diff options
author | Ondrej Zajicek <santiago@crfreenet.org> | 2011-05-15 16:29:44 +0200 |
---|---|---|
committer | Ondrej Zajicek <santiago@crfreenet.org> | 2011-05-15 16:29:44 +0200 |
commit | e8b89a610443f32b901801668cbae634e13f3e68 (patch) | |
tree | ee0f68cc90ad6df6c2d44fa8a9cca2fc449c0071 /sysdep | |
parent | 1bc2695744c729804af32d48ce68854cba4de8f7 (diff) | |
download | bird-e8b89a610443f32b901801668cbae634e13f3e68.tar bird-e8b89a610443f32b901801668cbae634e13f3e68.zip |
Update and document the privilege restriction.
Diffstat (limited to 'sysdep')
-rw-r--r-- | sysdep/linux/syspriv.h | 5 | ||||
-rw-r--r-- | sysdep/unix/main.c | 47 |
2 files changed, 37 insertions, 15 deletions
diff --git a/sysdep/linux/syspriv.h b/sysdep/linux/syspriv.h index bfe19ac..b2cdde8 100644 --- a/sysdep/linux/syspriv.h +++ b/sysdep/linux/syspriv.h @@ -48,15 +48,20 @@ drop_uid(uid_t uid) CAP_TO_MASK(CAP_NET_ADMIN) | CAP_TO_MASK(CAP_NET_RAW); + /* change effective user ID to be able to switch to that + user ID completely after dropping CAP_SETUID */ if (seteuid(uid) < 0) die("seteuid: %m"); + /* restrict the capabilities */ if (set_capabilities(caps) < 0) die("capset: %m"); + /* keep the capabilities after dropping root ID */ if (prctl(PR_SET_KEEPCAPS, 1) < 0) die("prctl: %m"); + /* completely switch to the unprivileged user ID */ if (setresuid(uid, uid, uid) < 0) die("setresuid: %m"); } diff --git a/sysdep/unix/main.c b/sysdep/unix/main.c index 744062b..610d207 100644 --- a/sysdep/unix/main.c +++ b/sysdep/unix/main.c @@ -383,7 +383,7 @@ cli_connect(sock *s, int size UNUSED) } static void -cli_init_unix(void) +cli_init_unix(uid_t use_uid, gid_t use_gid) { sock *s; @@ -393,6 +393,13 @@ cli_init_unix(void) s->rx_hook = cli_connect; s->rbsize = 1024; sk_open_unix(s, path_control_socket); + + if (use_uid || use_gid) + if (chown(path_control_socket, use_uid, use_gid) < 0) + die("chown: %m"); + + if (chmod(path_control_socket, 0660) < 0) + die("chmod: %m"); } /* @@ -503,9 +510,13 @@ get_uid(const char *s) { struct passwd *pw; char *endptr; - + long int rv; + + if (!s) + return 0; + errno = 0; - long int rv = strtol(s, &endptr, 10); + rv = strtol(s, &endptr, 10); if (!errno && !*endptr) return rv; @@ -522,9 +533,13 @@ get_gid(const char *s) { struct group *gr; char *endptr; + long int rv; + + if (!s) + return 0; errno = 0; - long int rv = strtol(s, &endptr, 10); + rv = strtol(s, &endptr, 10); if (!errno && !*endptr) return rv; @@ -601,24 +616,26 @@ main(int argc, char **argv) log_init_debug(""); log_switch(debug_flag, NULL, NULL); - if (use_group) - drop_gid(get_gid(use_group)); - - if (use_user) - drop_uid(get_uid(use_user)); - - if (!parse_and_exit) - test_old_bird(path_control_socket); - - DBG("Initializing.\n"); resource_init(); olock_init(); io_init(); rt_init(); if_init(); + uid_t use_uid = get_uid(use_user); + gid_t use_gid = get_gid(use_group); + if (!parse_and_exit) - cli_init_unix(); + { + test_old_bird(path_control_socket); + cli_init_unix(use_uid, use_gid); + } + + if (use_gid) + drop_gid(use_gid); + + if (use_uid) + drop_uid(use_uid); protos_build(); proto_build(&proto_unix_kernel); |