Date: Sat, 14 May 2011 16:55:24 +0000 (UTC) From: Pawel Jakub Dawidek <pjd@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r221898 - head/sbin/hastd Message-ID: <201105141655.p4EGtO34009498@svn.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: pjd Date: Sat May 14 16:55:24 2011 New Revision: 221898 URL: http://svn.freebsd.org/changeset/base/221898 Log: When using capsicum to sanbox, still use other methods first, just in case one of them have some problems. Modified: head/sbin/hastd/subr.c Modified: head/sbin/hastd/subr.c ============================================================================== --- head/sbin/hastd/subr.c Sat May 14 15:24:15 2011 (r221897) +++ head/sbin/hastd/subr.c Sat May 14 16:55:24 2011 (r221898) @@ -153,15 +153,7 @@ drop_privs(bool usecapsicum) uid_t ruid, euid, suid; gid_t rgid, egid, sgid; gid_t gidset[1]; - - if (usecapsicum) { - if (cap_enter() == 0) { - pjdlog_debug(1, - "Privileges successfully dropped using capsicum."); - return (0); - } - pjdlog_errno(LOG_WARNING, "Unable to sandbox using capsicum"); - } + bool capsicum; /* * According to getpwnam(3) we have to clear errno before calling the @@ -205,6 +197,16 @@ drop_privs(bool usecapsicum) return (-1); } + capsicum = false; + if (usecapsicum) { + if (cap_enter() == 0) { + capsicum = true; + } else { + pjdlog_errno(LOG_WARNING, + "Unable to sandbox using capsicum"); + } + } + /* * Better be sure that everything succeeded. */ @@ -221,7 +223,8 @@ drop_privs(bool usecapsicum) PJDLOG_VERIFY(gidset[0] == pw->pw_gid); pjdlog_debug(1, - "Privileges successfully dropped using chroot+setgid+setuid."); + "Privileges successfully dropped using %schroot+setgid+setuid.", + capsicum ? "capsicum+" : ""); return (0); }
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201105141655.p4EGtO34009498>