git.proxmox.com Git - mirror_iproute2.git/commit
Drop capabilities if not running ip exec vrf with libcap
author Luca Boccassi <bluca@debian.org>
Tue, 27 Mar 2018 17:48:55 +0000 (18:48 +0100)
committer Stephen Hemminger <stephen@networkplumber.org>
Tue, 27 Mar 2018 18:48:23 +0000 (11:48 -0700)
commit ba2fc55b99f8363c80ce36681bc1ec97690b66f5
tree 2627ee909111f1291b72caa53aa8d60e27139120
parent b2038cc0b2403e8c5126cfcf45f6ee48ac549ad0
Drop capabilities if not running ip exec vrf with libcap

ip vrf exec requires root or CAP_NET_ADMIN, CAP_SYS_ADMIN and
CAP_DAC_OVERRIDE. It is not possible to run unprivileged commands like
ping as non-root or non-cap-enabled due to this requirement.
To allow users and administrators to safely add the required
capabilities to the binary, drop all capabilities on start if not
invoked with "vrf exec".
Update the manpage with the requirements.

Signed-off-by: Luca Boccassi <bluca@debian.org>
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
configure
include/utils.h
ip/ip.c
ip/ipvrf.c
lib/utils.c
man/man8/ip-vrf.8
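
The pattern the commit message describes (keep file capabilities only for "vrf exec", drop everything otherwise, as the first action of the program) is shown below as an added example; it is not the iproute2 code from this commit. It assumes Linux and uses the raw capget(2)/capset(2) syscalls instead of libcap so that it builds without the library; the function names `keeps_caps`, `drop_all_caps` and `caps_are_empty` are hypothetical.

```c
#define _GNU_SOURCE
#include <linux/capability.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Keep capabilities only for an exact "<prog> vrf exec ..." command line.
 * Anything else, including options placed before "vrf", fails closed. */
int keeps_caps(int argc, char **argv)
{
	return argc >= 3 && strcmp(argv[1], "vrf") == 0 &&
	       strcmp(argv[2], "exec") == 0;
}

/* Clear the effective, permitted and inheritable sets; 0 on success. */
int drop_all_caps(void)
{
	struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
	struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];

	memset(data, 0, sizeof(data));
	return (int)syscall(SYS_capset, &hdr, data);
}

/* 1 if no set holds any capability, 0 if some remain, -1 on error. */
int caps_are_empty(void)
{
	struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
	struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];

	if (syscall(SYS_capget, &hdr, data) != 0)
		return -1;
	for (int i = 0; i < _LINUX_CAPABILITY_U32S_3; i++)
		if (data[i].effective | data[i].permitted | data[i].inheritable)
			return 0;
	return 1;
}

int main(int argc, char **argv)
{
	/* Decide before any other work, so no other code path runs privileged. */
	if (!keeps_caps(argc, argv) && drop_all_caps() != 0) {
		perror("capset");
		return 1;
	}
	printf("capabilities %s\n", caps_are_empty() == 1 ? "dropped" : "kept");
	return 0;
}
```

Clearing the permitted set is irreversible for the process, so a bug reached later through any other subcommand cannot use the capabilities granted to the binary.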