* Fixed lowering privileges in proc ipforward method.

* Fixed "(no) ipv6 forwarding" command logic.
* Added --disable-capabilities switch to configure.

diff --git a/ChangeLog b/ChangeLog
index 143df370e2cceee5d1f8f8b91c8c09bc51a56c62..36c421f43c00a9cd217d8dbe56316f1f12982c02 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2004-04-06 Hasso Tepper <hasso@estpak.ee>
+       
+       * zebra/ipforward_proc.c: Fixed lowering privileges.
+       * zebra/zserv.c: Fixed "(no) ipv6 forwarding" command logic.
+       * configure.ac: Added --disable-capabilities switch to configure.
+
 2004-03-22 Hasso Tepper <hasso@estpak.ee>
 
        * Readded SIGTERM handling so daemons can clean up their stuff if they

diff --git a/configure.ac b/configure.ac
index 5f304db666aaf8c43ab00c286111c2eeaf8398d1..b55685ae578bb93c52fad82a9080bd295c600e9b 100755 (executable)
--- a/configure.ac
+++ b/configure.ac
@@ -124,6 +124,8 @@ AC_ARG_ENABLE(logfile_mask,
 
 AC_ARG_ENABLE(rtadv,
 [  --disable-rtadv         disable IPV6 router advertisement feature])
+AC_ARG_ENABLE(capabilities,
+[  --disable-capabilities        disable using POSIX capabilities])
 
 if test "${enable_broken_aliases}" = "yes"; then
   if test "${enable_netlink}" = "yes"
@@ -970,22 +972,24 @@ AC_TRY_COMPILE([#include <sys/resource.h>
 dnl -------------------
 dnl capabilities checks
 dnl -------------------
-AC_MSG_CHECKING(whether prctl PR_SET_KEEPCAPS is available)
-AC_TRY_COMPILE([#include <sys/prctl.h>],[prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0);],
-  [AC_MSG_RESULT(yes)
-   AC_DEFINE(HAVE_PR_SET_KEEPCAPS,,prctl)
-   quagga_ac_keepcaps="yes"],
-   AC_MSG_RESULT(no)
-)
-if test x"${quagga_ac_keepcaps}" = x"yes"; then
-  AC_CHECK_HEADERS(sys/capability.h)
-fi
-if test x"${ac_cv_header_sys_capability_h}" = x"yes"; then
-  AC_CHECK_LIB(cap, cap_init, 
-    [AC_DEFINE(HAVE_LCAPS,1,Capabilities)
-     LIBCAP="-lcap"
-    ]
+if test "${enable_capabilities}" != "no"; then
+  AC_MSG_CHECKING(whether prctl PR_SET_KEEPCAPS is available)
+  AC_TRY_COMPILE([#include <sys/prctl.h>],[prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0);],
+    [AC_MSG_RESULT(yes)
+     AC_DEFINE(HAVE_PR_SET_KEEPCAPS,,prctl)
+     quagga_ac_keepcaps="yes"],
+     AC_MSG_RESULT(no)
   )
+  if test x"${quagga_ac_keepcaps}" = x"yes"; then
+    AC_CHECK_HEADERS(sys/capability.h)
+  fi
+  if test x"${ac_cv_header_sys_capability_h}" = x"yes"; then
+    AC_CHECK_LIB(cap, cap_init, 
+      [AC_DEFINE(HAVE_LCAPS,1,Capabilities)
+       LIBCAP="-lcap"
+      ]
+    )
+  fi
 fi
 AC_SUBST(LIBCAP)
 

diff --git a/zebra/ipforward_proc.c b/zebra/ipforward_proc.c
index befa2369ecbe290fb6efdf4328d9fc7bebdaa554..4c30cf678b0ef26e71013be047efe79363c3df3a 100644 (file)
--- a/zebra/ipforward_proc.c
+++ b/zebra/ipforward_proc.c
@@ -81,16 +81,19 @@ ipforward_on ()
 
   fp = fopen (proc_ipv4_forwarding, "w");
 
-  if ( zserv_privs.change(ZPRIVS_LOWER) )
-       zlog_err ("Can't lower privileges, %s", strerror (errno));
-    
-  if (fp == NULL)
+  if (fp == NULL) {
+    if ( zserv_privs.change(ZPRIVS_LOWER) )
+      zlog_err ("Can't lower privileges, %s", strerror (errno));
     return -1;
+  }
 
   fprintf (fp, "1\n");
 
   fclose (fp);
 
+  if ( zserv_privs.change(ZPRIVS_LOWER) )
+    zlog_err ("Can't lower privileges, %s", strerror (errno));
+
   return ipforward ();
 }
 
@@ -104,17 +107,19 @@ ipforward_off ()
 
   fp = fopen (proc_ipv4_forwarding, "w");
 
-  if ( zserv_privs.change(ZPRIVS_LOWER) )
-       zlog_err ("Can't lower privileges, %s", strerror (errno));
-
-  
-  if (fp == NULL)
+  if (fp == NULL) {
+    if ( zserv_privs.change(ZPRIVS_LOWER) )
+      zlog_err ("Can't lower privileges, %s", strerror (errno));
     return -1;
+  }
 
   fprintf (fp, "0\n");
 
   fclose (fp);
 
+  if ( zserv_privs.change(ZPRIVS_LOWER) )
+    zlog_err ("Can't lower privileges, %s", strerror (errno));
+
   return ipforward ();
 }
 #ifdef HAVE_IPV6
@@ -149,16 +154,19 @@ ipforward_ipv6_on ()
 
   fp = fopen (proc_ipv6_forwarding, "w");
 
-  if ( zserv_privs.change(ZPRIVS_LOWER) )
-       zlog_err ("Can't lower privileges, %s", strerror (errno));
-  
-  if (fp == NULL)
+  if (fp == NULL) {
+    if ( zserv_privs.change(ZPRIVS_LOWER) )
+      zlog_err ("Can't lower privileges, %s", strerror (errno));
     return -1;
+  }
 
   fprintf (fp, "1\n");
 
   fclose (fp);
 
+  if ( zserv_privs.change(ZPRIVS_LOWER) )
+    zlog_err ("Can't lower privileges, %s", strerror (errno));
+
   return ipforward_ipv6 ();
 }
 
@@ -172,16 +180,19 @@ ipforward_ipv6_off ()
 
   fp = fopen (proc_ipv6_forwarding, "w");
 
-  if ( zserv_privs.change(ZPRIVS_LOWER) )
-       zlog_err ("Can't lower privileges, %s", strerror (errno));
-  
-  if (fp == NULL)
+  if (fp == NULL) {
+    if ( zserv_privs.change(ZPRIVS_LOWER) )
+      zlog_err ("Can't lower privileges, %s", strerror (errno));
     return -1;
+  }
 
   fprintf (fp, "0\n");
 
   fclose (fp);
 
+  if ( zserv_privs.change(ZPRIVS_LOWER) )
+    zlog_err ("Can't lower privileges, %s", strerror (errno));
+
   return ipforward_ipv6 ();
 }
 #endif /* HAVE_IPV6 */

diff --git a/zebra/zserv.c b/zebra/zserv.c
index 833b369dc57815703285d202ed806588658293b8..c623151ea62ba9271c9efd0eb338ae3f53f8accc 100644 (file)
--- a/zebra/zserv.c
+++ b/zebra/zserv.c
@@ -1919,8 +1919,15 @@ DEFUN (ipv6_forwarding,
 {
   int ret;
 
-  ret = ipforward_ipv6_on ();
+  ret = ipforward_ipv6 ();
   if (ret != 0)
+    {
+      vty_out (vty, "IPv6 forwarding is already on%s", VTY_NEWLINE);
+      return CMD_ERR_NOTHING_TODO;
+    }
+
+  ret = ipforward_ipv6_on ();
+  if (ret == 0)
     {
       vty_out (vty, "Can't turn on IPv6 forwarding%s", VTY_NEWLINE);
       return CMD_WARNING;
@@ -1938,6 +1945,13 @@ DEFUN (no_ipv6_forwarding,
 {
   int ret;
 
+  ret = ipforward_ipv6 ();
+  if (ret == 0)
+    {
+      vty_out (vty, "IP forwarding is already off%s", VTY_NEWLINE);
+      return CMD_ERR_NOTHING_TODO;
+    }
+
   ret = ipforward_ipv6_off ();
   if (ret != 0)
     {