diff --git a/ConfigureChecks.cmake b/ConfigureChecks.cmake
index c53e1de..f29ec47 100644
--- a/ConfigureChecks.cmake
+++ b/ConfigureChecks.cmake
@@ -13,3 +13,4 @@ check_include_files(sys/exec.h HAVE_SYS_EXEC_H)
 check_function_exists(pstat HAVE_PSTAT)
 check_function_exists(setproctitle HAVE_SETPROCTITLE)
 check_library_exists(socket connect "" HAVE_SOCKET_LIBRARY)
+check_library_exists(cap cap_init "" HAVE_CAPABILITIES)
diff --git a/src/start_kdeinit/CMakeLists.txt b/src/start_kdeinit/CMakeLists.txt
index 6bfc496..0c513de 100644
--- a/src/start_kdeinit/CMakeLists.txt
+++ b/src/start_kdeinit/CMakeLists.txt
@@ -9,6 +9,6 @@ if (CMAKE_SYSTEM_NAME MATCHES Linux)
 set(KDEINIT_OOM_PROTECT 1)
 install(CODE "
 set(START_KDEINIT_PATH \"\$ENV{DESTDIR}${CMAKE_INSTALL_PREFIX}/${LIBEXEC_INSTALL_DIR}/start_kdeinit\")
- EXECUTE_PROCESS(COMMAND sh -c \"chown 0 '\${START_KDEINIT_PATH}' && chmod u+s '\${START_KDEINIT_PATH}'\")
+ EXECUTE_PROCESS(COMMAND sh -c \"setcap 'CAP_SYS_RESOURCE=+ep' '\${START_KDEINIT_PATH}'\")
 ")
 endif ()
diff --git a/src/start_kdeinit/start_kdeinit.c b/src/start_kdeinit/start_kdeinit.c
index 3c733e7..26d2843 100644
--- a/src/start_kdeinit/start_kdeinit.c
+++ b/src/start_kdeinit/start_kdeinit.c
@@ -27,6 +27,10 @@
 #include
 #include
 #include
+#ifdef HAVE_CAPABILITIES
+#include
+#endif
+
 #define EXECUTE CMAKE_INSTALL_PREFIX"/"BIN_INSTALL_DIR "/kdeinit5"
@@ -98,6 +102,10 @@ int main(int argc, char **argv)
 unsigned i;
 char **orig_environ = NULL;
 char header[ 7 ];
+#ifdef HAVE_CAPABILITIES
+ cap_t caps;
+#endif
+
 if (pipe(pipes) < 0) {
 perror("pipe()");
 return 1;
@@ -111,6 +119,14 @@ int main(int argc, char **argv)
 perror("fork()");
 return 1;
 default: /* parent, drop privileges and exec */
+#ifdef HAVE_CAPABILITIES
+ caps = cap_init();
+ if (cap_set_proc(caps) < 0) {
+ perror("cap_set_proc()");
+ return 1;
+ }
+ cap_free(caps);
+#endif
 if (setgid(getgid())) {
 perror("setgid()");
 return 1;
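Review bot: The added `check_library_exists(cap cap_init "" HAVE_CAPABILITIES)` in ConfigureChecks.cmake only shows that libcap can be linked. Nothing in this diff checks for the capability header that start_kdeinit.c includes under `#ifdef HAVE_CAPABILITIES`, exports the result into a generated config header, or links `cap` to the start_kdeinit target. If that wiring is not done elsewhere, either all three `#ifdef HAVE_CAPABILITIES` blocks in start_kdeinit.c are silently compiled out and the parent never drops the capability explicitly, or the link step fails. I would add a `check_include_files(sys/capability.h ...)` next to this line, a `#cmakedefine` for HAVE_CAPABILITIES in the config header, and link `cap` only when the check succeeds.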
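Review bot: The result of the `setcap` call inside `install(CODE ...)` in src/start_kdeinit/CMakeLists.txt is never checked. An install that runs without the needed privilege, without the setcap tool, or onto a filesystem without extended-attribute support therefore finishes cleanly and leaves start_kdeinit with no capability. With the `&&` chain gone the `sh -c` wrapper is no longer needed, so the arguments can be passed directly, `EXECUTE_PROCESS(COMMAND setcap CAP_SYS_RESOURCE=+ep \"\${START_KDEINIT_PATH}\" RESULT_VARIABLE _setcap_rc)`. That avoids shell quoting of the install path and lets the script emit a `message(WARNING ...)` when `_setcap_rc` is non-zero. The step also runs whether or not HAVE_CAPABILITIES was found at configure time, which deserves either a guard or a comment.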
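Review bot: `cap_init()` can return NULL, and the new block in the `default:` branch of main() (hunk at -111,6) passes its result straight to `cap_set_proc()`, so an allocation failure is reported as `cap_set_proc()` with whatever errno that call sets. A separate guard, `if (caps == NULL) { perror("cap_init()"); return 1; }`, keeps the diagnostic accurate, and the existing error path should call `cap_free(caps)` before `return 1` for symmetry. Installing the empty set before the exec and treating failure as fatal is the fail-closed choice, but a one-line comment saying that the empty set from `cap_init()` is what removes CAP_SYS_RESOURCE would help the next reader. main() starts and continues outside this hunk, so whether the child branch releases the capability after its own work cannot be judged from here.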