From 92232dab33c6f1212e5b0b30cf590ad42246cffa Mon Sep 17 00:00:00 2001
From: Martin Willi <martin@strongswan.org>
Date: Mon, 1 Oct 2007 09:07:10 +0000
Subject: [PATCH] fixed stuid()/setgid() and error handling

---
 src/charon/daemon.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/src/charon/daemon.c b/src/charon/daemon.c
index c9c632def..2d31e7ad6 100644
--- a/src/charon/daemon.c
+++ b/src/charon/daemon.c
@@ -231,10 +231,16 @@ static void drop_capabilities(private_daemon_t *this, bool full)
 	if (full)
 	{
 #		if IPSEC_GID
-			setgid(IPSEC_GID);
+		if (setgid(IPSEC_GID) != 0)
+		{
+			kill_daemon(this, "changing GID to unprivileged group failed");
+		}
 #		endif
 #		if IPSEC_UID
-			setuid(IPSEC_UID);
+		if (setuid(IPSEC_UID) != 0)
+		{
+			kill_daemon(this, "changing UID to unprivileged user failed");
+		}
 #		endif
 	}
 	else
@@ -247,6 +253,10 @@ static void drop_capabilities(private_daemon_t *this, bool full)
 		keep |= (1<<CAP_DAC_READ_SEARCH);
 		/* CAP_CHOWN to change file permissions (socket permissions) */
 		keep |= (1<<CAP_CHOWN);
+		/* CAP_SETUID to call setuid()  */
+		keep |= (1<<CAP_SETUID);
+		/* CAP_SETGID to call setgid() */
+		keep |= (1<<CAP_SETGID);
 	}
 
 	hdr.version = _LINUX_CAPABILITY_VERSION;