charybdis: Implement privsep()
This daemon shouldn't run as root. With privsep() we can handle in a regular fashion changing user and group to a custom user.
This commit is contained in:
Kamil Rytarowski
parent
e92c24e6e1
commit
e8ca8ea56b
|
|
@ -16,6 +16,16 @@ GNU_CONFIGURE= yes
|
|||
|
||||
BUILD_DEFS+= VARBASE
|
||||
|
||||
# Put this in mk/defaults/mk.conf
|
||||
CHARYBDIS_USER?= charybdis
|
||||
CHARYBDIS_GROUP?= charybdis
|
||||
|
||||
PKG_USERS_VARS+= CHARYBDIS_USER
|
||||
PKG_GROUPS_VARS+= CHARYBDIS_GROUP
|
||||
|
||||
PKG_USERS= ${CHARYBDIS_USER}:${CHARYBDIS_GROUP}
|
||||
PKG_GROUPS= ${CHARYBDIS_GROUP}
|
||||
|
||||
CHARYBDIS_PID_DIR= ${VARBASE}/run # default directory for PID files
|
||||
FILES_SUBST+= CHARYBDIS_PID_DIR=${CHARYBDIS_PID_DIR}
|
||||
|
||||
|
|
@ -25,6 +35,8 @@ EGDIR= ${PREFIX}/share/examples/charybdis
|
|||
|
||||
INSTALL_MAKE_FLAGS+= sysconfdir=${EGDIR}
|
||||
|
||||
CFLAGS+= -DCHARYBDIS_USER='"${CHARYBDIS_USER}"'
|
||||
|
||||
pre-configure:
|
||||
${RUN} cd ${WRKSRC} && ./autogen.sh
|
||||
|
||||
|
|
|
|||
|
|
@ -4,4 +4,5 @@ SHA1 (charybdis-4.0.tar.gz) = 57957259f00e8c20ae22adee2d0648a8d017fe55
|
|||
RMD160 (charybdis-4.0.tar.gz) = 8abca605db25eb5b8aea95588c6819eb3fd0e1fa
|
||||
SHA512 (charybdis-4.0.tar.gz) = c65d1ee4a04a432694edaa2f58ec69a904de1f6195f6880a52d28c893c46d67bf2ed253f356dd8507b31d1850ce53b3eb18cf800638dc2389770cc5d2ae78924
|
||||
Size (charybdis-4.0.tar.gz) = 2681395 bytes
|
||||
SHA1 (patch-ircd_ircd.c) = df97bc22a953086430bc752ecab601b55714683a
|
||||
SHA1 (patch-librb_configure.ac) = 078ed443d188eb2be7c61293aa19ed23b92331b5
|
||||
|
|
|
|||
|
|
@ -0,0 +1,51 @@
|
|||
$NetBSD$
|
||||
|
||||
--- ircd/ircd.c.orig 2017-10-20 22:29:47.000000000 +0000
|
||||
+++ ircd/ircd.c
|
||||
@@ -66,6 +66,10 @@
|
||||
#include "authproc.h"
|
||||
#include "operhash.h"
|
||||
|
||||
+#include <sys/param.h>
|
||||
+#include <unistd.h>
|
||||
+#include <pwd.h>
|
||||
+
|
||||
static void
|
||||
ircd_die_cb(const char *str) __attribute__((noreturn));
|
||||
|
||||
@@ -617,6 +621,22 @@ seed_random(void *unused)
|
||||
srand(seed);
|
||||
}
|
||||
|
||||
+static int
|
||||
+privdrop(void)
|
||||
+{
|
||||
+ struct passwd *pw;
|
||||
+
|
||||
+ if ((pw = getpwnam(CHARYBDIS_USER)) == NULL) {
|
||||
+ fprintf(stderr, "unknown user %s", CHARYBDIS_USER);
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
+ if (setgroups(1, &pw->pw_gid) || setegid(pw->pw_gid) || seteuid(pw->pw_gid))
|
||||
+ return -1;
|
||||
+
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
/*
|
||||
* main
|
||||
*
|
||||
@@ -635,8 +655,10 @@ charybdis_main(int argc, char * const ar
|
||||
/* Check to see if the user is running us as root, which is a nono */
|
||||
if(geteuid() == 0)
|
||||
{
|
||||
- fprintf(stderr, "Don't run ircd as root!!!\n");
|
||||
- return -1;
|
||||
+ if (privdrop() != 0) {
|
||||
+ fprintf(stderr, "Don't run ircd as root!!!\n");
|
||||
+ return -1;
|
||||
+ }
|
||||
}
|
||||
#endif
|
||||
|
||||
Loading…
Reference in New Issue