[ntpsec commit] Fix minor refactoring error when Linux capabilities are present.

Eric S. Raymond esr at ntpsec.org
Tue Oct 20 21:51:06 UTC 2015 

Module:    ntpsec
Branch:    master
Commit:    859f56433409d57dc1ab8165273463952bf4f2cf
Changeset: http://git.ntpsec.org/ntpsec/commit/?id=859f56433409d57dc1ab8165273463952bf4f2cf

Author:    Eric S. Raymond <esr at thyrsus.com>
Date:      Tue Oct 20 17:50:11 2015 -0400

Fix minor refactoring error when Linux capabilities are present.

---

 ntpd/ntp_sandbox.c | 14 +++++++++-----
 ntpd/ntpd.c        |  5 +++--
 2 files changed, 12 insertions(+), 7 deletions(-)

diff --git a/ntpd/ntp_sandbox.c b/ntpd/ntp_sandbox.c
index ec609b0..d66becd 100644
--- a/ntpd/ntp_sandbox.c
+++ b/ntpd/ntp_sandbox.c
@@ -51,7 +51,8 @@ struct passwd *pw;
 
 bool sandbox(const bool droproot,
 	     const char *user, const char *group,
-	     const char *chrootdir)
+	     const char *chrootdir,
+	     bool want_dynamic_interface_tracking)
 {
 	bool nonroot = false;
 # ifdef ENABLE_DROPROOT
@@ -190,14 +191,17 @@ getgroup:
 #  ifdef HAVE_LINUX_CAPABILITY
 		{
 			/*
-			 *  We may be running under non-root uid now, but we still hold full root privileges!
-			 *  We drop all of them, except for the crucial one or two: cap_sys_time and
-			 *  cap_net_bind_service if doing dynamic interface tracking.
+			 *  We may be running under non-root uid now,
+			 *  but we still hold full root privileges!
+			 *  We drop all of them, except for the
+			 *  crucial one or two: cap_sys_time and
+			 *  cap_net_bind_service for doing dynamic
+			 *  interface tracking.
 			 */
 			cap_t caps;
 			char *captext;
 			
-			captext = (0 != interface_interval)
+			captext = want_dynanic_interface_tracking
 				      ? "cap_sys_time,cap_net_bind_service=pe"
 				      : "cap_sys_time=pe";
 			caps = cap_from_text(captext);
diff --git a/ntpd/ntpd.c b/ntpd/ntpd.c
index 4e363e3..3b152c1 100644
--- a/ntpd/ntpd.c
+++ b/ntpd/ntpd.c
@@ -42,7 +42,8 @@
 
 extern bool sandbox(const bool droproot,
 		    const char *user, const char *group,
-		    const char *chrootdir);
+		    const char *chrootdir,
+		    bool want_dynamic_interface_tracking);
 
 #ifdef SIGDANGER
 # include <ulimit.h>
@@ -916,7 +917,7 @@ ntpdmain(
 		msyslog(LOG_WARNING, "-6/--ipv6 ignored, IPv6 networking not found.");
 
 	/* drop root privileges */
-	if (sandbox(droproot, user, group, chrootdir) && interface_interval) {
+	if (sandbox(droproot, user, group, chrootdir, interface_interval!=0) && interface_interval) {
 		interface_interval = 0;
 		msyslog(LOG_INFO, "running as non-root disables dynamic interface tracking");
 	}

More information about the vc mailing list