progs/Makefile | 2 | ||||
-rw-r--r-- | progs/capsh.c | 20 |
2 files changed, 15 insertions, 7 deletions
diff --git a/progs/Makefile b/progs/Makefile
index 4c24f16..076e44f 100644
--- a/progs/Makefile
+++ b/progs/Makefile
@@ -23,7 +23,7 @@ $(BUILD): %: %.o $(DEPS)
 $(CC) $(CFLAGS) -o $@ $< $(LIBCAPLIB) $(LDFLAGS)
 %.o: %.c $(INCS)
- $(CC) $(IPATH) $(CFLAGS) -c $< -o $@
+ $(CC) $(IPATH) $(CAPSH_SHELL) $(CFLAGS) -c $< -o $@
 install: all
 mkdir -p -m 0755 $(FAKEROOT)$(SBINDIR)
diff --git a/progs/capsh.c b/progs/capsh.c
index 1ebd0bf..3ffd56d 100644
--- a/progs/capsh.c
+++ b/progs/capsh.c
@@ -1,9 +1,9 @@
 /*
 * Copyright (c) 2008-11,16,19,2020 Andrew G. Morgan <morgan@kernel.org>
 *
- * This is a simple 'bash' wrapper program that can be used to
- * raise and lower both the bset and pI capabilities before invoking
- * /bin/bash (hardcoded right now).
+ * This is a simple 'bash' (-DSHELL) wrapper program that can be used
+ * to raise and lower both the bset and pI capabilities before
+ * invoking /bin/bash.
 *
 * The --print option can be used as a quick test whether various
 * capability manipulations work as expected (or not).
@@ -25,6 +25,10 @@
 #include <sys/wait.h>
 #include <unistd.h>
+#ifndef SHELL
+#define SHELL "/bin/bash"
+#endif /* ndef SHELL */
+
 #define MAX_GROUPS 100 /* max number of supplementary groups for user */
 static char *binary(unsigned long value)
@@ -322,6 +326,7 @@ int main(int argc, char *argv[], char *envp[])
 {
 pid_t child;
 unsigned i;
+ const char *shell = SHELL;
 child = 0;
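Review bot: The rewritten header comment in the `@@ -1,9 +1,9 @@` hunk of progs/capsh.c still ends with `invoking /bin/bash`, and `(-DSHELL)` is attached to the word 'bash' without saying what it overrides. Since the commit message describes both a build-time and a run-time override, the last comment line could read ` * invoking a shell: /bin/bash by default, overridable with -DSHELL="..." at build time or --shell= at run time.` An accurate statement here helps anyone auditing which program capsh will exec after it has adjusted capabilities.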
@@ -775,11 +780,13 @@ int main(int argc, char *argv[], char *envp[])
 } else if (!strcmp("--print", argv[i])) {
 arg_print();
 } else if ((!strcmp("--", argv[i])) || (!strcmp("==", argv[i]))) {
- argv[i] = strdup(argv[i][0] == '-' ? "/bin/bash" : argv[0]);
+ argv[i] = strdup(argv[i][0] == '-' ? shell : argv[0]);
 argv[argc] = NULL;
 execve(argv[i], argv+i, envp);
- fprintf(stderr, "execve /bin/bash failed!\n");
+ fprintf(stderr, "execve '%s' failed!\n", shell);
 exit(1);
+ } else if (!strncmp("--shell=", argv[i], 8)) {
+ shell = argv[i]+8;
 } else if (!strncmp("--has-p=", argv[i], 8)) {
 cap_value_t cap;
 cap_flag_value_t enabled;
@@ -887,8 +894,9 @@ int main(int argc, char *argv[], char *envp[])
 " --inmode=<xxx> exit 1 if current mode is not <xxx>\n"
 " --killit=<n> send signal(n) to child\n"
 " --forkfor=<n> fork and make child sleep for <n> sec\n"
+ " --shell=/xx/yy use /xx/yy instead of " SHELL " for --\n"
 " == re-exec(capsh) with args as for --\n"
- " -- remaing arguments are for /bin/bash\n"
+ " -- remaing arguments are for " SHELL "\n"
 " (without -- [%s] will simply exit(0))\n",
 argv[0], argv[0]); |
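Review bot: The failure message in the `--`/`==` branch (hunk `@@ -775,11 +780,13 @@`) prints `shell`, but for `==` the path handed to execve() is `argv[0]`, so the diagnostic can name a program that was never tried; `fprintf(stderr, "execve '%s' failed!\n", argv[i]);` reports the path actually used. The `strdup()` result is still passed to execve() without a NULL check. `--shell=` stores `argv[i]+8` unvalidated and only affects a `--` that appears later on the command line, so an empty or relative value reaches execve() as given; a wrapper or sudoers rule that forwards caller-supplied arguments to capsh should treat `--shell=` as selecting the program that runs with whatever capabilities remain. main() starts and ends outside this hunk.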
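Review bot: In the usage hunk (`@@ -887,8 +894,9 @@`) `SHELL` is pasted into what appears to be a printf-style format string (it ends with `[%s]` and two `argv[0]` arguments), so a build-time path containing `%` would be parsed as a conversion; keeping the format constant, e.g. `" --shell=/xx/yy use /xx/yy instead of %s for --\n"` with `SHELL` passed as an argument, avoids that. The `--` line also always shows the compiled-in default even when `--shell=` was given, and the help does not say that `--shell=` must come before `--`. The touched `--` line keeps the typo `remaing` (remaining). The call begins above the hunk, so the matching argument-list change is only partly visible here.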