diff options
Diffstat (limited to 'recipes/gnupg/gnupg-1.4.2.2/16_min_privileges.patch')
| -rw-r--r-- | recipes/gnupg/gnupg-1.4.2.2/16_min_privileges.patch | 68 |
1 files changed, 0 insertions, 68 deletions
diff --git a/recipes/gnupg/gnupg-1.4.2.2/16_min_privileges.patch b/recipes/gnupg/gnupg-1.4.2.2/16_min_privileges.patch deleted file mode 100644 index b29233b33b..0000000000 --- a/recipes/gnupg/gnupg-1.4.2.2/16_min_privileges.patch +++ /dev/null @@ -1,68 +0,0 @@ ---- gnupg-1.4.0/g10/g10.c 2004-12-16 09:47:36.000000000 +0000 -+++ /tmp/dpep.O5S02c/gnupg-1.4.0/g10/g10.c 2005-02-03 23:31:40.645873299 +0000 -@@ -69,6 +69,11 @@ - #endif - - -+#ifdef USE_CAPABILITIES -+#include <sys/capability.h> -+#include <sys/prctl.h> -+#endif -+ - enum cmd_and_opt_values - { - aNull = 0, -@@ -1618,6 +1623,10 @@ - #ifdef USE_SHM_COPROCESSING - ulong requested_shm_size=0; - #endif -+#ifdef USE_CAPABILITIES -+ uid_t curr_uid; -+ cap_t caps; -+#endif - - #ifdef __riscos__ - opt.lock_once = 1; -@@ -1629,6 +1638,33 @@ - * when adding any stuff between here and the call to - * secmem_init() somewhere after the option parsing - */ -+ -+ /* if we use capabilities and run as root, we can immediately setuid back -+ * to the normal user and only keep CAP_IPC_LOCK until the shared memory is -+ * set up. -+ */ -+#ifdef USE_CAPABILITIES -+ curr_uid = getuid(); -+ if( curr_uid && !geteuid() ) { /* we are setuid root */ -+ if( prctl( PR_SET_KEEPCAPS, 1, 0, 0, 0 ) ) { -+ perror( "main(): could not keep capabilities" ); -+ return -100; -+ } -+ -+ if( setuid( curr_uid ) ) { -+ perror( "main(): could not set user id" ); -+ return -100; -+ } -+ -+ caps = cap_from_text( "cap_ipc_lock=p" ); -+ if( cap_set_proc( caps ) ) { -+ perror( "main(): could not install capabilities" ); -+ return -100; -+ } -+ cap_free( caps ); -+ } -+#endif -+ - log_set_name("gpg"); - secure_random_alloc(); /* put random number into secure memory */ - may_coredump = disable_core_dumps(); -@@ -1747,7 +1783,7 @@ - } - #endif - /* initialize the secure memory. */ -- got_secmem=secmem_init( 32768 ); -+ got_secmem=secmem_init( 32768 ); /* this will drop all remaining privileges */ - maybe_setuid = 0; - /* Okay, we are now working under our real uid */ - |