summaryrefslogtreecommitdiffstats
path: root/support/export/export.c
diff options
context:
space:
mode:
authorJeff Layton <jlayton@redhat.com>2012-05-09 13:25:34 -0400
committerSteve Dickson <steved@redhat.com>2012-05-09 13:25:34 -0400
commit623a550b16835685ddca3736a9a00218bd582a2f (patch)
tree0ec5faf304e3f4d55f8ad05794fbd615062380d3 /support/export/export.c
parentb6a0ab1dfe85b84ab30a1b656a6bc88b9e025434 (diff)
downloadnfs-utils-623a550b16835685ddca3736a9a00218bd582a2f.tar.gz
nfs-utils-623a550b16835685ddca3736a9a00218bd582a2f.tar.xz
nfs-utils-623a550b16835685ddca3736a9a00218bd582a2f.zip
nfsdcld: add support for dropping capabilities
As a long running daemon, we need to be security-conscious with nfsdcld, so let's prune what it can do down to nearly nothing. We want the daemon to run as root so that it has access to open and reopen the rpc_pipefs pipe, but we don't actually need any of the superuser caps that come with it. Have it drop all capabilities early on. We don't need any of them as long as the fsuid continues to be 0. Once we do that though, check to ensure that the db dir is actually usable by root w/o CAP_DAC_OVERRIDE. Do an access() check on it and throw a warning if it's not. Hopefully that will assist users in debugging if they get the ownership of the DB dir wrong. Signed-off-by: Jeff Layton <jlayton@redhat.com> Signed-off-by: Steve Dickson <steved@redhat.com>
Diffstat (limited to 'support/export/export.c')
0 files changed, 0 insertions, 0 deletions