author | David Carlier <devnexen@gmail.com> | 2019-07-12 14:26:19 +0000 |
---|---|---|
committer | dormando <dormando@rydia.net> | 2019-09-28 00:31:29 -0700 |
commit | 480fc665c3505336c37afb242e3412c75b3ac30c (patch) | |
tree | 25783fd1f225aaa68329ee1e241482732734424b /freebsd_priv.c | |
parent | d3f15bb439cb5ab520438b40abaa7600cb39736b (diff) | |
download | memcached-480fc665c3505336c37afb242e3412c75b3ac30c.tar.gz |
drop privileges, FreeBSD.
Expand on sandboxing support, assuming memcached
does not support end of life versions (available
since FreeBSD 10.x ~2014).
Diffstat (limited to 'freebsd_priv.c')
-rw-r--r-- | freebsd_priv.c | 27 |
1 files changed, 27 insertions, 0 deletions
diff --git a/freebsd_priv.c b/freebsd_priv.c
index f252682..5d9fa57 100644
--- a/freebsd_priv.c
+++ b/freebsd_priv.c
@@ -11,6 +11,33 @@
 * in FreeBSD vocabulary.
 */
 void drop_privileges() {
+ cap_rights_t wd, rd;
+
+ if (cap_rights_init(&wd, CAP_WRITE, CAP_READ) == NULL) {
+ fprintf(stderr, "cap_rights_init write protection failed: %s\n", strerror(errno));
+ exit(EXIT_FAILURE);
+ }
+
+ if (cap_rights_init(&rd, CAP_FCNTL, CAP_READ, CAP_EVENT) == NULL) {
+ fprintf(stderr, "cap_rights_init read protection failed: %s\n", strerror(errno));
+ exit(EXIT_FAILURE);
+ }
+
+ if (cap_rights_limit(STDIN_FILENO, &rd) != 0) {
+ fprintf(stderr, "cap_rights_limit stdin failed: %s\n", strerror(errno));
+ exit(EXIT_FAILURE);
+ }
+
+ if (cap_rights_limit(STDOUT_FILENO, &wd) != 0) {
+ fprintf(stderr, "cap_rights_limit stdout failed: %s\n", strerror(errno));
+ exit(EXIT_FAILURE);
+ }
+
+ if (cap_rights_limit(STDERR_FILENO, &wd) != 0) {
+ fprintf(stderr, "cap_rights_limit stderr failed: %s\n", strerror(errno));
+ exit(EXIT_FAILURE);
+ }
+
 if (cap_enter() != 0) {
 fprintf(stderr, "cap_enter failed: %s\n", strerror(errno));
 exit(EXIT_FAILURE); |
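Review bot: The `wd` rights set applied to stdout and stderr is initialised with both `CAP_WRITE` and `CAP_READ`, which is broader than a write-only descriptor needs. Unless something in the server reads from those descriptors, `if (cap_rights_init(&wd, CAP_WRITE) == NULL) {` would be the least-privilege form and would match the "write protection" wording of its error message. Separately, each `cap_rights_limit()` failure is fatal, so a process started with one of descriptors 0-2 already closed would presumably exit here with EBADF. If that start-up mode is supported, the checks should tolerate it, e.g. `if (cap_rights_limit(STDIN_FILENO, &rd) != 0 && errno != EBADF) {`. Only the three standard descriptors are limited in this hunk, and the body of drop_privileges() continues past it, so a short comment stating that other descriptors opened before this call keep their existing rights after `cap_enter()` would help the next reader.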