Improve previous commit by using setusercontext(3) and removing the group
option. Bump doc date for manual page changes. Reviewed by: rwatson, ru, will (older version)
This commit is contained in:
parent
1d8e1b8a5d
commit
e6d4b388b9
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=167700
@ -26,7 +26,7 @@
|
|||||||
.\"
|
.\"
|
||||||
.\" $FreeBSD$
|
.\" $FreeBSD$
|
||||||
.\"
|
.\"
|
||||||
.Dd March 9, 2007
|
.Dd March 19, 2007
|
||||||
.Dt DAEMON 8
|
.Dt DAEMON 8
|
||||||
.Os
|
.Os
|
||||||
.Sh NAME
|
.Sh NAME
|
||||||
@ -35,16 +35,15 @@
|
|||||||
.Sh SYNOPSIS
|
.Sh SYNOPSIS
|
||||||
.Nm
|
.Nm
|
||||||
.Op Fl cf
|
.Op Fl cf
|
||||||
.Op Fl u Ar user
|
|
||||||
.Op Fl g Ar group
|
|
||||||
.Op Fl p Ar pidfile
|
.Op Fl p Ar pidfile
|
||||||
|
.Op Fl u Ar user
|
||||||
.Ar command arguments ...
|
.Ar command arguments ...
|
||||||
.Sh DESCRIPTION
|
.Sh DESCRIPTION
|
||||||
The
|
The
|
||||||
.Nm
|
.Nm
|
||||||
utility detaches itself from the controlling terminal and
|
utility detaches itself from the controlling terminal and
|
||||||
executes the program specified by its arguments.
|
executes the program specified by its arguments.
|
||||||
Privileges may be lowered to specified user and/or group.
|
Privileges may be lowered to the specified user.
|
||||||
.Pp
|
.Pp
|
||||||
The options are as follows:
|
The options are as follows:
|
||||||
.Bl -tag -width indent
|
.Bl -tag -width indent
|
||||||
@ -54,19 +53,17 @@ Change the current working directory to the root
|
|||||||
.It Fl f
|
.It Fl f
|
||||||
Redirect standard input, standard output and standard error to
|
Redirect standard input, standard output and standard error to
|
||||||
.Pa /dev/null .
|
.Pa /dev/null .
|
||||||
.It Fl g Ar group
|
|
||||||
Drop privileges to specified group.
|
|
||||||
.It Fl p Ar file
|
.It Fl p Ar file
|
||||||
Write the ID of the created process into the
|
Write the ID of the created process into the
|
||||||
.Ar file
|
.Ar file
|
||||||
using
|
using the
|
||||||
.It Fl u Ar user
|
|
||||||
Drop privileges to specified user.
|
|
||||||
.Xr pidfile 3
|
.Xr pidfile 3
|
||||||
functionality.
|
functionality.
|
||||||
Note, that the file will be created shortly before the process is
|
Note, that the file will be created shortly before the process is
|
||||||
actually executed, and will remain after the process exits (although
|
actually executed, and will remain after the process exits (although
|
||||||
it will be removed if the execution fails).
|
it will be removed if the execution fails).
|
||||||
|
.It Fl u Ar user
|
||||||
|
Run the program with the rights of user specified, requires privilege.
|
||||||
.El
|
.El
|
||||||
.Sh EXIT STATUS
|
.Sh EXIT STATUS
|
||||||
The
|
The
|
||||||
|
@ -36,13 +36,13 @@ __FBSDID("$FreeBSD$");
|
|||||||
#include <err.h>
|
#include <err.h>
|
||||||
#include <errno.h>
|
#include <errno.h>
|
||||||
#include <pwd.h>
|
#include <pwd.h>
|
||||||
#include <grp.h>
|
|
||||||
#include <libutil.h>
|
#include <libutil.h>
|
||||||
|
#include <login_cap.h>
|
||||||
#include <stdio.h>
|
#include <stdio.h>
|
||||||
#include <stdlib.h>
|
#include <stdlib.h>
|
||||||
#include <unistd.h>
|
#include <unistd.h>
|
||||||
|
|
||||||
static void restrict_process(const char *, const char *);
|
static void restrict_process(const char *);
|
||||||
static void usage(void);
|
static void usage(void);
|
||||||
|
|
||||||
int
|
int
|
||||||
@ -50,12 +50,12 @@ main(int argc, char *argv[])
|
|||||||
{
|
{
|
||||||
struct pidfh *pfh = NULL;
|
struct pidfh *pfh = NULL;
|
||||||
int ch, nochdir, noclose, errcode;
|
int ch, nochdir, noclose, errcode;
|
||||||
const char *pidfile, *user, *group;
|
const char *pidfile, *user;
|
||||||
pid_t otherpid;
|
pid_t otherpid;
|
||||||
|
|
||||||
nochdir = noclose = 1;
|
nochdir = noclose = 1;
|
||||||
pidfile = user = group = NULL;
|
pidfile = user = NULL;
|
||||||
while ((ch = getopt(argc, argv, "-cfg:p:u:")) != -1) {
|
while ((ch = getopt(argc, argv, "-cf:p:u:")) != -1) {
|
||||||
switch (ch) {
|
switch (ch) {
|
||||||
case 'c':
|
case 'c':
|
||||||
nochdir = 0;
|
nochdir = 0;
|
||||||
@ -63,15 +63,12 @@ main(int argc, char *argv[])
|
|||||||
case 'f':
|
case 'f':
|
||||||
noclose = 0;
|
noclose = 0;
|
||||||
break;
|
break;
|
||||||
case 'u':
|
|
||||||
user = optarg;
|
|
||||||
break;
|
|
||||||
case 'g':
|
|
||||||
group = optarg;
|
|
||||||
break;
|
|
||||||
case 'p':
|
case 'p':
|
||||||
pidfile = optarg;
|
pidfile = optarg;
|
||||||
break;
|
break;
|
||||||
|
case 'u':
|
||||||
|
user = optarg;
|
||||||
|
break;
|
||||||
default:
|
default:
|
||||||
usage();
|
usage();
|
||||||
}
|
}
|
||||||
@ -82,12 +79,8 @@ main(int argc, char *argv[])
|
|||||||
if (argc == 0)
|
if (argc == 0)
|
||||||
usage();
|
usage();
|
||||||
|
|
||||||
if (user || group) {
|
if (user != NULL)
|
||||||
if (getuid() != 0)
|
restrict_process(user);
|
||||||
errx(1, "only root user is allowed to chroot "
|
|
||||||
"and change UID/GID");
|
|
||||||
restrict_process(user, group);
|
|
||||||
}
|
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Try to open the pidfile before calling daemon(3),
|
* Try to open the pidfile before calling daemon(3),
|
||||||
@ -126,34 +119,23 @@ main(int argc, char *argv[])
|
|||||||
}
|
}
|
||||||
|
|
||||||
static void
|
static void
|
||||||
restrict_process(const char *user, const char *group)
|
restrict_process(const char *user)
|
||||||
{
|
{
|
||||||
struct group *gr = NULL;
|
|
||||||
struct passwd *pw = NULL;
|
struct passwd *pw = NULL;
|
||||||
errno = 0;
|
|
||||||
|
|
||||||
if (group != NULL) {
|
pw = getpwnam(user);
|
||||||
if (initgroups(user, gr->gr_gid) == -1)
|
if (pw == NULL)
|
||||||
errx(1, "User not in group list");
|
errx(1, "unknown user: %s", user);
|
||||||
if ((gr = getgrnam(group)) == NULL)
|
|
||||||
errx(1, "Group %s does not exist", group);
|
|
||||||
if (setgid(gr->gr_gid) == -1)
|
|
||||||
err(1, "%s", group);
|
|
||||||
}
|
|
||||||
|
|
||||||
if (user != NULL) {
|
if (setusercontext(NULL, pw, pw->pw_uid, LOGIN_SETALL) != 0)
|
||||||
if ((pw = getpwnam(user)) == NULL)
|
errx(1, "failed to set user environment");
|
||||||
errx(1, "User %s does not exist", user);
|
|
||||||
if (setuid(pw->pw_uid) == -1)
|
|
||||||
err(1, "%s", user);
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
static void
|
static void
|
||||||
usage(void)
|
usage(void)
|
||||||
{
|
{
|
||||||
(void)fprintf(stderr,
|
(void)fprintf(stderr,
|
||||||
"usage: daemon [-cf] [-g group] [-p pidfile] [-u user] command "
|
"usage: daemon [-cf] [-p pidfile] [-u user] command "
|
||||||
"arguments ...\n");
|
"arguments ...\n");
|
||||||
exit(1);
|
exit(1);
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user