Merge pull request #136 from giuseppe/fcap-newuidmap-newgidmap

newuidmap/newgidmap: install with file capabilities
2018-10-27 11:26:31 -05:00 · 2018-10-27 11:26:31 -05:00 · bb3f810611
commit bb3f810611
parent d5255da20b 70971457b7
2 changed files with 22 additions and 0 deletions
--- a/configure.ac
+++ b/configure.ac
@ -600,6 +600,19 @@ if test "$enable_acct_tools_setuid" != "no"; then
 fi
 AM_CONDITIONAL(ACCT_TOOLS_SETUID, test "x$enable_acct_tools_setuid" = "xyes")

+
+AC_ARG_WITH(fcaps,
+	[AC_HELP_STRING([--with-fcaps], [use file capabilities instead of suid binaries for newuidmap/newgidmap @<:@default=no@:>@])],
+	[with_fcaps=$withval], [with_fcaps=no])
+AM_CONDITIONAL(FCAPS, test "x$with_fcaps" = "xyes")
+
+if test "x$with_fcaps" = "xyes"; then
+	AC_CHECK_PROGS(capcmd, "setcap")
+	if test "x$capcmd" = "x" ; then
+		AC_MSG_ERROR([setcap command not available])
+	fi
+fi
+
 AC_SUBST(LIBSKEY)
 AC_SUBST(LIBMD)
 if test "$with_skey" = "yes"; then
@ -684,4 +697,5 @@ echo "	SHA passwords encryption:	$with_sha_crypt"
 echo "	nscd support:			$with_nscd"
 echo "	sssd support:			$with_sssd"
 echo "	subordinate IDs support:	$enable_subids"
+echo "	use file caps:			$with_fcaps"
 echo
--- a/src/Makefile.am
+++ b/src/Makefile.am
@ -61,8 +61,10 @@ if ACCT_TOOLS_SETUID
 suidubins += chgpasswd chpasswd groupadd groupdel groupmod newusers useradd userdel usermod
 endif
 if ENABLE_SUBIDS
+if !FCAPS
 suidubins += newgidmap newuidmap
 endif
+endif

 if WITH_TCB
 shadowsgidubins = passwd
@ -138,3 +140,9 @@ if WITH_TCB
 		chmod $(sgidperms) $(DESTDIR)$(ubindir)/$$i; \
 	done
 endif
+if ENABLE_SUBIDS
+if FCAPS
+	setcap cap_setuid+ep $(DESTDIR)$(ubindir)/newuidmap
+	setcap cap_setgid+ep $(DESTDIR)$(ubindir)/newgidmap
+endif
+endif