tech-net archive


Re: Privilege dropping for rtadvd



On 27/06/2013 16:53, Roy Marples wrote:
On 27/06/2013 16:35, logan%elandsys.com@localhost wrote:
Well, I've already started working on a diff. Would you be interested
in reviewing it :-) ?

Sure!

I didn't review a diff :(

Here's one I cooked up in my spare time.
Comments?

Any objections or I'll commit this soonish.

Roy
Index: usr.sbin/rtadvd/rtadvd.c
===================================================================
RCS file: /cvsroot/src/usr.sbin/rtadvd/rtadvd.c,v
retrieving revision 1.43
diff -u -p -r1.43 rtadvd.c
--- usr.sbin/rtadvd/rtadvd.c    28 Jun 2013 07:59:32 -0000      1.43
+++ usr.sbin/rtadvd/rtadvd.c    28 Jun 2013 11:38:35 -0000
@@ -58,6 +58,7 @@
 #include <util.h>
 #endif
 #include <poll.h>
+#include <pwd.h>
 
 #include "rtadvd.h"
 #include "rrenum.h"
@@ -177,6 +178,7 @@ main(int argc, char *argv[])
        struct timeval *timeout;
        int i, ch;
        int fflag = 0, logopt;
+       struct passwd *pw;
 
        /* get command line options and arguments */
 #define OPTIONS "c:dDfM:Rs"
@@ -260,6 +262,37 @@ main(int argc, char *argv[])
        } else
                set[1].fd = -1;
 
+       errno = 0;
+       syslog(LOG_INFO, "<%s> dropping privileges to %s",
+               __func__, RTADVD_USER);
+       if ((pw = getpwnam(RTADVD_USER)) == NULL) {
+               /* Preserve the old behaviour if the user does not exist */
+               if (errno == 0) {
+                       syslog(LOG_WARNING,
+                           "<%s> user does not exist, not dropping privileges",
+                           __func__);
+                       goto setsig;
+               }
+               syslog(LOG_ERR, "getpwnam: %s: %m", RTADVD_USER);
+               exit(1);
+       }
+       if (chroot(pw->pw_dir) == -1) {
+               syslog(LOG_ERR, "chroot: %s: %m", pw->pw_dir);
+               exit(1);
+       }
+       if (chdir("/") == -1) {
+               syslog(LOG_ERR, "chdir(\"/\")");
+               exit(1);
+       }
+       if (setgroups(1, &pw->pw_gid) == -1 ||
+           setgid(pw->pw_gid) == -1 || 
+           setuid(pw->pw_uid) == -1)
+       {
+               syslog(LOG_ERR, "failed to drop privileges: %m");
+               exit(1);
+       }
+
+setsig:
        signal(SIGINT, set_die);
        signal(SIGTERM, set_die);
        signal(SIGHUP, set_reconf);
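Review bot: The `errno == 0` branch under `getpwnam(RTADVD_USER)` fails open: when the `_rtadvd` account is missing, the daemon jumps to `setsig` and keeps running with the privileges it was started with (presumably root), and only a LOG_WARNING records it. The LOG_INFO "dropping privileges to" line is emitted before the lookup, so the log claims a drop on that path too; I would move it to after the successful `setuid()` and consider making a missing user a hard error, or at least an explicit opt-in. Separately, the `chdir` failure message drops the errno text that the neighbouring messages carry; `syslog(LOG_ERR, "chdir(\"/\"): %m");` would match them. It is also worth confirming that the syslog connection is opened before `chroot()` so that it keeps working inside the chroot, which is not visible in this hunk. main() starts and ends outside the hunk.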
Index: usr.sbin/rtadvd/rtadvd.h
===================================================================
RCS file: /cvsroot/src/usr.sbin/rtadvd/rtadvd.h,v
retrieving revision 1.12
diff -u -p -r1.12 rtadvd.h
--- usr.sbin/rtadvd/rtadvd.h    13 Dec 2012 15:36:36 -0000      1.12
+++ usr.sbin/rtadvd/rtadvd.h    28 Jun 2013 11:38:35 -0000
@@ -30,6 +30,8 @@
  * SUCH DAMAGE.
  */
 
+#define RTADVD_USER    "_rtadvd"
+
 #define ALLNODES "ff02::1"
 #define ALLROUTERS_LINK "ff02::2"
 #define ALLROUTERS_SITE "ff05::2"
Index: etc/group
===================================================================
RCS file: /cvsroot/src/etc/group,v
retrieving revision 1.31
diff -u -p -r1.31 group
--- etc/group   7 Jun 2013 06:35:11 -0000       1.31
+++ etc/group   28 Jun 2013 11:38:35 -0000
@@ -25,6 +25,7 @@ _tests:*:26:
 _tcpdump:*:27:
 _tss:*:28:
 _gpio:*:29:
+_rtadvd:*:30:
 guest:*:31:root
 nobody:*:39:
 utmp:*:45:
Index: etc/master.passwd
===================================================================
RCS file: /cvsroot/src/etc/master.passwd,v
retrieving revision 1.46
diff -u -p -r1.46 master.passwd
--- etc/master.passwd   25 Apr 2012 16:11:26 -0000      1.46
+++ etc/master.passwd   28 Jun 2013 11:38:35 -0000
@@ -18,5 +18,6 @@ _mdnsd:*:25:25::0:0:& pseudo-user:/nonex
 _tests:*:26:26::0:0:& pseudo-user:/nonexistent:/sbin/nologin
 _tcpdump:*:27:27::0:0:& pseudo-user:/var/chroot/tcpdump:/sbin/nologin
 _tss:*:28:28::0:0:& pseudo-user:/var/tpm:/sbin/nologin
+_rtadvd:*:30:30::0:0:& pseudo-user:/var/chroot/rtadvd:/sbin/nologin
 uucp:*:66:1::0:0:UNIX-to-UNIX Copy:/nonexistent:/sbin/nologin
 nobody:*:32767:39::0:0:Unprivileged user:/nonexistent:/sbin/nologin
Index: etc/mtree/special
===================================================================
RCS file: /cvsroot/src/etc/mtree/special,v
retrieving revision 1.145
diff -u -p -r1.145 special
--- etc/mtree/special   16 May 2013 07:37:05 -0000      1.145
+++ etc/mtree/special   28 Jun 2013 11:38:35 -0000
@@ -395,6 +395,10 @@
 ./var/chroot/ntpd/var/db       type=dir  mode=0775 gname=ntpd
 ./var/chroot/ntpd/var/run      type=dir  mode=0775 gname=ntpd
 ./var/chroot/pflogd            type=dir  mode=0755
+./var/chroot/rtadvd            type=dir  mode=0755
+./var/chroot/rtadvd/etc                type=dir  mode=0755
+./var/chroot/rtadvd/var                type=dir  mode=0755
+./var/chroot/rtadvd/var/run    type=dir  mode=0775 gname=_rtadvd
 ./var/chroot/sshd              type=dir  mode=0755
 ./var/chroot/tcpdump           type=dir  mode=0755
 ./var/chroot/tftp-proxy                type=dir  mode=0755
Index: etc/rc.d/rtadvd
===================================================================
RCS file: /cvsroot/src/etc/rc.d/rtadvd,v
retrieving revision 1.7
diff -u -p -r1.7 rtadvd
--- etc/rc.d/rtadvd     13 Dec 2012 15:51:17 -0000      1.7
+++ etc/rc.d/rtadvd     28 Jun 2013 11:38:35 -0000
@@ -9,20 +9,51 @@
 
 $_rc_subr_loaded . /etc/rc.subr
 
-name="rtadvd"
+name=rtadvd
 rcvar=$name
-command="/usr/sbin/${name}"
+command="/usr/sbin/$name"
 pidfile="/var/run/$name.pid"
-extra_commands="reload"
-start_precmd="rtadvd_precmd"
+extra_commands=reload
+start_precmd=rtadvd_prestart
+reload_precmd=rtadvd_prereload
 
-rtadvd_precmd()
+rtadvd_prereload()
 {
-       if [ "$ip6mode" != "router" ]; then
+       local chdir="$(getent passwd _rtadvd | cut -d: -f6)"
+       local conf=/etc/rtadvd.conf myflags o confdir
+       
+       [ -z "$chdir" -o "$chdir" = / ] && return 0
+
+       if [ -n "$flags" ]; then
+               myflags=$flags
+       else
+               eval myflags=\$${name}_flags
+       fi
+       set -- ${myflags}
+       while getopts c:dDfM:Rs o; do
+               case "$1" in
+               -c)     conf="$OPTARG";;
+               esac
+               shift
+       done
+       confdir=$(dirname "$conf")
+       
+       echo "$name: copying $conf to $chdir$conf"
+       cp "$conf" "$chdir$conf"
+
+       # Provide a link to the chrooted dump file
+       ln -snf "$chdir/var/run/$name.dump" /var/run
+}
+
+rtadvd_prestart()
+{
+       if [ "$ip6mode" != router ]; then
                warn \
        "${name} cannot be used on IPv6 host, only on an IPv6 router."
                return 1
        fi
+
+       rtadvd_prereload
 }
 
 load_rc_config $name
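Review bot: The option loop in `rtadvd_prereload` mixes `getopts` with `case "$1"` and `shift`, so `$1` and `OPTIND` drift apart after the first option, and a `-c` that is not the first flag (or is bundled, as in `-dc file`) is likely missed, leaving `conf` at its default. Matching on the getopts variable and dropping the `shift` avoids that: `case "$o" in` with `c) conf="$OPTARG";;`. `confdir` is computed but never used, so a config outside `/etc` has no target directory inside the chroot. The `cp` status is not checked either, and the function returns the status of the final `ln`, so a failed copy still lets start or reload proceed with a stale or missing chrooted config. `mkdir -p "$chdir$confdir"` followed by `cp "$conf" "$chdir$conf" || return 1` would surface that failure.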

