Index: include/sockd.h =================================================================== RCS file: /share/inferno/src/socks/include/sockd.h,v retrieving revision 1.485 retrieving revision 1.487 diff -u -u -r1.485 -r1.487 --- include/sockd.h 23 Jun 2011 08:28:54 -0000 1.485 +++ include/sockd.h 24 Jun 2011 11:41:16 -0000 1.487 @@ -705,7 +705,7 @@ #if HAVE_PRIVILEGES typedef struct { - unsigned char noprivs; /* no privilege-switching possible? */ + unsigned char haveprivs; /* is privilege-switching possible? */ priv_set_t *unprivileged; priv_set_t *privileged; } privileges_t; @@ -1763,7 +1763,7 @@ void init_privs(void); /* - * Initializes the basic and permitted privilege set on. + * Initializes things based on configured userid/privilege settings. */ void Index: sockd/iface.c =================================================================== RCS file: /share/inferno/src/socks/sockd/iface.c,v retrieving revision 1.11 retrieving revision 1.12 diff -u -u -r1.11 -r1.12 --- sockd/iface.c 13 Jun 2011 08:35:14 -0000 1.11 +++ sockd/iface.c 24 Jun 2011 11:36:47 -0000 1.12 @@ -116,7 +116,7 @@ function, ifname); #if HAVE_SOLARIS_PRIVS - if (sockscf.privileges.noprivs) + if (!sockscf.privileges.haveprivs) swarnx("%s: parsing ifconfig output for interface %s failed. " "Retrieving the hardware address requires the elevated " "privileges on Solaris. Please make sure %s is started " Index: sockd/privileges.c =================================================================== RCS file: /share/inferno/src/socks/sockd/privileges.c,v retrieving revision 1.24 retrieving revision 1.25 diff -u -u -r1.24 -r1.25 --- sockd/privileges.c 13 Jun 2011 08:35:14 -0000 1.24 +++ sockd/privileges.c 24 Jun 2011 11:39:58 -0000 1.25 @@ -44,9 +44,9 @@ #include "common.h" static const char rcsid[] = -"$Id: privileges.c,v 1.24 2011/06/13 08:35:14 michaels Exp $"; +"$Id: privileges.c,v 1.24 2011/06/13 08:35:14 michaels Exp $"; -static privilege_t lastprivelege; +static privilege_t lastprivelege = SOCKD_PRIV_NOTSET; void init_privs(void) @@ -93,7 +93,7 @@ */ if (priv_delset(privset, PRIV_PROC_EXEC) != 0) { swarn("%s: can't remove %s privilege", function, PRIV_PROC_EXEC); - sockscf.privileges.noprivs = 1; + return; } #endif @@ -106,7 +106,7 @@ for (i = 0; i < ELEMENTS(extra_privs); ++i) if (priv_addset(privset, extra_privs[i]) != 0) { swarn("%s: can't add %s privilege", function, extra_privs[i]); - sockscf.privileges.noprivs = 1; + return; } else slog(LOG_DEBUG, "%s: added privilege %s to the privileged set", @@ -116,33 +116,31 @@ priv_copyset(privset, sockscf.privileges.privileged); priv_freeset(privset); - if (setppriv(PRIV_SET, PRIV_PERMITTED, sockscf.privileges.privileged) == -1){ + if (setppriv(PRIV_SET, PRIV_PERMITTED, sockscf.privileges.privileged) + == -1) { swarn("%s: can't set PRIV_PERMITTED privileged", function); - sockscf.privileges.noprivs = 1; + return; } /* this is what we'll be running with normally. */ if (setppriv(PRIV_SET, PRIV_EFFECTIVE, sockscf.privileges.unprivileged) == -1) { swarn("%s: can't set PRIV_EFFECTIVE to unprivileged", function); - sockscf.privileges.noprivs = 1; + return; } /* applied upon exec only. Only relevant for libwrap, or pam too? */ if (setppriv(PRIV_SET, PRIV_INHERITABLE, sockscf.privileges.unprivileged) == -1) { swarn("%s: can't set PRIV_INHERITABLE to unprivileged", function); - sockscf.privileges.noprivs = 1; + return; } setreuid(getuid(), getuid()); setregid(getgid(), getgid()); - if (sockscf.privileges.noprivs) - swarnx("%s: disabling privilege switching due to errors", function); - else - slog(LOG_DEBUG, "%s: privileges relinquished successfully", function); - + slog(LOG_DEBUG, "%s: privileges relinquished successfully", function); + sockscf.privileges.haveprivs = 1; #else /* !HAVE_SOLARIS_PRIVS */ if (socks_seteuid(NULL, sockscf.uid.unprivileged) != 0) @@ -153,8 +151,6 @@ function, (unsigned)sockscf.uid.unprivileged); #endif /* !HAVE_SOLARIS_PRIVS */ - - lastprivelege = SOCKD_PRIV_NOTSET; } void @@ -171,7 +167,7 @@ #endif /* !HAVE_SOLARIS_PRIVS */ #if HAVE_SOLARIS_PRIVS - if (sockscf.privileges.noprivs) + if (!sockscf.privileges.haveprivs) return; if (lastprivset == NULL) Index: sockd/sockd_child.c =================================================================== RCS file: /share/inferno/src/socks/sockd/sockd_child.c,v retrieving revision 1.276 retrieving revision 1.277 diff -u -u -r1.276 -r1.277 --- sockd/sockd_child.c 19 Jun 2011 14:33:57 -0000 1.276 +++ sockd/sockd_child.c 24 Jun 2011 11:36:47 -0000 1.277 @@ -320,7 +320,7 @@ #if HAVE_PRIVILEGES /* don't need this privilege any more, permanently loose it. */ - if (!sockscf.privileges.noprivs) { + if (sockscf.privileges.haveprivs) { priv_delset(sockscf.privileges.privileged, PRIV_FILE_DAC_WRITE); if (setppriv(PRIV_SET, PRIV_PERMITTED, sockscf.privileges.privileged) != 0) @@ -361,7 +361,7 @@ #if HAVE_PRIVILEGES /* doesn't need this privilege so permanently loose it. */ - if (!sockscf.privileges.noprivs) { + if (sockscf.privileges.haveprivs) { priv_delset(sockscf.privileges.privileged, PRIV_NET_PRIVADDR); if (setppriv(PRIV_SET, PRIV_PERMITTED, sockscf.privileges.privileged) != 0) Index: sockd/sockd_io.c =================================================================== RCS file: /share/inferno/src/socks/sockd/sockd_io.c,v retrieving revision 1.670 retrieving revision 1.671 diff -u -u -r1.670 -r1.671 --- sockd/sockd_io.c 23 Jun 2011 08:28:54 -0000 1.670 +++ sockd/sockd_io.c 24 Jun 2011 11:36:48 -0000 1.671 @@ -487,7 +487,7 @@ #if HAVE_PRIVILEGES /* don't need this privilege any more, permanently loose it. */ - if (!sockscf.privileges.noprivs) { + if (sockscf.privileges.haveprivs) { priv_delset(sockscf.privileges.privileged, PRIV_NET_ICMPACCESS); if (setppriv(PRIV_SET, PRIV_PERMITTED, sockscf.privileges.privileged) != 0)