39 #ifdef HAVE_SYS_PRCTL_H
40 #include <sys/prctl.h>
/*
 * Excerpt of the main-thread privilege drop. The gutter numbers jump, so the
 * statements between these lines (including the capability lists passed to
 * capng_updatev) are not shown.
 */
/* Start from an empty libcap-ng state: CAPNG_SELECT_BOTH covers the
 * capability sets and the bounding set. */
56 capng_clear(CAPNG_SELECT_BOTH);
/* Two capng_updatev() calls re-add capabilities to the effective and permitted
 * sets. Which capabilities they name, and the condition that selects each call,
 * is cut off in this excerpt. */
62 capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED,
70 capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED,
/* Switch to userid/groupid while keeping the capabilities selected above.
 * CAPNG_DROP_SUPP_GRP also drops the supplementary groups and
 * CAPNG_CLEAR_BOUNDING clears the bounding set, so nothing outside the
 * selected set can be regained later. A negative return means the switch
 * failed; the failure handling is not visible here. */
79 if (capng_change_id(userid, groupid, CAPNG_DROP_SUPP_GRP |
80 CAPNG_CLEAR_BOUNDING) < 0)
/* NOTE(review): lines 81-85 are not shown; confirm this message is only
 * reached when capng_change_id() succeeded. */
86 SCLogInfo(
"dropped the caps for main thread");
/*
 * Excerpt of the per-thread capability setup. The gutter numbers jump, so the
 * control flow that selects among the capng_update() calls is not shown.
 */
/* Clear the capability sets and the bounding set, then push the empty state
 * to the kernel, so the thread holds nothing unless a case below adds it. */
92 capng_clear(CAPNG_SELECT_BOTH);
93 capng_apply(CAPNG_SELECT_BOTH);
/* Each pair below adds one capability to the effective and permitted sets and
 * applies it.
 * NOTE(review): the return values of capng_update() and capng_apply() are
 * discarded on every visible line, including the clearing apply at line 93.
 * If an apply fails, the thread keeps running with a capability set other than
 * the intended one and nothing is logged; consider checking the result and
 * failing closed. */
95 capng_update(CAPNG_ADD, (capng_type_t) (CAPNG_EFFECTIVE | CAPNG_PERMITTED), CAP_IPC_LOCK);
96 capng_apply(CAPNG_SELECT_CAPS);
100 capng_update(CAPNG_ADD, (capng_type_t) (CAPNG_EFFECTIVE | CAPNG_PERMITTED), CAP_NET_ADMIN);
101 capng_apply(CAPNG_SELECT_CAPS);
105 capng_update(CAPNG_ADD, (capng_type_t) (CAPNG_EFFECTIVE | CAPNG_PERMITTED), CAP_NET_BIND_SERVICE);
106 capng_apply(CAPNG_SELECT_CAPS);
/* This message is emitted without looking at the capng_apply() result above,
 * so it reports the request rather than a confirmed kernel state. */
107 SCLogDebug(
"For thread \"%s\" CAP_NET_BIND_SERVICE has been set",
tv->
name);
110 capng_update(CAPNG_ADD, (capng_type_t) (CAPNG_EFFECTIVE | CAPNG_PERMITTED), CAP_NET_BROADCAST);
111 capng_apply(CAPNG_SELECT_CAPS);
115 capng_update(CAPNG_ADD, (capng_type_t) (CAPNG_EFFECTIVE | CAPNG_PERMITTED), CAP_NET_RAW);
116 capng_apply(CAPNG_SELECT_CAPS);
/* NOTE(review): CAP_SYS_ADMIN covers a very wide range of privileged
 * operations; a thread granted it gains little from the drop. Confirm which
 * threads request it and whether a narrower capability would do. */
120 capng_update(CAPNG_ADD, (capng_type_t) (CAPNG_EFFECTIVE | CAPNG_PERMITTED), CAP_SYS_ADMIN);
121 capng_apply(CAPNG_SELECT_CAPS);
125 capng_update(CAPNG_ADD, (capng_type_t) (CAPNG_EFFECTIVE | CAPNG_PERMITTED), CAP_SYS_RAWIO);
126 capng_apply(CAPNG_SELECT_CAPS);
/**
 * Resolve the run-as user, given as a name or a numeric id, and an optional
 * group into numeric ids.
 *
 * Only part of the body is visible (the gutter numbers jump). The stores
 * through uid and gid are outside this excerpt; presumably they receive the
 * resolved values -- confirm against the full file.
 *
 * user_name   user name or numeric id string; NULL or empty is fatal
 * group_name  group name or numeric id string; NULL selects the user's
 *             primary group from the passwd entry
 */
143 void SCGetUserID(
const char *user_name,
const char *group_name, uint32_t *uid, uint32_t *gid)
146 uint32_t groupid = 0;
/* A missing user is a hard failure rather than a fallback to the current uid. */
149 if (user_name == NULL || strlen(user_name) == 0) {
150 FatalError(
"no user name was provided - ensure it is specified either in the configuration "
151 "file (run-as.user) or in command-line arguments (--user)");
/* Only the first character decides between the numeric and the name path.
 * The cast to unsigned char keeps isdigit() defined for bytes >= 0x80.
 * NOTE(review): the numeric parse itself is not shown; the error below
 * suggests the whole string is validated -- confirm that trailing non-digits
 * are rejected. */
155 if (isdigit((
unsigned char)user_name[0]) != 0) {
157 FatalError(
"invalid user id value: '%s'", user_name);
/* getpwuid()/getpwnam() return a pointer into static storage; pw is read
 * again at line 190. The NULL check presumably sits with the
 * "check if user exist!!" messages -- confirm. */
159 pw = getpwuid(userid);
162 "check if user exist!!");
165 pw = getpwnam(user_name);
168 "check if user exist!!");
/* An explicit group overrides the user's primary group. */
174 if (group_name != NULL) {
/* NOTE(review): no group-database lookup is visible on the numeric path;
 * confirm whether a gid with no group entry is accepted as-is. */
177 if (isdigit((
unsigned char)group_name[0]) != 0) {
179 FatalError(
"invalid group id: '%s'", group_name);
182 gp = getgrnam(group_name);
185 " ID, check if group exist!!");
187 groupid = gp->gr_gid;
/* No group given: fall back to the primary gid from the passwd entry. */
190 groupid = pw->pw_gid;
/*
 * Excerpt of a group-resolution routine whose signature is outside this view;
 * the gutter numbers jump, so intermediate statements are not shown.
 */
/* A missing group is a hard failure here; no default is substituted. */
215 if (group_name == NULL || strlen(group_name) == 0) {
216 FatalError(
"no group name was provided - ensure it is specified either in the "
217 "configuration file (run-as.group) or in command-line arguments (--group)");
/* Only the first character decides between the numeric and the name path.
 * The cast to unsigned char keeps isdigit() defined for bytes >= 0x80.
 * NOTE(review): the numeric parse is not shown; confirm the whole string is
 * validated and not just its leading digit. */
221 if (isdigit((
unsigned char)group_name[0]) != 0) {
223 FatalError(
"invalid group id: '%s'", group_name);
/* Name path: look the group up in the group database. The NULL check
 * presumably sits with the "check if group exist!!" message -- confirm. */
226 gp = getgrnam(group_name);
229 " check if group exist!!");
/* OpenBSD pledge(2): restrict the process to the listed promise groups from
 * here on. The NULL second argument leaves the exec promises unchanged.
 * NOTE(review): the list still includes the file-creation and attribute
 * promises (wpath, cpath, fattr) and bpf; confirm each is needed after
 * startup so the set stays as small as possible. */
243 int ret = pledge(
"stdio rpath wpath cpath fattr unix dns bpf", NULL);
/* Part of an error message that reports ret and errno; the surrounding check
 * and call are not shown in this excerpt. */
247 " check permissions!! ret=%i errno=%i",