[Libreoffice-commits] online.git: 2 commits - loolwsd/Capabilities.hpp loolwsd/debian loolwsd/LOOLKit.cpp loolwsd/loolwsd.spec.in loolwsd/Makefile.am

Tor Lillqvist tml at collabora.com
Mon Feb 29 10:22:11 UTC 2016 

 loolwsd/Capabilities.hpp        |    6 +++++-
 loolwsd/LOOLKit.cpp             |   19 +++++++++++++++++++
 loolwsd/Makefile.am             |    4 ++--
 loolwsd/debian/loolwsd.postinst |    4 ++--
 loolwsd/loolwsd.spec.in         |    4 ++--
 5 files changed, 30 insertions(+), 7 deletions(-)

New commits:
commit 509314d5598b68fa9a449a1a7348b10f25b7014a
Author: Tor Lillqvist <tml at collabora.com>
Date:   Mon Feb 29 12:15:18 2016 +0200

    Also chown the random devices to root:root and chmod to 666
    
    Otherwise they won't work. Not that I know whether this helps
    anything, really. At least the NSS crypto initialization still takes a
    long time.

diff --git a/loolwsd/LOOLKit.cpp b/loolwsd/LOOLKit.cpp
index 3aaec05..969bfdb 100644
--- a/loolwsd/LOOLKit.cpp
+++ b/loolwsd/LOOLKit.cpp
@@ -876,12 +876,30 @@ void lokit_main(const std::string& childRoot,
             Log::error("Error: mknod(" + jailPath.toString() + "/dev/random) failed.");
 
         }
+        if (chmod((jailPath.toString() + "/dev/random").c_str(), 0666) != 0)
+        {
+            Log::error("Error: chmod(" + jailPath.toString() + "/dev/random, 0666) failed.");
+
+        }
+        if (chown((jailPath.toString() + "/dev/random").c_str(), 0, 0) != 0)
+        {
+            Log::error("Error: chown(" + jailPath.toString() + "/dev/random, 0, 0) failed.");
+
+        }
         if (mknod((jailPath.toString() + "/dev/urandom").c_str(),
                   S_IFCHR | S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH | S_IWOTH,
                   makedev(1, 9)) != 0)
         {
             Log::error("Error: mknod(" + jailPath.toString() + "/dev/urandom) failed.");
         }
+        if (chmod((jailPath.toString() + "/dev/urandom").c_str(), 0666) != 0)
+        {
+            Log::error("Error: chmod(" + jailPath.toString() + "/dev/urandom, 0666) failed.");
+        }
+        if (chown((jailPath.toString() + "/dev/urandom").c_str(), 0, 0) != 0)
+        {
+            Log::error("Error: chown(" + jailPath.toString() + "/dev/urandom, 0, 0) failed.");
+        }
 #endif
 
         Log::info("chroot(\"" + jailPath.toString() + "\")");
@@ -900,6 +918,7 @@ void lokit_main(const std::string& childRoot,
 #ifdef __linux
         dropCapability(CAP_SYS_CHROOT);
         dropCapability(CAP_MKNOD);
+        dropCapability(CAP_CHOWN);
         dropCapability(CAP_FOWNER);
 #else
         dropCapability();
diff --git a/loolwsd/Makefile.am b/loolwsd/Makefile.am
index ec507b7..a8674de 100644
--- a/loolwsd/Makefile.am
+++ b/loolwsd/Makefile.am
@@ -46,8 +46,8 @@ all-local: loolwsd loolbroker
 	if test "$$BUILDING_FROM_RPMBUILD" != yes; then \
 	    if test `uname -s` = Linux; then \
 		sudo @SETCAP@ cap_fowner,cap_mknod,cap_sys_chroot=ep loolwsd; \
-		sudo @SETCAP@ cap_fowner,cap_mknod,cap_sys_chroot=ep loolbroker; \
-		sudo @SETCAP@ cap_fowner,cap_mknod,cap_sys_chroot=ep loolkit; \
+		sudo @SETCAP@ cap_fowner,cap_mknod,cap_chown,cap_sys_chroot=ep loolbroker; \
+		sudo @SETCAP@ cap_fowner,cap_mknod,cap_chown,cap_sys_chroot=ep loolkit; \
 	    else \
 		sudo chown root loolwsd && sudo chmod u+s loolwsd; \
 		sudo chown root loolbroker && sudo chmod u+s loolbroker; \
diff --git a/loolwsd/debian/loolwsd.postinst b/loolwsd/debian/loolwsd.postinst
index 6025356..ae4bb9e 100755
--- a/loolwsd/debian/loolwsd.postinst
+++ b/loolwsd/debian/loolwsd.postinst
@@ -5,8 +5,8 @@ set -e
 case "$1" in
     configure)
 	setcap cap_fowner,cap_mknod,cap_sys_chroot=ep /usr/bin/loolwsd || true
-	setcap cap_fowner,cap_mknod,cap_sys_chroot=ep /usr/bin/loolkit || true
-	setcap cap_fowner,cap_mknod,cap_sys_chroot=ep /usr/bin/loolbroker || true
+	setcap cap_fowner,cap_mknod,cap_chown,cap_sys_chroot=ep /usr/bin/loolkit || true
+	setcap cap_fowner,cap_mknod,cap_chown,cap_sys_chroot=ep /usr/bin/loolbroker || true
 
 	adduser --quiet --system --group --home /opt/lool lool
 	mkdir -p /var/cache/loolwsd && chown lool: /var/cache/loolwsd
diff --git a/loolwsd/loolwsd.spec.in b/loolwsd/loolwsd.spec.in
index bae8447..c2dce99 100644
--- a/loolwsd/loolwsd.spec.in
+++ b/loolwsd/loolwsd.spec.in
@@ -70,8 +70,8 @@ echo "0 0 */1 * * root find /var/cache/loolwsd -name \"*.png\" -a -atime +10 -ex
 
 %post
 setcap cap_fowner,cap_mknod,cap_sys_chroot=ep /usr/bin/loolwsd
-setcap cap_fowner,cap_mknod,cap_sys_chroot=ep /usr/bin/loolbroker
-setcap cap_fowner,cap_mknod,cap_sys_chroot=ep /usr/bin/loolkit
+setcap cap_fowner,cap_mknod,cap_chown,cap_sys_chroot=ep /usr/bin/loolbroker
+setcap cap_fowner,cap_mknod,cap_chown,cap_sys_chroot=ep /usr/bin/loolkit
 
 getent group %{group} >/dev/null || groupadd -r %{group}
 getent passwd %{owner} >/dev/null || useradd -g %{group} -r %{owner}
commit d489f693726bfa6b0bcc9c258e54b267221af0d4
Author: Tor Lillqvist <tml at collabora.com>
Date:   Mon Feb 29 12:12:18 2016 +0200

    Log also capabilities before dropping

diff --git a/loolwsd/Capabilities.hpp b/loolwsd/Capabilities.hpp
index cb7e300..6c59c21 100644
--- a/loolwsd/Capabilities.hpp
+++ b/loolwsd/Capabilities.hpp
@@ -41,6 +41,10 @@ void dropCapability(
         exit(1);
     }
 
+    char *capText = cap_to_text(caps, nullptr);
+    Log::info("Capabilities first: " + std::string(capText));
+    cap_free(capText);
+
     if (cap_set_flag(caps, CAP_EFFECTIVE, sizeof(cap_list)/sizeof(cap_list[0]), cap_list, CAP_CLEAR) == -1 ||
         cap_set_flag(caps, CAP_PERMITTED, sizeof(cap_list)/sizeof(cap_list[0]), cap_list, CAP_CLEAR) == -1)
     {
@@ -54,7 +58,7 @@ void dropCapability(
         exit(1);
     }
 
-    char *capText = cap_to_text(caps, nullptr);
+    capText = cap_to_text(caps, nullptr);
     Log::info("Capabilities now: " + std::string(capText));
     cap_free(capText);

More information about the Libreoffice-commits mailing list