39 #ifdef HAVE_SYS_PRCTL_H
40 #include <sys/prctl.h>
60 capng_clear(CAPNG_SELECT_BOTH);
66 capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED,
73 capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED,
74 CAP_NET_ADMIN, CAP_NET_RAW, CAP_SYS_NICE,
79 capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED,
86 if (capng_change_id(userid, groupid, CAPNG_DROP_SUPP_GRP |
87 CAPNG_CLEAR_BOUNDING) < 0)
93 SCLogInfo(
"dropped the caps for main thread");
99 capng_clear(CAPNG_SELECT_BOTH);
100 capng_apply(CAPNG_SELECT_BOTH);
102 capng_update(CAPNG_ADD, (capng_type_t) (CAPNG_EFFECTIVE | CAPNG_PERMITTED), CAP_IPC_LOCK);
103 capng_apply(CAPNG_SELECT_CAPS);
107 capng_update(CAPNG_ADD, (capng_type_t) (CAPNG_EFFECTIVE | CAPNG_PERMITTED), CAP_NET_ADMIN);
108 capng_apply(CAPNG_SELECT_CAPS);
112 capng_update(CAPNG_ADD, (capng_type_t) (CAPNG_EFFECTIVE | CAPNG_PERMITTED), CAP_NET_BIND_SERVICE);
113 capng_apply(CAPNG_SELECT_CAPS);
114 SCLogDebug(
"For thread \"%s\" CAP_NET_BIND_SERVICE has been set",
tv->
name);
117 capng_update(CAPNG_ADD, (capng_type_t) (CAPNG_EFFECTIVE | CAPNG_PERMITTED), CAP_NET_BROADCAST);
118 capng_apply(CAPNG_SELECT_CAPS);
122 capng_update(CAPNG_ADD, (capng_type_t) (CAPNG_EFFECTIVE | CAPNG_PERMITTED), CAP_NET_RAW);
123 capng_apply(CAPNG_SELECT_CAPS);
127 capng_update(CAPNG_ADD, (capng_type_t) (CAPNG_EFFECTIVE | CAPNG_PERMITTED), CAP_SYS_ADMIN);
128 capng_apply(CAPNG_SELECT_CAPS);
132 capng_update(CAPNG_ADD, (capng_type_t) (CAPNG_EFFECTIVE | CAPNG_PERMITTED), CAP_SYS_RAWIO);
133 capng_apply(CAPNG_SELECT_CAPS);
150 void SCGetUserID(
const char *user_name,
const char *group_name, uint32_t *uid, uint32_t *gid)
153 uint32_t groupid = 0;
156 if (user_name == NULL || strlen(user_name) == 0) {
157 FatalError(
"no user name was provided - ensure it is specified either in the configuration "
158 "file (run-as.user) or in command-line arguments (--user)");
162 if (isdigit((
unsigned char)user_name[0]) != 0) {
164 FatalError(
"invalid user id value: '%s'", user_name);
166 pw = getpwuid(userid);
169 "check if user exist!!");
172 pw = getpwnam(user_name);
175 "check if user exist!!");
181 if (group_name != NULL) {
184 if (isdigit((
unsigned char)group_name[0]) != 0) {
186 FatalError(
"invalid group id: '%s'", group_name);
189 gp = getgrnam(group_name);
192 " ID, check if group exist!!");
194 groupid = gp->gr_gid;
197 groupid = pw->pw_gid;
222 if (group_name == NULL || strlen(group_name) == 0) {
223 FatalError(
"no group name was provided - ensure it is specified either in the "
224 "configuration file (run-as.group) or in command-line arguments (--group)");
228 if (isdigit((
unsigned char)group_name[0]) != 0) {
230 FatalError(
"invalid group id: '%s'", group_name);
233 gp = getgrnam(group_name);
236 " check if group exist!!");
250 int ret = pledge(
"stdio rpath wpath cpath fattr unix dns bpf", NULL);
254 " check permissions!! ret=%i errno=%i",