[Pkg-privacy-commits] [torsocks] 22/38: Detect capabilities in torsocks wrapper

Intrigeri intrigeri at moszumanska.debian.org
Thu Jun 23 15:18:24 UTC 2016


This is an automated email from the git hooks/post-receive script.

intrigeri pushed a commit to branch experimental/master
in repository torsocks.

commit d03ab856ed770a8a7f925648f3ebd23f3e7e46c8
Author: Shawn Landden <shawn at churchofgit.com>
Date:   Wed Dec 2 02:24:29 2015 -0800

    Detect capabilities in torsocks wrapper
    
    In addition to trying to detect them in the torsocks library, we also check
    for capabilities in the torsocks wrapper.
    
    Signed-off-by: Shawn Landden <shawn at churchofgit.com>
    Signed-off-by: David Goulet <dgoulet at ev0ke.net>
---
 src/bin/torsocks.in | 23 +++++++++++++++++++----
 1 file changed, 19 insertions(+), 4 deletions(-)

diff --git a/src/bin/torsocks.in b/src/bin/torsocks.in
index 2a459b3..5102fdc 100644
--- a/src/bin/torsocks.in
+++ b/src/bin/torsocks.in
@@ -96,21 +96,36 @@ tor_shell ()
 torify_app ()
 {
 	local app_path=`which $1`
-
-	# NEVER remove that line or else nothing it torified.
-	set_ld_preload
+	local getcap=`PATH="$PATH:/usr/sbin:/sbin" which getcap`
+	local caps=
 
 	if [ -z $1 ]; then
 		echo "Please provide an application to torify." >&2
 	elif [ -z $app_path ]; then
 		echo "ERROR: $1 cannot be found." >&2
 		exit 1
-	elif [ -u $app_path ]; then
+	fi
+
+	# This must be before torifying because getcap uses cap_get_file(3)
+	# via syscall(2) which breaks torsocks.
+	if [ -n $getcap ]; then
+		caps=`$getcap $app_path`
+	fi
+
+	# NEVER remove that line or else nothing it torified.
+	set_ld_preload
+
+	if [ -u $app_path ]; then
 		echo "ERROR: $1 is setuid. torsocks will not work on a setuid executable." >&2
 		exit 1
 	elif [ -g $app_path ]; then
 		echo "ERROR: $1 is setgid. torsocks will not work on a setgid executable." >&2
 		exit 1
+	elif [ -n "$caps" ]; then
+		echo "ERROR: $1 gains the following elevated capabilities. torsocks will \
+not work with privledged executables.
+$caps" >&2
+		exit 1
 	fi
 
 	exec "$@"
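Review bot: The new guard `[ -n $getcap ]` is unquoted, so when `which getcap` finds nothing it collapses to `[ -n ]`, which is true, and the command substitution that follows expands to just `$app_path`; the target program is then run with no arguments before `set_ld_preload`, i.e. outside torsocks. Quote both expansions: `if [ -n "$getcap" ]; then` and `caps=$("$getcap" "$app_path")`. The first `if` now closes with `fi` and has no `exit` in the empty-argument branch, so a call with no application falls through to the unquoted `[ -u $app_path ]` test, which is also true for an empty value and reports a misleading setuid error; adding `exit 1` after the "Please provide an application" message would avoid that. torify_app's closing brace lies outside the hunk.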

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-privacy/packages/torsocks.git


