Traffic Server
  1. Traffic Server
  2. TS-1687

Solaris has POSIX capabilities, but TPROXY doesn't know of these.

    Details

    • Type: Bug Bug
    • Status: Open
    • Priority: Major Major
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: 5.3.0
    • Component/s: Build, Portability
    • Labels:
      None

      Description

      When compiling ATS for Solaris, enabling the full feature set is impossible because currently the handling of POSIX capabilities (privileges under Solaris) is restricted to Linux:

      checking whether to enable transparent proxy... configure: error: in `/home/i.galic/src/trafficserver':
      configure: error: TPROXY feature requires POSIX capabilities.
      

      Here's the man page documenting privileges(5) - and here's a sample use, in the form of Apache httpd's mod_pvivileges

      Further man relevant man pages: getpriv(2), setppriv(2) getpflags(2), setpflags(2)

      As well as the "highlevel API" (convinience wrappers) such as priv_set(3C)

        Activity

        Igor Galić created issue -
        Igor Galić made changes -
        Field Original Value New Value
        Description When compiling ATS for Solaris, enabling the full feature set is impossible because currently the handling of POSIX capabilities (privileges under Solaris) is restricted to Linux:

        {noformat}
        checking whether to enable transparent proxy... configure: error: in `/home/i.galic/src/trafficserver':
        configure: error: TPROXY feature requires POSIX capabilities.
        {noformat}
        When compiling ATS for Solaris, enabling the full feature set is impossible because currently the handling of POSIX capabilities (privileges under Solaris) is restricted to Linux:

        {noformat}
        checking whether to enable transparent proxy... configure: error: in `/home/i.galic/src/trafficserver':
        configure: error: TPROXY feature requires POSIX capabilities.
        {noformat}

        Here's the man page documenting [privileges(5)|http://illumos.org/man/5/privileges] - and here's a sample use, in the form of Apache httpd's [mod_pvivileges|https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/arch/unix/mod_privileges.c]

        Further man relevant man pages: [getpriv(2), setppriv(2)|http://illumos.org/man/2/setppriv] [getpflags(2), setpflags(2)|http://illumos.org/man/2/setpflags]

        As well as the "highlevel API" (convinience wrappers) such as [priv_set(3C)|http://illumos.org/man/3C/priv_set]
        Hide
        Igor Galić added a comment -

        Since 9.0 Capsicum provides a fine-grained privileges framework for FreeBSD.
        cap_enter(2) and cap_new(2) document the main calls we need to implement a these calls for FreeBSD.

        Show
        Igor Galić added a comment - Since 9.0 Capsicum provides a fine-grained privileges framework for FreeBSD. cap_enter(2) and cap_new(2) document the main calls we need to implement a these calls for FreeBSD.
        Hide
        Igor Galić added a comment -

        Sorry, just ignore anything I ever said about FreeBSD.

        # include <sys/capability.h>
        # include <stdio.h>
        # include <stdlib.h>
        # include <sys/procdesc.h>
        # include <string.h>
        # include <errno.h>
        
        int main (int argc, char *argv[])
        {
          int pfd, pid, cap_fd, status;
        
          pid = pdfork(&pfd, 0);
          if (pid < 0) { 
            fprintf(stderr, "failed to pdfork: (%d): %s\n", errno, strerror(errno));
            exit(EXIT_FAILURE);
          }
          if (pid > 0) {
            cap_fd = cap_new(pfd, CAP_ACCEPT|CAP_CONNECT|CAP_BIND|CAP_LISTEN);
            if (cap_fd < 0) {
              fprintf(stderr, "failed to drop privileges: (%d): %s\n", errno, strerror(errno));
              exit(EXIT_FAILURE);
            }
          }
          status = cap_enter();
          if (status < 0) {
            fprintf(stderr, "failed to enter sandbox: (%d): %s\n", errno, strerror(errno));
            exit(EXIT_FAILURE);
          }
          return 0;
        }
        

        Result:

        igalic@daemonix ~/src/cap % ./daemon
        failed to pdfork: (78): Function not implemented
        
        Show
        Igor Galić added a comment - Sorry, just ignore anything I ever said about FreeBSD. # include <sys/capability.h> # include <stdio.h> # include <stdlib.h> # include <sys/procdesc.h> # include <string.h> # include <errno.h> int main ( int argc, char *argv[]) { int pfd, pid, cap_fd, status; pid = pdfork(&pfd, 0); if (pid < 0) { fprintf(stderr, "failed to pdfork: (%d): %s\n" , errno, strerror(errno)); exit(EXIT_FAILURE); } if (pid > 0) { cap_fd = cap_new(pfd, CAP_ACCEPT|CAP_CONNECT|CAP_BIND|CAP_LISTEN); if (cap_fd < 0) { fprintf(stderr, "failed to drop privileges: (%d): %s\n" , errno, strerror(errno)); exit(EXIT_FAILURE); } } status = cap_enter(); if (status < 0) { fprintf(stderr, "failed to enter sandbox: (%d): %s\n" , errno, strerror(errno)); exit(EXIT_FAILURE); } return 0; } Result: igalic@daemonix ~/src/cap % ./daemon failed to pdfork: (78): Function not implemented
        Leif Hedstrom made changes -
        Component/s Build [ 12313103 ]
        James Peach made changes -
        Component/s Portability [ 12313106 ]
        Hide
        James Peach added a comment -

        Moving out to sometime until someone with an interest in Solaris volunteers to do this.

        Show
        James Peach added a comment - Moving out to sometime until someone with an interest in Solaris volunteers to do this.
        James Peach made changes -
        Fix Version/s sometime [ 12316277 ]
        Leif Hedstrom made changes -
        Fix Version/s 5.3.0 [ 12324896 ]
        Fix Version/s sometime [ 12316277 ]

          People

          • Assignee:
            Unassigned
            Reporter:
            Igor Galić
          • Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

            • Created:
              Updated:

              Development