Traffic Server
  1. Traffic Server
  2. TS-1687

Solaris has POSIX capabilities, but TPROXY doesn't know of these.

    Details

    • Type: Bug Bug
    • Status: Open
    • Priority: Major Major
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: 5.3.0
    • Component/s: Build, Portability
    • Labels:
      None

      Description

      When compiling ATS for Solaris, enabling the full feature set is impossible because currently the handling of POSIX capabilities (privileges under Solaris) is restricted to Linux:

      checking whether to enable transparent proxy... configure: error: in `/home/i.galic/src/trafficserver':
      configure: error: TPROXY feature requires POSIX capabilities.
      

      Here's the man page documenting privileges(5) - and here's a sample use, in the form of Apache httpd's mod_pvivileges

      Further man relevant man pages: getpriv(2), setppriv(2) getpflags(2), setpflags(2)

      As well as the "highlevel API" (convinience wrappers) such as priv_set(3C)

        Activity

        Hide
        Igor Galić added a comment -

        Since 9.0 Capsicum provides a fine-grained privileges framework for FreeBSD.
        cap_enter(2) and cap_new(2) document the main calls we need to implement a these calls for FreeBSD.

        Show
        Igor Galić added a comment - Since 9.0 Capsicum provides a fine-grained privileges framework for FreeBSD. cap_enter(2) and cap_new(2) document the main calls we need to implement a these calls for FreeBSD.
        Hide
        Igor Galić added a comment -

        Sorry, just ignore anything I ever said about FreeBSD.

        # include <sys/capability.h>
        # include <stdio.h>
        # include <stdlib.h>
        # include <sys/procdesc.h>
        # include <string.h>
        # include <errno.h>
        
        int main (int argc, char *argv[])
        {
          int pfd, pid, cap_fd, status;
        
          pid = pdfork(&pfd, 0);
          if (pid < 0) { 
            fprintf(stderr, "failed to pdfork: (%d): %s\n", errno, strerror(errno));
            exit(EXIT_FAILURE);
          }
          if (pid > 0) {
            cap_fd = cap_new(pfd, CAP_ACCEPT|CAP_CONNECT|CAP_BIND|CAP_LISTEN);
            if (cap_fd < 0) {
              fprintf(stderr, "failed to drop privileges: (%d): %s\n", errno, strerror(errno));
              exit(EXIT_FAILURE);
            }
          }
          status = cap_enter();
          if (status < 0) {
            fprintf(stderr, "failed to enter sandbox: (%d): %s\n", errno, strerror(errno));
            exit(EXIT_FAILURE);
          }
          return 0;
        }
        

        Result:

        igalic@daemonix ~/src/cap % ./daemon
        failed to pdfork: (78): Function not implemented
        
        Show
        Igor Galić added a comment - Sorry, just ignore anything I ever said about FreeBSD. # include <sys/capability.h> # include <stdio.h> # include <stdlib.h> # include <sys/procdesc.h> # include <string.h> # include <errno.h> int main ( int argc, char *argv[]) { int pfd, pid, cap_fd, status; pid = pdfork(&pfd, 0); if (pid < 0) { fprintf(stderr, "failed to pdfork: (%d): %s\n" , errno, strerror(errno)); exit(EXIT_FAILURE); } if (pid > 0) { cap_fd = cap_new(pfd, CAP_ACCEPT|CAP_CONNECT|CAP_BIND|CAP_LISTEN); if (cap_fd < 0) { fprintf(stderr, "failed to drop privileges: (%d): %s\n" , errno, strerror(errno)); exit(EXIT_FAILURE); } } status = cap_enter(); if (status < 0) { fprintf(stderr, "failed to enter sandbox: (%d): %s\n" , errno, strerror(errno)); exit(EXIT_FAILURE); } return 0; } Result: igalic@daemonix ~/src/cap % ./daemon failed to pdfork: (78): Function not implemented
        Hide
        James Peach added a comment -

        Moving out to sometime until someone with an interest in Solaris volunteers to do this.

        Show
        James Peach added a comment - Moving out to sometime until someone with an interest in Solaris volunteers to do this.

          People

          • Assignee:
            Unassigned
            Reporter:
            Igor Galić
          • Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

            • Created:
              Updated:

              Development