[PATCH] Remove need for FOWNER kernel capability

Patrick Uiterwijk puiterwijk at redhat.com
Wed Jan 21 21:24:49 CET 2015


Hi,

As explained in ticket #1663, currently varnish needs the fowner kernel capability,
because it first fchowns the compiled policy module and then chmods it to 0755.
This is most likely caused by a reconsideration of ticket's #1072 discussions.

This is a problem for systems running selinux, as it will deny that capability
unless it gets explicitly allowed by policy.

Attached is a patch to remove the chown, since the compiled module is already owned
by the unprivileged user.

Please let me know what you think of this.

With kind regards,
Patrick Uiterwijk
-------------- next part --------------
From 42610801bd1ea72833b6ddc247df6f3a49520153 Mon Sep 17 00:00:00 2001
From: Patrick Uiterwijk <puiterwijk at redhat.com>
Date: Wed, 21 Jan 2015 19:41:16 +0100
Subject: [PATCH] Remove the chown, since the file is already owned by the
 unprivileged user.

---
 bin/varnishd/mgt/mgt_vcc.c | 10 ----------
 1 file changed, 10 deletions(-)

diff --git a/bin/varnishd/mgt/mgt_vcc.c b/bin/varnishd/mgt/mgt_vcc.c
index f18fe41..57f9fe2 100644
--- a/bin/varnishd/mgt/mgt_vcc.c
+++ b/bin/varnishd/mgt/mgt_vcc.c
@@ -306,16 +306,6 @@ mgt_run_cc(const char *vcl, struct vsb *sb, int C_flag, unsigned *status)
 	if (!subs)
 		subs = VSUB_run(sb, run_dlopen, of, "dlopen", 10);
 
-	/* Ensure the file is readable to the unprivileged user */
-	if (!subs) {
-		i = chmod(of, 0755);
-		if (i) {
-			VSB_printf(sb, "Failed to set permissions on %s: %s",
-			    of, strerror(errno));
-			subs = 2;
-		}
-	}
-
 	if (subs) {
 		(void)unlink(of);
 		*status = subs;
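Review bot: the code this hunk deletes is the chmod(of, 0755) block, not a chown; the commit subject and the covering mail both say the chown is being removed, yet no chown/fchown call appears anywhere in this diff. If the CAP_FOWNER requirement comes from an fchown elsewhere in mgt_vcc.c, that call is the one to drop, and this chmod can stay, since chmod on a file the caller already owns does not need CAP_FOWNER. As written, the hunk also removes the only step that guarantees the deleted comment's property ("Ensure the file is readable to the unprivileged user"), leaving the module's mode to whatever the compiler produced under the process umask; if that is intended, the commit message should say chmod rather than chown and state why the resulting mode is acceptable. Please also confirm that `i` is still used elsewhere in mgt_run_cc after this deletion, otherwise the build will warn about an unused variable.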
-- 
2.1.0

