Go to:
Gentoo Home
Documentation
Forums
Lists
Bugs
Planet
Store
Wiki
Get Gentoo!
Gentoo's Bugzilla – Attachment 72905 Details for
Bug 112260
net-proxy/bfilter - version bump to 0.10.1
Home
|
New
–
[Ex]
|
Browse
|
Search
|
Privacy Policy
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
bfilter-0.10.1-droppriv.patch
bfilter-0.10.1-droppriv.patch (text/plain), 3.56 KB, created by
Alan Swanson
on 2005-11-14 14:30:29 UTC
(
hide
)
Description:
bfilter-0.10.1-droppriv.patch
Filename:
MIME Type:
Creator:
Alan Swanson
Created:
2005-11-14 14:30:29 UTC
Size:
3.56 KB
patch
obsolete
>diff -ur bfilter-0.10.1/main/daemon/Daemon.cpp bfilter-0.10.1-droppriv/main/daemon/Daemon.cpp >--- bfilter-0.10.1/main/daemon/Daemon.cpp 2005-10-10 23:52:20.000000000 +0100 >+++ bfilter-0.10.1-droppriv/main/daemon/Daemon.cpp 2005-11-14 20:05:40.000000000 +0000 >@@ -52,6 +52,10 @@ > #include <deque> > #include <list> > #include <cstdlib> >+#include <sys/stat.h> >+#include <pwd.h> >+#include <grp.h> >+#include <netdb.h> > > namespace po = boost::program_options; > using namespace std; >@@ -340,6 +344,69 @@ > } > > bool >+Daemon::droppriv(std::string const& chrootdir, std::string const& user, std::string const& group) >+{ >+ uid_t uid = 0; >+ uid_t gid = 0; >+ >+ if (!chrootdir.empty() || !user.empty() || !group.empty()) { >+ struct stat stat_r; >+ struct passwd *user_r; >+ struct group *group_r; >+ >+ if (getuid()) { >+ std::cerr << "Cannot lower privileges, not running as root" << std::endl; >+ return false; >+ } >+ if (!chrootdir.empty() && stat(chrootdir.c_str(), &stat_r)) { >+ if (!S_ISDIR(stat_r.st_mode)) { >+ std::cerr << "Cannot lower privileges, chroot directory does not exist" << std::endl; >+ return false; >+ } >+ } >+ if (!user.empty()) { >+ user_r = getpwnam(user.c_str()); >+ if (user_r) { >+ uid = user_r->pw_uid; >+ } else { >+ std::cerr << "Cannot lower privileges, unknown user" << std::endl; >+ return false; >+ } >+ } >+ if (!group.empty()) { >+ group_r = getgrnam(group.c_str()); >+ if (group_r) { >+ gid = group_r->gr_gid; >+ } else { >+ std::cerr << "Cannot lower privileges, unknown group" << std::endl; >+ return false; >+ } >+ } >+ } >+ >+ if (!chrootdir.empty()) { >+ // Using gethostbyname before chrooting means that the chroot >+ // directory can be empty (no etc/resolv.conf or dynamically >+ // loaded lib/libnss* libraries). Using localhost here to >+ // prevent remote name resolution does not work. >+ gethostbyname("slashdot.org"); >+ if (chroot(chrootdir.c_str())) { >+ std::cerr << "Cannot lower privileges, chroot directory no longer exists" << std::endl; >+ return false; >+ } >+ chdir("/"); >+ } >+ if (gid) { >+ setgroups(0, NULL); >+ setgid(gid); >+ } >+ if (uid) { >+ setuid(uid); >+ } >+ return true; >+} >+ >+bool > Daemon::run(bool nodaemon) > { > if (!nodaemon) { >@@ -447,13 +514,19 @@ > { > bool nodaemon = false; > std::string confdir = string(SYSCONFDIR) + "/bfilter"; >- >+ std::string chrootdir; >+ std::string user; >+ std::string group; >+ > try { > po::options_description desc("Allowed options"); > desc.add_options() > ("help,h", "Print help message") > ("version,v", "Print version") > ("confdir,c", po::value<string>(&confdir), "Set custom config directory") >+ ("chroot,r", po::value<string>(&chrootdir), "Set chroot directory") >+ ("user,u", po::value<string>(&user), "Set unprivileged user") >+ ("group,g", po::value<string>(&group), "Set unprivileged group") > ("nodaemon,n", po::bool_switch(&nodaemon), "Disable background daemon mode") > ; > po::variables_map vm; >@@ -476,6 +549,9 @@ > if (!daemon.init(confdir)) { > exit(EXIT_FAILURE); > } >+ if (!daemon.droppriv(chrootdir, user, group)) { >+ exit(EXIT_FAILURE); >+ } > if (!daemon.run(nodaemon)) { > exit(EXIT_FAILURE); > } >diff -ur bfilter-0.10.1/main/daemon/Daemon.h bfilter-0.10.1-droppriv/main/daemon/Daemon.h >--- bfilter-0.10.1/main/daemon/Daemon.h 2005-01-14 16:54:32.000000000 +0000 >+++ bfilter-0.10.1-droppriv/main/daemon/Daemon.h 2005-11-14 18:22:58.000000000 +0000 >@@ -33,7 +33,7 @@ > { > public: > bool init(std::string const& confdir); >- >+ bool droppriv(std::string const& chrootdir, std::string const& user, std::string const& group); > bool run(bool nodaemon); > private: > class ConfigErrorHandler;
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=72905">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 112260
: 72905 |
72910
