[gnome-keyring] If we're using linux capabilities then use setcap instead of setuid.



commit b9d69a5751c421cca2bee9bab78c1067e1d1acac
Author: Stef Walter <stefw collabora co uk>
Date:   Wed Mar 16 15:26:44 2011 +0100

    If we're using linux capabilities then use setcap instead of setuid.
    
    Only use setuid when not using linux capabilities. Run this on
    install when we are using caps:
    
    setcap cap_ipc_lock=ep $(DESTDIR)$(bindir)/gnome-keyring-daemon

 configure.in       |    4 +++-
 daemon/Makefile.am |   12 ++++++++++--
 2 files changed, 13 insertions(+), 3 deletions(-)
---
diff --git a/configure.in b/configure.in
index a5a434d..c000ed9 100644
--- a/configure.in
+++ b/configure.in
@@ -445,13 +445,15 @@ fi
 
 AC_CHECK_LIB([cap-ng], [capng_clear], have_libcapng="yes", have_libcapng="no")
 
-if test $have_libcapng = yes; then
+if test "$have_libcapng" = "yes"; then
    AC_DEFINE(HAVE_LIBCAPNG, 1, [Have libcap-ng package, libcap-ng library])
    DAEMON_LIBS="$DAEMON_LIBS -lcap-ng"
 else
+   have_lipcapng="no"
    AC_MSG_WARN([libcap-ng (or development headers) is not installed])
 fi
 
+AM_CONDITIONAL(WITH_CAPS, test "$have_libcapng" = "yes")
 libcapng_status=$have_libcapng
 
 # --------------------------------------------------------------------
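Review bot: The added `have_lipcapng="no"` in the else branch misspells the variable (`lipcapng` instead of `libcapng`), so it sets an unused shell variable and has no effect on `AM_CONDITIONAL(WITH_CAPS, ...)` or `libcapng_status`. The `AC_CHECK_LIB` call above already assigns `have_libcapng="no"` when the library is missing, so either drop the line or spell it `have_libcapng="no"`. Separately, WITH_CAPS is keyed only on the libcap-ng library being found, while the install hook it enables in daemon/Makefile.am runs the `setcap` program, and nothing visible in this hunk checks that the tool exists. A check such as `AC_PATH_PROG([SETCAP], [setcap], [no])` feeding the conditional would stop configure from selecting a path that cannot apply the capability.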
diff --git a/daemon/Makefile.am b/daemon/Makefile.am
index a6db20f..7ecfe24 100644
--- a/daemon/Makefile.am
+++ b/daemon/Makefile.am
@@ -79,13 +79,21 @@ CLEANFILES = \
 	$(service_DATA) \
 	$(desktop_DATA)
 
+if WITH_CAPS
+
+# Set the relevant capabilities on the daemon
+install-exec-hook:
+	setcap cap_ipc_lock=ep $(DESTDIR)$(bindir)/gnome-keyring-daemon || true
+
+else # without caps
+
 # The daemon is installed as setuid so as to obtain specialized
 # capabilities, then immediately drops permissions. In other words,
 # it does *not* run as setuid.
-# If installing as non-root, chown+chmod will not succeed but
-# the build will continue.
 install-exec-hook:
 	chown root $(DESTDIR)$(bindir)/gnome-keyring-daemon || true
 	chmod u+s $(DESTDIR)$(bindir)/gnome-keyring-daemon || true
 
+endif # without caps
+
 @INTLTOOL_DESKTOP_RULE@
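Review bot: In the WITH_CAPS branch, `setcap ... || true` hides every failure, and this branch has no setuid fallback, so a failed setcap (non-root install, missing tool, filesystem without file-capability support) leaves gnome-keyring-daemon with neither cap_ipc_lock nor setuid root and nothing in the install output says so. Keep the install non-fatal but report the failure, e.g. `setcap cap_ipc_lock=ep "$(DESTDIR)$(bindir)/gnome-keyring-daemon" || echo "warning: setcap failed; gnome-keyring-daemon installed without cap_ipc_lock" >&2`. The commit also removes the comment that explained `|| true` while keeping `|| true` in both branches; restore it in each, e.g. `# If installing as non-root this will not succeed, but the install continues.` For staged installs through DESTDIR, the capability is stored in file metadata that packaging may not carry over (not verifiable from this hunk), so a comment telling packagers to re-apply it at install time would help.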


