diff --git a/autogen.sh b/autogen.sh
index 336463c9c7..a00ec3037e 100755
--- a/autogen.sh
+++ b/autogen.sh
@@ -9,4 +9,5 @@ autoreconf -v -f --install || exit 1
 --disable-shared \
 --without-libpam \
 --with-selinux \
+ --enable-fcaps=auto \
 "$@"
diff --git a/configure.ac b/configure.ac
index aaedf52933..e91f3bf05d 100644
--- a/configure.ac
+++ b/configure.ac
@@ -357,6 +357,24 @@ if test "$enable_subids" != "no"; then
 fi
 AM_CONDITIONAL(ENABLE_SUBIDS, test "x$enable_subids" != "xno")
+AC_ARG_ENABLE(fcaps,
+ [AC_HELP_STRING([--enable-fcaps],
+ [use file capabilities for newuidmap@<:@default=yes@:>@])],
+ [enable_fcaps="${enableval}"],
+ [enable_fcaps="maybe"]
+)
+
+if test "$enable_fcaps" != "no"; then
+ AC_CHECK_PROGS(capcmd, "setcap")
+ if test "x$capcmd" = "x" ; then
+ if test "x$enable_fcaps" = "xyes" ; then
+ AC_MSG_ERROR([setcap command not available])
+ fi
+ enable_fcaps="no"
+ fi
+fi
+AM_CONDITIONAL(ENABLE_FCAPS, test "x$enable_fcaps" != "xno")
+
 AC_SUBST(LIBCRYPT)
 AC_CHECK_LIB(crypt, crypt, [LIBCRYPT=-lcrypt], [AC_MSG_ERROR([crypt() not found])])
diff --git a/src/Makefile.am b/src/Makefile.am
index 3c98a8d363..8c7e773da6 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -52,6 +52,7 @@ usbin_PROGRAMS = \
 # id and groups are from gnu, sulogin from sysvinit
 noinst_PROGRAMS = id sulogin
+fcapubins =
 suidbins = su
 suidubins = chage chfn chsh expiry gpasswd newgrp
 if !WITH_TCB
@@ -61,8 +62,12 @@ if ACCT_TOOLS_SETUID
 suidubins += chgpasswd chpasswd groupadd groupdel groupmod newusers useradd userdel usermod
 endif
 if ENABLE_SUBIDS
+if ENABLE_FCAPS
+fcapubins += newgidmap newuidmap
+else
 suidubins += newgidmap newuidmap
 endif
+endif
 if WITH_TCB
 shadowsgidubins = passwd
@@ -129,6 +134,9 @@ install-am: all-am
 for i in $(suidbins); do \
 chmod $(suidperms) $(DESTDIR)$(bindir)/$$i; \
 done
+ for i in $(fcapubins); do \
+ setcap cap_setuid,cap_setgid=pe $(DESTDIR)$(ubindir)/$$i; \
+ done
 for i in $(suidubins); do \
 chmod $(suidperms) $(DESTDIR)$(ubindir)/$$i; \
 done
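Review bot: The help text in the new `AC_ARG_ENABLE(fcaps, …)` advertises `default=yes`, but the fallback value is `maybe`, so a build host without `setcap` silently ends up with `enable_fcaps="no"` and newuidmap/newgidmap take the setuid install path in src/Makefile.am. That switches the privilege model of the installed helpers without telling the builder; an `AC_MSG_WARN([setcap not found, newuidmap/newgidmap will be installed setuid])` just before `enable_fcaps="no"` would make the fallback visible. The help string would be accurate as `[use file capabilities for newuidmap and newgidmap @<:@default=auto@:>@]`, which also matches the `--enable-fcaps=auto` that autogen.sh now passes. Any value other than `no` or `yes` (a typo included) is currently treated as auto-detect, which deserves a comment or an explicit `case` on the accepted values.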
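Review bot: A failed `setcap` in the new `$(fcapubins)` loop is not propagated: the loop body ends in `;`, so an error on newgidmap is masked when the call for newuidmap succeeds, leaving a helper installed with neither the setuid bit nor file capabilities. Append an explicit exit, `setcap cap_setuid,cap_setgid=pe $(DESTDIR)$(ubindir)/$$i || exit 1; \`, and call the program configure detected (`$(capcmd)`) rather than a bare `setcap` resolved from the installer's PATH. The loop also grants both `cap_setuid` and `cap_setgid` to every binary; if newuidmap only writes UID maps and newgidmap only GID maps (their code is not in this diff), each should receive only its own capability. The install-am recipe begins before this hunk and may continue after it. For staged `DESTDIR` installs, add a comment that the packaging step must preserve the `security.capability` xattr, otherwise the helpers arrive unprivileged.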