From 156f6f318daa782cd209c90ed69a0d24595af5d1 Mon Sep 17 00:00:00 2001 From: Vincent Untz Date: Fri, 6 May 2011 14:18:00 +0200 Subject: [PATCH] Accept to run if ipc_lock capability is not available We print a warning about potential use of unsecure memory, but still run (and drop unneeded capabilities if we have some). This is better than nothing. https://bugzilla.gnome.org/show_bug.cgi?id=649560 --- daemon/gkd-capability.c | 13 +++++++++++-- 1 files changed, 11 insertions(+), 2 deletions(-) diff --git a/daemon/gkd-capability.c b/daemon/gkd-capability.c index e15200a..92c000c 100644 --- a/daemon/gkd-capability.c +++ b/daemon/gkd-capability.c @@ -42,6 +42,12 @@ early_error (const char *err_string) exit (1); } +static void +early_warning (const char *warn_string) +{ + fprintf (stderr, "gnome-keyring-daemon: %s\n", warn_string); +} + #endif /* HAVE_LIPCAPNG */ /* @@ -74,11 +80,14 @@ gkd_capability_obtain_capability_and_drop_privileges (void) early_error ("error getting process capabilities"); break; case CAPNG_NONE: - early_error ("insufficient process capabilities"); + early_warning ("insufficient process capabilities, unsecure memory might get used"); break; case CAPNG_PARTIAL: /* File system based capabilities */ if (!capng_have_capability (CAPNG_EFFECTIVE, CAP_IPC_LOCK)) { - early_error ("insufficient process capabilities"); + early_warning ("insufficient process capabilities, unsecure memory might get used"); + /* Drop all capabilities */ + capng_clear (CAPNG_SELECT_BOTH); + capng_apply (CAPNG_SELECT_BOTH); break; } -- 1.7.4.2