diff -ur openslp-dfsg-2.0.0/configure.ac openslp-dfsg-2.0.0-linux-cap/configure.ac --- openslp-dfsg-2.0.0/configure.ac 2017-07-21 09:01:06.000000000 +0000 +++ openslp-dfsg-2.0.0-linux-cap/configure.ac 2017-08-07 13:36:54.202541000 +0000 @@ -34,6 +34,11 @@ AC_CHECK_LIB([nsl], [gethostbyname]) AC_CHECK_LIB([m], [log10]) AC_CHECK_LIB([pthread], [pthread_create]) +case $host_os in + linux* ) + AC_CHECK_LIB([cap], [cap_get_proc]) + ;; +esac # # Checks for header files diff -ur openslp-dfsg-2.0.0/slpd/slpd_main.c openslp-dfsg-2.0.0-linux-cap/slpd/slpd_main.c --- openslp-dfsg-2.0.0/slpd/slpd_main.c 2017-07-21 09:01:06.000000000 +0000 +++ openslp-dfsg-2.0.0-linux-cap/slpd/slpd_main.c 2017-08-07 13:42:45.802541000 +0000 @@ -58,6 +58,10 @@ #include "slp_xid.h" #include "slp_net.h" +#if defined(LINUX) +# include +#endif + int G_SIGALRM; int G_SIGTERM; int G_SIGHUP; @@ -473,6 +477,25 @@ */ static int DropPrivileges() { +#if defined(LINUX) + /* On Linux, binding to the lower port numbers requires root access or + CAP_NET_BIND_SERVICE. Since we are about to drop root, grab the + capability flag that we need first. */ + { + cap_value_t list[1] = {CAP_NET_BIND_SERVICE}; + cap_t c = cap_get_proc(); + + if (c) + { + if (!cap_set_flag (c, CAP_PERMITTED, 1, list, CAP_SET)) + { + cap_set_proc (c); + } + cap_free (c); + } + } +#endif + #ifndef SETUIDS /* suid to daemon */ @@ -485,14 +508,15 @@ /* TODO: warn if 'daemon' user has insufficient privileges and ipv6 requested.*/ /* TODO: allow different user to be specified as process owner. */ - - struct passwd * pwent = getpwnam("daemon"); - if (pwent) { - if (setgroups(1, &pwent->pw_gid) < 0 || setgid(pwent->pw_gid) < 0 - || setuid(pwent->pw_uid) < 0) + struct passwd * pwent = getpwnam("daemon"); + if (pwent) { - /* TODO: should we log here and return fail */ + if (setgroups(1, &pwent->pw_gid) < 0 || setgid(pwent->pw_gid) < 0 + || setuid(pwent->pw_uid) < 0) + { + /* TODO: should we log here and return fail */ + } } } #endif