Signed-off-by: Pierre Habouzit <madcoder@debian.org>
-int drop_privilegies(const char *user, const char *group)
+int drop_privileges(const char *user, const char *group)
{
if (!geteuid()) {
struct passwd *pw;
{
if (!geteuid()) {
struct passwd *pw;
int accept_nonblock(int fd);
int daemon_detach(void);
int accept_nonblock(int fd);
int daemon_detach(void);
-int drop_privilegies(const char *user, const char *group);
+int drop_privileges(const char *user, const char *group);
#define DAEMON_NAME "pfix-srsd"
#define DEFAULT_ENCODER_PORT 10000
#define DEFAULT_DECODER_PORT 10001
#define DAEMON_NAME "pfix-srsd"
#define DEFAULT_ENCODER_PORT 10000
#define DEFAULT_DECODER_PORT 10001
+#define RUNAS_USER "nobody"
+#define RUNAS_GROUP "nogroup"
+
#define __tostr(x) #x
#define STR(x) __tostr(x)
#define __tostr(x) #x
#define STR(x) __tostr(x)
" -d <port> port to listen to for decoding requests\n"
" (default: "STR(DEFAULT_DECODER_PORT)")\n"
" -p <pidfile> file to write our pid to\n"
" -d <port> port to listen to for decoding requests\n"
" (default: "STR(DEFAULT_DECODER_PORT)")\n"
" -p <pidfile> file to write our pid to\n"
+ " -u unsafe mode: don't drop privilegies\n"
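Review bot: The new usage line spells the word "privilegies", which is the same misspelling this commit removes from the function name; it should read `" -u unsafe mode: don't drop privileges\n"`. Since `-u` turns off a security control, the help text could also name the identity used otherwise, for example `(default: run as "RUNAS_USER":"RUNAS_GROUP")` built from the two new macros, so operators know what the flag bypasses.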
int main(int argc, char *argv[])
{
int main(int argc, char *argv[])
{
int port_enc = DEFAULT_ENCODER_PORT;
int port_dec = DEFAULT_DECODER_PORT;
const char *pidfile = NULL;
int port_enc = DEFAULT_ENCODER_PORT;
int port_dec = DEFAULT_DECODER_PORT;
const char *pidfile = NULL;
- for (int c = 0; (c = getopt(argc, argv, "he:d:p:")) >= 0; ) {
+ for (int c = 0; (c = getopt(argc, argv, "he:d:p:u")) >= 0; ) {
switch (c) {
case 'e':
port_enc = atoi(optarg);
switch (c) {
case 'e':
port_enc = atoi(optarg);
case 'p':
pidfile = optarg;
break;
case 'p':
pidfile = optarg;
break;
+ case 'u':
+ unsafe = true;
+ break;
default:
usage();
return EXIT_FAILURE;
default:
usage();
return EXIT_FAILURE;
fprintf(f, "%d\n", getpid());
fflush(f);
}
fprintf(f, "%d\n", getpid());
fflush(f);
}
+
+ if (!unsafe && drop_privileges(RUNAS_USER, RUNAS_GROUP) < 0) {
+ syslog(LOG_CRIT, "unable to drop privileges");
+ return EXIT_FAILURE;
+ }
+
if (daemon_detach() < 0) {
syslog(LOG_CRIT, "unable to fork");
return EXIT_FAILURE;
}
if (daemon_detach() < 0) {
syslog(LOG_CRIT, "unable to fork");
return EXIT_FAILURE;
}
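Review bot: With `-u` the process keeps the identity it was started with and nothing records that, so an instance left running as root looks the same in the logs as a normal one; I would add `if (unsafe && !geteuid()) syslog(LOG_WARNING, "-u given: not dropping root privileges");` before this check. The failure message would be easier to act on with the target identity, `syslog(LOG_CRIT, "unable to drop privileges to %s:%s", RUNAS_USER, RUNAS_GROUP);`, because a system without a "nogroup" group presumably makes the call fail and the daemon then refuses to start. Only the first lines of drop_privileges are visible on this page, so it is worth confirming there that supplementary groups are cleared and that the group is changed before the user. main's body starts and ends outside this hunk.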
if (f) {
rewind(f);
ftruncate(fileno(f), 0);
fprintf(f, "%d\n", getpid());
if (f) {
rewind(f);
ftruncate(fileno(f), 0);
fprintf(f, "%d\n", getpid());
}
res = main_loop(srs, argv[optind], port_enc, port_dec);
}
res = main_loop(srs, argv[optind], port_enc, port_dec);
- if (pidfile) {
- unlink(pidfile);
+ if (f) {
+ rewind(f);
+ ftruncate(fileno(f), 0);
+ fclose(f);
+ f = NULL;