[Libreoffice-commits] online.git: 2 commits - loolwsd/Capabilities.hpp loolwsd/debian loolwsd/LOOLKit.cpp loolwsd/loolwsd.spec.in loolwsd/Makefile.am
Tor Lillqvist
tml at collabora.com
Mon Feb 29 10:22:11 UTC 2016
loolwsd/Capabilities.hpp | 6 +++++-
loolwsd/LOOLKit.cpp | 19 +++++++++++++++++++
loolwsd/Makefile.am | 4 ++--
loolwsd/debian/loolwsd.postinst | 4 ++--
loolwsd/loolwsd.spec.in | 4 ++--
5 files changed, 30 insertions(+), 7 deletions(-)
New commits:
commit 509314d5598b68fa9a449a1a7348b10f25b7014a
Author: Tor Lillqvist <tml at collabora.com>
Date: Mon Feb 29 12:15:18 2016 +0200
Also chown the random devices to root:root and chmod to 666
Otherwise they won't work. Not that I know whether this helps
anything, really. At least the NSS crypto initialization still takes a
long time.
diff --git a/loolwsd/LOOLKit.cpp b/loolwsd/LOOLKit.cpp
index 3aaec05..969bfdb 100644
--- a/loolwsd/LOOLKit.cpp
+++ b/loolwsd/LOOLKit.cpp
@@ -876,12 +876,30 @@ void lokit_main(const std::string& childRoot,
Log::error("Error: mknod(" + jailPath.toString() + "/dev/random) failed.");
}
+ if (chmod((jailPath.toString() + "/dev/random").c_str(), 0666) != 0)
+ {
+ Log::error("Error: chmod(" + jailPath.toString() + "/dev/random, 0666) failed.");
+
+ }
+ if (chown((jailPath.toString() + "/dev/random").c_str(), 0, 0) != 0)
+ {
+ Log::error("Error: chown(" + jailPath.toString() + "/dev/random, 0, 0) failed.");
+
+ }
if (mknod((jailPath.toString() + "/dev/urandom").c_str(),
S_IFCHR | S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH | S_IWOTH,
makedev(1, 9)) != 0)
{
Log::error("Error: mknod(" + jailPath.toString() + "/dev/urandom) failed.");
}
+ if (chmod((jailPath.toString() + "/dev/urandom").c_str(), 0666) != 0)
+ {
+ Log::error("Error: chmod(" + jailPath.toString() + "/dev/urandom, 0666) failed.");
+ }
+ if (chown((jailPath.toString() + "/dev/urandom").c_str(), 0, 0) != 0)
+ {
+ Log::error("Error: chown(" + jailPath.toString() + "/dev/urandom, 0, 0) failed.");
+ }
#endif
Log::info("chroot(\"" + jailPath.toString() + "\")");
@@ -900,6 +918,7 @@ void lokit_main(const std::string& childRoot,
#ifdef __linux
dropCapability(CAP_SYS_CHROOT);
dropCapability(CAP_MKNOD);
+ dropCapability(CAP_CHOWN);
dropCapability(CAP_FOWNER);
#else
dropCapability();
diff --git a/loolwsd/Makefile.am b/loolwsd/Makefile.am
index ec507b7..a8674de 100644
--- a/loolwsd/Makefile.am
+++ b/loolwsd/Makefile.am
@@ -46,8 +46,8 @@ all-local: loolwsd loolbroker
if test "$$BUILDING_FROM_RPMBUILD" != yes; then \
if test `uname -s` = Linux; then \
sudo @SETCAP@ cap_fowner,cap_mknod,cap_sys_chroot=ep loolwsd; \
- sudo @SETCAP@ cap_fowner,cap_mknod,cap_sys_chroot=ep loolbroker; \
- sudo @SETCAP@ cap_fowner,cap_mknod,cap_sys_chroot=ep loolkit; \
+ sudo @SETCAP@ cap_fowner,cap_mknod,cap_chown,cap_sys_chroot=ep loolbroker; \
+ sudo @SETCAP@ cap_fowner,cap_mknod,cap_chown,cap_sys_chroot=ep loolkit; \
else \
sudo chown root loolwsd && sudo chmod u+s loolwsd; \
sudo chown root loolbroker && sudo chmod u+s loolbroker; \
diff --git a/loolwsd/debian/loolwsd.postinst b/loolwsd/debian/loolwsd.postinst
index 6025356..ae4bb9e 100755
--- a/loolwsd/debian/loolwsd.postinst
+++ b/loolwsd/debian/loolwsd.postinst
@@ -5,8 +5,8 @@ set -e
case "$1" in
configure)
setcap cap_fowner,cap_mknod,cap_sys_chroot=ep /usr/bin/loolwsd || true
- setcap cap_fowner,cap_mknod,cap_sys_chroot=ep /usr/bin/loolkit || true
- setcap cap_fowner,cap_mknod,cap_sys_chroot=ep /usr/bin/loolbroker || true
+ setcap cap_fowner,cap_mknod,cap_chown,cap_sys_chroot=ep /usr/bin/loolkit || true
+ setcap cap_fowner,cap_mknod,cap_chown,cap_sys_chroot=ep /usr/bin/loolbroker || true
adduser --quiet --system --group --home /opt/lool lool
mkdir -p /var/cache/loolwsd && chown lool: /var/cache/loolwsd
diff --git a/loolwsd/loolwsd.spec.in b/loolwsd/loolwsd.spec.in
index bae8447..c2dce99 100644
--- a/loolwsd/loolwsd.spec.in
+++ b/loolwsd/loolwsd.spec.in
@@ -70,8 +70,8 @@ echo "0 0 */1 * * root find /var/cache/loolwsd -name \"*.png\" -a -atime +10 -ex
%post
setcap cap_fowner,cap_mknod,cap_sys_chroot=ep /usr/bin/loolwsd
-setcap cap_fowner,cap_mknod,cap_sys_chroot=ep /usr/bin/loolbroker
-setcap cap_fowner,cap_mknod,cap_sys_chroot=ep /usr/bin/loolkit
+setcap cap_fowner,cap_mknod,cap_chown,cap_sys_chroot=ep /usr/bin/loolbroker
+setcap cap_fowner,cap_mknod,cap_chown,cap_sys_chroot=ep /usr/bin/loolkit
getent group %{group} >/dev/null || groupadd -r %{group}
getent passwd %{owner} >/dev/null || useradd -g %{group} -r %{owner}
commit d489f693726bfa6b0bcc9c258e54b267221af0d4
Author: Tor Lillqvist <tml at collabora.com>
Date: Mon Feb 29 12:12:18 2016 +0200
Log also capabilities before dropping
diff --git a/loolwsd/Capabilities.hpp b/loolwsd/Capabilities.hpp
index cb7e300..6c59c21 100644
--- a/loolwsd/Capabilities.hpp
+++ b/loolwsd/Capabilities.hpp
@@ -41,6 +41,10 @@ void dropCapability(
exit(1);
}
+ char *capText = cap_to_text(caps, nullptr);
+ Log::info("Capabilities first: " + std::string(capText));
+ cap_free(capText);
+
if (cap_set_flag(caps, CAP_EFFECTIVE, sizeof(cap_list)/sizeof(cap_list[0]), cap_list, CAP_CLEAR) == -1 ||
cap_set_flag(caps, CAP_PERMITTED, sizeof(cap_list)/sizeof(cap_list[0]), cap_list, CAP_CLEAR) == -1)
{
@@ -54,7 +58,7 @@ void dropCapability(
exit(1);
}
- char *capText = cap_to_text(caps, nullptr);
+ capText = cap_to_text(caps, nullptr);
Log::info("Capabilities now: " + std::string(capText));
cap_free(capText);
More information about the Libreoffice-commits
mailing list