diff options
author | Yves-Alexis Perez <corsac@debian.org> | 2018-09-24 15:11:14 +0200 |
---|---|---|
committer | Yves-Alexis Perez <corsac@debian.org> | 2018-09-24 15:11:14 +0200 |
commit | e0e280b7669435b991b7e457abd8aa450930b3e8 (patch) | |
tree | 3e6084f13b14ad2df104e2ce6e589eb96c5f7ac9 /src/libstrongswan/networking | |
parent | 51a71ee15c1bcf0e82f363a16898f571e211f9c3 (diff) | |
download | vyos-strongswan-e0e280b7669435b991b7e457abd8aa450930b3e8.tar.gz vyos-strongswan-e0e280b7669435b991b7e457abd8aa450930b3e8.zip |
New upstream version 5.7.0
Diffstat (limited to 'src/libstrongswan/networking')
-rw-r--r-- | src/libstrongswan/networking/streams/stream_service_unix.c | 26 |
1 files changed, 20 insertions, 6 deletions
diff --git a/src/libstrongswan/networking/streams/stream_service_unix.c b/src/libstrongswan/networking/streams/stream_service_unix.c index a9b71d6fd..ef967e817 100644 --- a/src/libstrongswan/networking/streams/stream_service_unix.c +++ b/src/libstrongswan/networking/streams/stream_service_unix.c @@ -59,13 +59,27 @@ stream_service_t *stream_service_create_unix(char *uri, int backlog) return NULL; } umask(old); - /* only attempt to chown() socket if we have CAP_CHOWN */ - if (lib->caps->check(lib->caps, CAP_CHOWN) && - chown(addr.sun_path, lib->caps->get_uid(lib->caps), - lib->caps->get_gid(lib->caps)) != 0) + /* Only attempt to change owner of socket if we have CAP_CHOWN. Otherwise, + * attempt to change group of socket to group under which charon runs after + * dropping caps. This requires the user that charon starts as to: + * a) Have write access to the socket dir. + * b) Belong to the group that charon will run under after dropping caps. */ + if (lib->caps->check(lib->caps, CAP_CHOWN)) { - DBG1(DBG_NET, "changing socket permissions for '%s' failed: %s", - uri, strerror(errno)); + if (chown(addr.sun_path, lib->caps->get_uid(lib->caps), + lib->caps->get_gid(lib->caps)) != 0) + { + DBG1(DBG_NET, "changing socket owner/group for '%s' failed: %s", + uri, strerror(errno)); + } + } + else + { + if (chown(addr.sun_path, -1, lib->caps->get_gid(lib->caps)) != 0) + { + DBG1(DBG_NET, "changing socket group for '%s' failed: %s", + uri, strerror(errno)); + } } if (listen(fd, backlog) < 0) { |