[Git][NTPsec/ntpsec][master] 2 commits: Address GitLab issue #70: waf should die if...
Eric S. Raymond
gitlab at mg.gitlab.com
Wed Jul 6 11:52:30 UTC 2016
Eric S. Raymond pushed to branch master at NTPsec / ntpsec
Commits:
4b82ee92 by Eric S. Raymond at 2016-07-06T06:59:07-04:00
Address GitLab issue #70: waf should die if...
...it can't find sys/capability.h on linux.
I've turned this into a more general check and moved it to
runtime. This gives operators the ability to recover by leaving off
the -u and -i options.
- - - - -
26148470 by Eric S. Raymond at 2016-07-06T07:51:56-04:00
Minor documentation typo fixes.
- - - - -
4 changed files:
- NEWS
- docs/index.txt
- ntpd/ntp_sandbox.c
- ntpd/ntpd.c
Changes:
=====================================
NEWS
=====================================
--- a/NEWS
+++ b/NEWS
@@ -59,8 +59,8 @@ NTP Classic:
(Credit: Matt Street et. al. of Cisco ASIG)
[Bug 3008] (CVE-2016-2519) ctl_getitem() return value not always checked
(Credit: Yihan Lian of the Qihoo 360 cloud security team)
-[Bug 2978] (CVE-2016-1548) Interleave-pivot (Credit: Miroslav Lichvar of
- RedHat and Jonathan Gardner of Cisco ASIG)
+[Bug 2978] (CVE-2016-1548) Interleave-pivot
+ (Credit: Miroslav Lichvar of RedHat and Jonathan Gardner of Cisco ASIG)
The following non-security fixes have been
forward-ported from Classic:
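Review bot: in the re-wrapped credit line for [Bug 2978], "RedHat" should read "Red Hat", and the context line at the top of the hunk still has "et. al." where "et al." is meant. Both are worth correcting while this block of credits is being touched.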
=====================================
docs/index.txt
=====================================
--- a/docs/index.txt
+++ b/docs/index.txt
@@ -142,7 +142,7 @@ few will be user-visible.
namespace. Also, +ntp-keygen+ is now +{ntpkeygen}+, +ntp-wait+
is {ntpwait}, and +update-leap+ is now +{ntpleapfetch}+.
-* A new utility, {ntpfrob}, collects several small diagnostic functions
+* A new utility, +{ntpfrob}+, collects several small diagnostic functions
for reading and tweaking the local clock hardware, including reading
the clock tick rate, precision, and jitter. Part of it formerly
traveled as +tickadj+.
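Review bot: the context line just above the change still reads "+ntp-wait+ is {ntpwait}", without the +...+ markup this hunk adds around {ntpfrob} and which {ntpkeygen} and {ntpleapfetch} already carry. Give {ntpwait} the same markup in this commit, and use "is now" there so the three renames read in parallel.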
=====================================
ntpd/ntp_sandbox.c
=====================================
--- a/ntpd/ntp_sandbox.c
+++ b/ntpd/ntp_sandbox.c
@@ -58,10 +58,16 @@ bool sandbox(const bool droproot,
UNUSED_ARG(want_dynamic_interface_tracking);
#endif /* HAVE_LINUX_CAPABILITY */
bool nonroot = false;
+#if !defined(HAVE_LINUX_CAPABILITY) && !defined(HAVE_SOLARIS_PRIVS)
+ if (droproot) {
+ msyslog(LOG_ERR,
+ "root can't be dropped due to missing capabilities.");
+ exit(-1);
+ }
+#endif /* !defined(HAVE_LINUX_CAPABILITY) && !defined(HAVE_SOLARIS_PRIVS) */
# ifdef ENABLE_DROPROOT
if (droproot) {
/* Drop super-user privileges and chroot now if the OS supports this */
-
# ifdef HAVE_LINUX_CAPABILITY
/* set flag: keep privileges across setuid() call. */
if (prctl( PR_SET_KEEPCAPS, 1L, 0L, 0L, 0L ) == -1) {
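Review bot: the new msyslog() text, "root can't be dropped due to missing capabilities.", does not tell the operator how to recover, although the commit message gives that as the reason for moving the check to runtime (leave off -u and -i); name those options in the message. The guard also fires when HAVE_SOLARIS_PRIVS is absent, so "capabilities" is Linux wording for a more general condition. exit(-1) reaches the parent as status 255; exit(1) or EXIT_FAILURE is the clearer convention. The check tests only droproot and sits outside the # ifdef ENABLE_DROPROOT block, so please confirm that a chroot requested with -i alone also sets droproot; otherwise that path is not covered.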
=====================================
ntpd/ntpd.c
=====================================
--- a/ntpd/ntpd.c
+++ b/ntpd/ntpd.c
@@ -942,7 +942,7 @@ ntpdmain(
intercept_getconfig(explicit_config);
/*
- * ntpd's working set is never going to be larege relative to memory
+ * ntpd's working set is never going to be large relative to memory
* availability on modern machines. Do what chrony does and indulge it;
* we get some latency improvement that way.
*/
View it on GitLab: https://gitlab.com/NTPsec/ntpsec/compare/af329dabe17c77340f75079c5d39a0221e373030...26148470017816b7830bedcc0b49a9d24a24e493