When dropping privileges prefer capsicum over chroot+setgid+setuid.
We can use capsicum for secondary worker processes and hastctl. When working as primary we still drop privileges using chroot+setgid+setuid, as we need to send ioctl(2)s to the ggate device, which capsicum doesn't allow (yet). X-MFC after: capsicum is merged to stable/8
This commit is contained in:
parent
f394ce6e5b
commit
4d8dc3b838
@ -480,9 +480,8 @@ main(int argc, char *argv[])
cfg->hc_controladdr);
}
if (drop_privs() != 0)
if (drop_privs(true) != 0)
exit(EX_CONFIG);
pjdlog_debug(1, "Privileges successfully dropped.");
/* Send the command to the server... */
if (hast_proto_send(NULL, controlconn, nv, NULL, 0) < 0) {
@ -874,7 +874,7 @@ hastd_primary(struct hast_resource *res)
init_ggate(res);
init_environment(res);
if (drop_privs() != 0) {
if (drop_privs(true) != 0) {
cleanup(res);
exit(EX_CONFIG);
}
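Review bot: The primary hunk passes `true` to drop_privs(), which contradicts the commit description: with `usecapsicum` set, drop_privs() calls cap_enter() first and returns 0 as soon as it succeeds, so the primary would never reach the chroot+setgid+setuid path that the description says it still needs for the ggate ioctl(2)s. Unless this rendering lost the side markers and the new line is actually the `false` variant, the call in hastd_primary should read `if (drop_privs(false) != 0) {`. The enclosing function starts and ends outside the hunk.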
@ -440,7 +440,7 @@ hastd_secondary(struct hast_resource *res, struct nv *nvin)
init_local(res);
init_environment();
if (drop_privs() != 0)
if (drop_privs(true) != 0)
exit(EX_CONFIG);
pjdlog_info("Privileges successfully dropped.");
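Review bot: The info-level message after the call no longer tells an operator which sandbox the secondary actually ended up in, because drop_privs() reports the mechanism (capsicum or chroot+setgid+setuid) only at debug level 1 and the capsicum attempt may silently fall back after a warning. Since the two modes differ in what a compromised worker can still reach, it is worth making the mechanism visible at the default log level, e.g. by having drop_privs() return or log the chosen mode at LOG_INFO and keeping the caller's `pjdlog_info(...)` consistent with it. The enclosing function starts and ends outside the hunk.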
@ -30,6 +30,7 @@
#include <sys/cdefs.h>
__FBSDID("$FreeBSD$");
#include <sys/capability.h>
#include <sys/types.h>
#include <sys/disk.h>
#include <sys/ioctl.h>
@ -39,6 +40,7 @@ __FBSDID("$FreeBSD$");
#include <fcntl.h>
#include <pwd.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
@ -144,13 +146,22 @@ role2str(int role)
}
int
drop_privs(void)
drop_privs(bool usecapsicum)
{
struct passwd *pw;
uid_t ruid, euid, suid;
gid_t rgid, egid, sgid;
gid_t gidset[1];
if (usecapsicum) {
if (cap_enter() == 0) {
pjdlog_debug(1,
"Privileges successfully dropped using capsicum.");
return (0);
}
pjdlog_errno(LOG_WARNING, "Unable to sandbox using capsicum");
}
/*
* According to getpwnam(3) we have to clear errno before calling the
* function to be able to distinguish between an error and missing
@ -208,5 +219,8 @@ drop_privs(void)
PJDLOG_VERIFY(getgroups(1, gidset) == 1);
PJDLOG_VERIFY(gidset[0] == pw->pw_gid);
pjdlog_debug(1,
"Privileges successfully dropped using chroot+setgid+setuid.");
return (0);
}
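Review bot: The new `usecapsicum` branch in drop_privs() returns 0 right after a successful cap_enter() without changing uid/gid or chrooting, so a caller that passes `true` keeps its original credentials and only loses the ability to open new global-namespace resources; neither the function nor its new prototype says so, and the two modes are not equivalent from a containment point of view. A comment ahead of the `if (usecapsicum)` test should spell out the contract: `/* Capability mode keeps uid/gid as they are and only cuts off access to global namespaces; on failure (e.g. ENOSYS on a kernel without capsicum) fall back to chroot+setgid+setuid. */`. Related, when cap_enter() fails because the kernel lacks capsicum the LOG_WARNING line will presumably fire on every start of every worker; consider logging at debug level when errno is ENOSYS and keeping the warning for other errors. The body of drop_privs() continues between this hunk and the final one at `PJDLOG_VERIFY(getgroups(...))`, so the fallback path itself is not visible here.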
@ -50,6 +50,6 @@ int snprlcat(char *str, size_t size, const char *fmt, ...);
int provinfo(struct hast_resource *res, bool dowrite);
const char *role2str(int role);
int drop_privs(void);
int drop_privs(bool usecapsicum);
#endif /* !_SUBR_H_ */