From 8e9e4bd4bf0493013e071d9edb5c374c78549c73 Mon Sep 17 00:00:00 2001
From: David Lamparter
Date: Mon, 21 Aug 2017 20:05:51 +0200
Subject: [PATCH 1/2] bgpd: don't zprivs_terminate() twice

zprivs_terminate() is called from bgp_exit()

Signed-off-by: David Lamparter
---
 bgpd/bgp_main.c | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/bgpd/bgp_main.c b/bgpd/bgp_main.c
index d1359402df..3bf9ea02d5 100644
--- a/bgpd/bgp_main.c
+++ b/bgpd/bgp_main.c
@@ -140,11 +140,8 @@ __attribute__((__noreturn__)) void sigint(void)
 {
 zlog_notice("Terminating on signal");
- if (!retain_mode) {
+ if (!retain_mode)
 bgp_terminate();
- if (bgpd_privs.user) /* NULL if skip_runas flag set */
- zprivs_terminate(&bgpd_privs);
- }
 bgp_exit(0);

From 4093d47b9913113e1e30f8cce82bd8104a0efa8e Mon Sep 17 00:00:00 2001
From: David Lamparter
Date: Mon, 21 Aug 2017 20:17:53 +0200
Subject: [PATCH 2/2] lib: terminate capabilities only if initialized

zprivs_caps_init() is called conditionally, apply the same condition on terminate.

Signed-off-by: David Lamparter
---
 lib/privs.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/lib/privs.c b/lib/privs.c
index eda3fb02d4..cfe7d6d6f8 100644
--- a/lib/privs.c
+++ b/lib/privs.c
@@ -856,7 +856,9 @@ void zprivs_terminate(struct zebra_privs_t *zprivs)
 }
 #ifdef HAVE_CAPABILITIES
- zprivs_caps_terminate();
+ if (zprivs->user || zprivs->group || zprivs->cap_num_p
+ || zprivs->cap_num_i)
+ zprivs_caps_terminate();
 #else /* !HAVE_CAPABILITIES */
 /* only change uid if we don't have the correct one */
 if ((zprivs_state.zuid) && (zprivs_state.zsuid != zprivs_state.zuid)) {
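Review bot: In bgpd/bgp_main.c, once the guarded call is removed from sigint(), nothing in the function records where privilege teardown happens or that the skip_runas case is still covered; the deleted comment noted that `bgpd_privs.user` is NULL in that case. bgp_exit() lies outside this hunk, so whether its zprivs_terminate() call carries an equivalent check cannot be confirmed from here. If it does not, the protection arrives only with the lib/privs.c change in patch 2/2, and this patch taken alone may leave that path unguarded. A short comment above `bgp_exit(0);` would record the ownership, for example `/* bgp_exit() calls zprivs_terminate(); do not repeat it here */`.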
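Review bot: In lib/privs.c, the new guard in zprivs_terminate() re-derives whether capabilities were initialized from `zprivs->user`, `zprivs->group`, `zprivs->cap_num_p` and `zprivs->cap_num_i` instead of recording it. It stays correct only while it matches the condition around zprivs_caps_init(), which is outside this hunk. If the two drift apart, terminate either runs on capability state that was never set up or skips releasing state that was. Recording the fact once, for example in a flag that zprivs_caps_init() sets and this branch tests, would remove the duplication; at minimum add `/* keep in sync with the condition guarding zprivs_caps_init() */` above the `if`. The function starts and ends outside the hunk, so any earlier validation of `zprivs` cannot be confirmed from here.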