sslh-fork drops all capabilities after connecting to server side

2025-04-13 07:37:15 +03:00 · 2021-05-09 15:46:25 +02:00 · 2021-05-09 15:46:25 +02:00 · 8e130882fc
commit 8e130882fc
parent 030ef64b99
3 changed files with 7 additions and 1 deletions
--- a/5
+++ b/5
@ -20,7 +20,10 @@ vNEXT:
 	Warn about unknown settings in the configuration
 	file.

-	Added per-protocol `transparent` option.
+	Added per-protocol `transparent` option. The option
+	requires CAP_NET_ADMIN to work. sslh-fork drops the
+	capability after creating the server-side
+	transparent socket.

 v1.21: 11JUL2020
 	WARNING:
--- a/common.h
+++ b/common.h
@ -136,6 +136,7 @@ int check_access_rights(int in_socket, const char* service);
 void setup_signals(void);
 void setup_syslog(const char* bin_name);
 void drop_privileges(const char* user_name, const char* chroot_path);
+void set_capabilities(int cap_net_admin);
 void write_pid_file(const char* pidfile);
 void log_message(int type, const char* msg, ...);
 void dump_connection(struct connection *cnx);
--- a/sslh-fork.c
+++ b/sslh-fork.c
@ -114,6 +114,8 @@ void start_shoveler(int in_socket)
   out_socket = connect_addr(&cnx, in_socket);
   CHECK_RES_DIE(out_socket, "connect");

+   set_capabilities(0);
+
   cnx.q[1].fd = out_socket;

   get_connection_desc(&desc, &cnx);