Drop privileges in worker processes.

Accepting connections and handshaking in secondary is still done before dropping privileges. It should be implemented by only accepting connections in privileged main process and passing connection descriptors to the worker, but is not implemented yet. MFC after: 1 week
2011-01-28 22:35:46 +00:00 · 2011-01-28 22:35:46 +00:00 · 621f7543a9
commit 621f7543a9
parent 1d4238ea6d
2 changed files with 8 additions and 0 deletions
--- a/sbin/hastd/primary.c
+++ b/sbin/hastd/primary.c
@ -847,6 +847,11 @@ hastd_primary(struct hast_resource *res)
 	init_ggate(res);
 	init_environment(res);

+	if (drop_privs() != 0) {
+		cleanup(res);
+		exit(EX_CONFIG);
+	}
+
 	/*
 	 * Create the guard thread first, so we can handle signals from the
 	 * very begining.
--- a/sbin/hastd/secondary.c
+++ b/sbin/hastd/secondary.c
@ -413,6 +413,9 @@ hastd_secondary(struct hast_resource *res, struct nv *nvin)
 	init_local(res);
 	init_environment();

+	if (drop_privs() != 0)
+		exit(EX_CONFIG);
+
 	/*
 	 * Create the control thread before sending any event to the parent,
 	 * as we can deadlock when parent sends control request to worker,