[src/trunk]: src Add _rtadvd user and group.
details: https://anonhg.NetBSD.org/src/rev/a78f1cb6d503
branches: trunk
changeset: 787853:a78f1cb6d503
user: roy <roy%NetBSD.org@localhost>
date: Tue Jul 09 09:34:58 2013 +0000
description:
Add _rtadvd user and group.
Add a chroot dir for the _rtadvd user.
Drop privs to the user _rtadvd after acquiring our socket.
When rc.d/rtadvd starts or reloads, the rtadvd config file is copied
into the chroot before starting or reloading rtadvd itself.
Create a symlink from /var/run/rtadvd.dump to the chroot
Initial idea from OpenBSD patch rtadvd.c r1.36
diffstat:
etc/group | 1 +
etc/master.passwd | 1 +
etc/mtree/special | 6 +++++-
etc/rc.d/rtadvd | 45 ++++++++++++++++++++++++++++++++++++++-------
usr.sbin/rtadvd/dump.c | 4 ++--
usr.sbin/rtadvd/rtadvd.c | 32 +++++++++++++++++++++++++++++++-
usr.sbin/rtadvd/rtadvd.h | 4 +++-
7 files changed, 81 insertions(+), 12 deletions(-)
diffs (213 lines):
diff -r 0cb0f38b628c -r a78f1cb6d503 etc/group
--- a/etc/group Tue Jul 09 08:57:16 2013 +0000
+++ b/etc/group Tue Jul 09 09:34:58 2013 +0000
@@ -25,6 +25,7 @@
_tcpdump:*:27:
_tss:*:28:
_gpio:*:29:
+_rtadvd:*:30:
guest:*:31:root
nobody:*:39:
utmp:*:45:
diff -r 0cb0f38b628c -r a78f1cb6d503 etc/master.passwd
--- a/etc/master.passwd Tue Jul 09 08:57:16 2013 +0000
+++ b/etc/master.passwd Tue Jul 09 09:34:58 2013 +0000
@@ -18,5 +18,6 @@
_tests:*:26:26::0:0:& pseudo-user:/nonexistent:/sbin/nologin
_tcpdump:*:27:27::0:0:& pseudo-user:/var/chroot/tcpdump:/sbin/nologin
_tss:*:28:28::0:0:& pseudo-user:/var/tpm:/sbin/nologin
+_rtadvd:*:30:30::0:0:& pseudo-user:/var/chroot/rtadvd:/sbin/nologin
uucp:*:66:1::0:0:UNIX-to-UNIX Copy:/nonexistent:/sbin/nologin
nobody:*:32767:39::0:0:Unprivileged user:/nonexistent:/sbin/nologin
diff -r 0cb0f38b628c -r a78f1cb6d503 etc/mtree/special
--- a/etc/mtree/special Tue Jul 09 08:57:16 2013 +0000
+++ b/etc/mtree/special Tue Jul 09 09:34:58 2013 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: special,v 1.145 2013/05/16 07:37:05 yamt Exp $
+# $NetBSD: special,v 1.146 2013/07/09 09:34:58 roy Exp $
# @(#)special 8.2 (Berkeley) 1/23/94
#
# This file may be overwritten on upgrades.
@@ -395,6 +395,10 @@
./var/chroot/ntpd/var/db type=dir mode=0775 gname=ntpd
./var/chroot/ntpd/var/run type=dir mode=0775 gname=ntpd
./var/chroot/pflogd type=dir mode=0755
+./var/chroot/rtadvd type=dir mode=0755
+./var/chroot/rtadvd/etc type=dir mode=0755
+./var/chroot/rtadvd/var type=dir mode=0755
+./var/chroot/rtadvd/var/run type=dir mode=0775 gname=_rtadvd
./var/chroot/sshd type=dir mode=0755
./var/chroot/tcpdump type=dir mode=0755
./var/chroot/tftp-proxy type=dir mode=0755
diff -r 0cb0f38b628c -r a78f1cb6d503 etc/rc.d/rtadvd
--- a/etc/rc.d/rtadvd Tue Jul 09 08:57:16 2013 +0000
+++ b/etc/rc.d/rtadvd Tue Jul 09 09:34:58 2013 +0000
@@ -1,6 +1,6 @@
#!/bin/sh
#
-# $NetBSD: rtadvd,v 1.7 2012/12/13 15:51:17 roy Exp $
+# $NetBSD: rtadvd,v 1.8 2013/07/09 09:34:58 roy Exp $
#
# PROVIDE: rtadvd
@@ -9,20 +9,51 @@
$_rc_subr_loaded . /etc/rc.subr
-name="rtadvd"
+name=rtadvd
rcvar=$name
-command="/usr/sbin/${name}"
+command="/usr/sbin/$name"
pidfile="/var/run/$name.pid"
-extra_commands="reload"
-start_precmd="rtadvd_precmd"
+extra_commands=reload
+start_precmd=rtadvd_prestart
+reload_precmd=rtadvd_prereload
+
+rtadvd_prereload()
+{
+ local chdir="$(getent passwd _rtadvd | cut -d: -f6)"
+ local conf=/etc/rtadvd.conf myflags o confdir
+
+ [ -z "$chdir" -o "$chdir" = / ] && return 0
-rtadvd_precmd()
+ if [ -n "$flags" ]; then
+ myflags=$flags
+ else
+ eval myflags=\$${name}_flags
+ fi
+ set -- ${myflags}
+ while getopts c:dDfM:Rs o; do
+ case "$1" in
+ -c) conf="$OPTARG";;
+ esac
+ shift
+ done
+ confdir=$(dirname "$conf")
+
+ echo "$name: copying $conf to $chdir$conf"
+ cp "$conf" "$chdir$conf"
+
+ # Provide a link to the chrooted dump file
+ ln -snf "$chdir/var/run/$name.dump" /var/run
+}
+
+rtadvd_prestart()
{
- if [ "$ip6mode" != "router" ]; then
+ if [ "$ip6mode" != router ]; then
warn \
"${name} cannot be used on IPv6 host, only on an IPv6 router."
return 1
fi
+
+ rtadvd_prereload
}
load_rc_config $name
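Review bot: The `getopts` loop in the new `rtadvd_prereload` matches on `$1` instead of the option letter that `getopts` stores in `$o`, and the trailing `shift` moves the positional parameters out from under `OPTIND`, so `-c` is only honoured when it happens to be the first flag (with `rtadvd_flags="-d -c /path/rtadvd.conf"` the default `/etc/rtadvd.conf` is copied and the chrooted daemon will not find the file it was told to use). The body should be `case "$o" in c) conf="$OPTARG";; esac` with the `shift` line deleted. `confdir` is computed but never used, and the copy fails for any `-c` path whose directory does not exist under the chroot (the mtree spec only creates `etc`), so `mkdir -p "$chdir$confdir" && cp "$conf" "$chdir$conf" || return 1` would both create it and stop the start or reload on a failed copy instead of letting the daemon run with a stale or missing config. Note also that `ln -snf` points `/var/run/rtadvd.dump` into a directory the `_rtadvd` user can write (`var/run` is 0775 `gname=_rtadvd` in the mtree spec), so a compromised daemon could replace `rtadvd.dump` with a symlink that root follows when reading the dump; that is worth a comment next to the `ln` at least.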
diff -r 0cb0f38b628c -r a78f1cb6d503 usr.sbin/rtadvd/dump.c
--- a/usr.sbin/rtadvd/dump.c Tue Jul 09 08:57:16 2013 +0000
+++ b/usr.sbin/rtadvd/dump.c Tue Jul 09 09:34:58 2013 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: dump.c,v 1.10 2012/12/13 15:36:36 roy Exp $ */
+/* $NetBSD: dump.c,v 1.11 2013/07/09 09:34:59 roy Exp $ */
/* $KAME: dump.c,v 1.34 2004/06/14 05:35:59 itojun Exp $ */
/*
@@ -269,7 +269,7 @@
dumpfile);
if ((fp = fopen(dumpfile, "w")) == NULL) {
- syslog(LOG_WARNING, "<%s> open a dump file(%s)",
+ syslog(LOG_WARNING, "<%s> open a dump file(%s): %m",
__func__, dumpfile);
return;
}
diff -r 0cb0f38b628c -r a78f1cb6d503 usr.sbin/rtadvd/rtadvd.c
--- a/usr.sbin/rtadvd/rtadvd.c Tue Jul 09 08:57:16 2013 +0000
+++ b/usr.sbin/rtadvd/rtadvd.c Tue Jul 09 09:34:58 2013 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: rtadvd.c,v 1.43 2013/06/28 07:59:32 roy Exp $ */
+/* $NetBSD: rtadvd.c,v 1.44 2013/07/09 09:34:59 roy Exp $ */
/* $KAME: rtadvd.c,v 1.92 2005/10/17 14:40:02 suz Exp $ */
/*
@@ -58,6 +58,7 @@
#include <util.h>
#endif
#include <poll.h>
+#include <pwd.h>
#include "rtadvd.h"
#include "rrenum.h"
@@ -177,6 +178,7 @@
struct timeval *timeout;
int i, ch;
int fflag = 0, logopt;
+ struct passwd *pw;
/* get command line options and arguments */
#define OPTIONS "c:dDfM:Rs"
@@ -229,6 +231,17 @@
if (dflag == 1)
(void)setlogmask(LOG_UPTO(LOG_INFO));
+ errno = 0; /* Ensure errno is 0 so we know if getpwnam errors or not */
+ if ((pw = getpwnam(RTADVD_USER)) == NULL) {
+ if (errno == 0)
+ syslog(LOG_ERR,
+ "user %s does not exist, aborting",
+ RTADVD_USER);
+ else
+ syslog(LOG_ERR, "getpwnam: %s: %m", RTADVD_USER);
+ exit(1);
+ }
+
/* timer initialization */
rtadvd_timer_init();
@@ -260,6 +273,23 @@
} else
set[1].fd = -1;
+ syslog(LOG_INFO, "dropping privileges to %s", RTADVD_USER);
+ if (chroot(pw->pw_dir) == -1) {
+ syslog(LOG_ERR, "chroot: %s: %m", pw->pw_dir);
+ exit(1);
+ }
+ if (chdir("/") == -1) {
+ syslog(LOG_ERR, "chdir: /: %m");
+ exit(1);
+ }
+ if (setgroups(1, &pw->pw_gid) == -1 ||
+ setgid(pw->pw_gid) == -1 ||
+ setuid(pw->pw_uid) == -1)
+ {
+ syslog(LOG_ERR, "failed to drop privileges: %m");
+ exit(1);
+ }
+
signal(SIGINT, set_die);
signal(SIGTERM, set_die);
signal(SIGHUP, set_reconf);
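Review bot: `pw->pw_dir` comes straight from the passwd database and is passed to `chroot()` with no check that it is a directory owned by root and not group- or world-writable; the mtree spec makes it root 0755, but a mis-permissioned or hand-edited entry would give the `_rtadvd` user a writable root where it could plant an `etc/rtadvd.conf` that the SIGHUP reconfiguration installed two lines below presumably reads back (the rc script copies the config there for that reload). A `stat()` check before the `chroot()` call, along the lines of sshd's privsep-directory check, closes that gap and turns the misconfiguration into a logged abort. It is also worth calling `endpwent()` once `pw` has been consumed so that any descriptor the passwd lookup left open is not carried into the chroot (whether one is open depends on the nsswitch backend). `main` starts and ends outside this hunk, so the `struct stat st;` belongs with its other declarations and `<sys/stat.h>` must be included if the file does not already pull it in.
```c
	syslog(LOG_INFO, "dropping privileges to %s", RTADVD_USER);
	if (stat(pw->pw_dir, &st) == -1 || !S_ISDIR(st.st_mode) ||
	    st.st_uid != 0 || (st.st_mode & (S_IWGRP | S_IWOTH)) != 0) {
		syslog(LOG_ERR, "chroot directory %s: must be a root-owned "
		    "directory not writable by group or others", pw->pw_dir);
		exit(1);
	}
	endpwent();
	if (chroot(pw->pw_dir) == -1) {
	/* … unchanged: chroot/chdir error handling, setgroups/setgid/setuid, signal setup … */
```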
diff -r 0cb0f38b628c -r a78f1cb6d503 usr.sbin/rtadvd/rtadvd.h
--- a/usr.sbin/rtadvd/rtadvd.h Tue Jul 09 08:57:16 2013 +0000
+++ b/usr.sbin/rtadvd/rtadvd.h Tue Jul 09 09:34:58 2013 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: rtadvd.h,v 1.12 2012/12/13 15:36:36 roy Exp $ */
+/* $NetBSD: rtadvd.h,v 1.13 2013/07/09 09:34:59 roy Exp $ */
/* $KAME: rtadvd.h,v 1.30 2005/10/17 14:40:02 suz Exp $ */
/*
@@ -30,6 +30,8 @@
* SUCH DAMAGE.
*/
+#define RTADVD_USER "_rtadvd"
+
#define ALLNODES "ff02::1"
#define ALLROUTERS_LINK "ff02::2"
#define ALLROUTERS_SITE "ff05::2"