author | David CARLIER <devnexen@gmail.com> | 2021-02-21 17:52:52 +0000 |
---|---|---|
committer | dormando <dormando@rydia.net> | 2022-08-25 20:35:04 -0700 |
commit | 8f478cdaf50c1467fc2191ac1c3a8e85ec2efcff (patch) | |
tree | 5197b5a3ffec2625e8417d3b95f8b08a9b5ada5b | |
parent | ed110bb0db938810d8fdb9d4e4b2fef9ab0bf5ac (diff) | |
download | memcached-8f478cdaf50c1467fc2191ac1c3a8e85ec2efcff.tar.gz |
MacOS drop privileges support
-rw-r--r-- | Makefile.am | 4 | ||||
-rw-r--r-- | configure.ac | 10 | ||||
-rw-r--r-- | darwin_priv.c | 28 |
3 files changed, 42 insertions, 0 deletions
diff --git a/Makefile.am b/Makefile.am
index 049ba5f..2910b46 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -47,6 +47,10 @@ if BUILD_FREEBSD_PRIVS memcached_SOURCES += freebsd_priv.c endif
+if BUILD_DARWIN_PRIVS
+memcached_SOURCES += darwin_priv.c
+endif
+
 if ENABLE_SASL memcached_SOURCES += sasl_defs.c endif
diff --git a/configure.ac b/configure.ac
index 34a457b..ba162cb 100644
--- a/configure.ac
+++ b/configure.ac
@@ -803,11 +803,21 @@ AC_CHECK_FUNCS(cap_enter, [ ], []) ],[])
+AC_CHECK_FUNCS(sandbox_init, [
+ AC_CHECK_HEADER(sandbox.h, [
+ AC_DEFINE([HAVE_DROP_PRIVILEGES], 1,
+ [Define this if you have an implementation of drop_privileges()])
+ build_darwin_privs=yes
+ ], [])
+],[])
+
+
 AM_CONDITIONAL([BUILD_SOLARIS_PRIVS],[test "$build_solaris_privs" = "yes"]) AM_CONDITIONAL([BUILD_LINUX_PRIVS],[test "$build_linux_privs" = "yes"]) AM_CONDITIONAL([BUILD_OPENBSD_PRIVS],[test "$build_openbsd_privs" = "yes"]) AM_CONDITIONAL([BUILD_FREEBSD_PRIVS],[test "$build_freebsd_privs" = "yes"])
+AM_CONDITIONAL([BUILD_DARWIN_PRIVS],[test "$build_darwin_privs" = "yes"])
 AC_ARG_ENABLE(docs, [AS_HELP_STRING([--disable-docs],[Disable documentation generation])])
diff --git a/darwin_priv.c b/darwin_priv.c
new file mode 100644
index 0000000..411b5fa
--- /dev/null
+++ b/darwin_priv.c
@@ -0,0 +1,28 @@
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+#include <sandbox.h>
+#include "memcached.h"
+
+#pragma clang diagnostic push
+#pragma clang diagnostic ignored "-Wdeprecated-declarations"
+/*
+ * the sandbox api is marked deprecated, however still used
+ * by couple of major softwares/libraries like openssh
+ */
+void drop_privileges() {
+ extern char *__progname;
+ char *error = NULL;
+
+ if (sandbox_init(kSBXProfileNoInternet, SANDBOX_NAMED, &error) < 0) {
+ fprintf(stderr, "%s: sandbox_init: %s\n", __progname, error);
+ sandbox_free_error(error);
+ exit(EXIT_FAILURE);
+ }
+}
+
+#pragma clang diagnostic pop
+
+void setup_privilege_violations_handler(void) {
+ // not needed
+}
|
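Review bot: The comment above `drop_privileges()` justifies using the deprecated API but never says what the sandbox confines, so a reader may assume the same coverage as the other platform backends. `kSBXProfileNoInternet` is the named profile that prohibits TCP/IP networking only; file-system writes and process execution remain allowed after the call, and the comment should say so, e.g. `/* confines TCP/IP networking only; file writes and exec stay unrestricted */`. Because memcached is itself a TCP server, the comment should also record how this interacts with its own listeners (presumably they must already be bound when this runs; the call site is outside this commit, so confirm). In the failure branch `error` is passed to `%s` even if `sandbox_init` returned without filling it in; `error ? error : "unknown error"` avoids formatting a NULL pointer. As a style point, `void drop_privileges()` should be `void drop_privileges(void)` to match `setup_privilege_violations_handler(void)` in the same file.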