authorTheo de Raadt <deraadt@cvs.openbsd.org>2013-03-11 21:24:25 +0000
committerTheo de Raadt <deraadt@cvs.openbsd.org>2013-03-11 21:24:25 +0000
commit293cf9e95d10c438e8694e068cfeaf4c763e6706 (patch)
treedf71b80ce43fdf394801ab364aee5271d11e0658
parent131a2175b89bac0403738c3a2eaf38b16dccf806 (diff)
Remove -u and -g support; running as another privdrop user or group is stupid.
ok millert guenther
-rw-r--r--libexec/identd/identd.820
-rw-r--r--libexec/identd/identd.c48
2 files changed, 8 insertions, 60 deletions
diff --git a/libexec/identd/identd.8 b/libexec/identd/identd.8
index 7aeb9fc9131..cf95af19851 100644
--- a/libexec/identd/identd.8
+++ b/libexec/identd/identd.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: identd.8,v 1.29 2013/03/09 17:40:57 deraadt Exp $
+.\" $OpenBSD: identd.8,v 1.30 2013/03/11 21:24:24 deraadt Exp $
.\"
.\" Copyright (c) 1997, Jason Downs. All rights reserved.
.\"
@@ -27,7 +27,7 @@
.\" Copyright (c) 1992 Peter Eriksson, Lysator, Linkoping University.
.\" This software has been released into the public domain.
.\"
-.Dd $Mdocdate: March 9 2013 $
+.Dd $Mdocdate: March 11 2013 $
.Dt IDENTD 8
.Os
.Sh NAME
@@ -40,10 +40,8 @@
.Op Fl b | i | w
.Op Fl a Ar address
.Op Fl c Ar charset
-.Op Fl g Ar gid
.Op Fl p Ar port
.Op Fl t Ar seconds
-.Op Fl u Ar uid
.Ek
.Sh DESCRIPTION
.Nm
@@ -93,12 +91,6 @@ instead of the
or
.Dq INVALID-PORT
errors.
-.It Fl g Ar gid
-Specify a group ID number or group name which the
-.Nm
-server should
-switch to after binding itself to the
-TCP/IP port if running as a stand-alone daemon.
.It Fl H
Hide information about non existing users (e.g., connections through NAT) as
well as existing users.
@@ -166,14 +158,6 @@ in the user's home directory.
If this file is accessible, return
at most 20 characters of the first line of the file
instead of the normal USERID response.
-.It Fl u Ar uid
-Specify a user ID number or user name which the
-.Nm identd
-server should
-switch to after binding itself to the
-TCP/IP port if running as a stand-alone daemon.
-.Nm
-runs as user
.Qq _identd .
.It Fl v
Log every request to syslog if
diff --git a/libexec/identd/identd.c b/libexec/identd/identd.c
index fda10cdf870..92a6ad14b72 100644
--- a/libexec/identd/identd.c
+++ b/libexec/identd/identd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: identd.c,v 1.52 2013/03/11 17:40:10 deraadt Exp $ */
+/* $OpenBSD: identd.c,v 1.53 2013/03/11 21:24:24 deraadt Exp $ */
/*
* This program is in the public domain and may be used freely by anyone
@@ -67,7 +67,7 @@ usage(void)
{
syslog(LOG_ERR,
"usage: %s [-46deHhlmNnoUv] [-b | -i | -w] [-a address] [-c charset] "
- "[-g gid] [-p port] [-t seconds] [-u uid]", __progname);
+ "[-p port] [-t seconds]", __progname);
exit(2);
}
@@ -149,7 +149,6 @@ main(int argc, char *argv[])
struct in_addr laddr, faddr;
struct in6_addr laddr6, faddr6;
struct passwd *pwd;
- struct group *grp;
struct pollfd *pfds = NULL;
int i, n = 0, background_flag = 0, timeout = 0, ch;
char *portno = "auth";
@@ -207,34 +206,6 @@ main(int argc, char *argv[])
case 'a':
bind_address = optarg;
break;
- case 'u':
- pwd = getpwnam(optarg);
- if (pwd == NULL && isdigit(optarg[0])) {
- set_uid = atoi(optarg);
- if ((pwd = getpwuid(set_uid)) == NULL)
- break;
- }
- if (pwd == NULL)
- error("no such user (%s) for -u option",
- optarg);
- else {
- set_uid = pwd->pw_uid;
- if (set_gid == 0)
- set_gid = pwd->pw_gid;
- }
- break;
- case 'g':
- grp = getgrnam(optarg);
- if (grp == NULL && isdigit(optarg[0])) {
- set_gid = atoi(optarg);
- break;
- }
- grp = getgrnam(optarg);
- if (!grp)
- error("no such group (%s) for -g option", optarg);
- else
- set_gid = grp->gr_gid;
- break;
case 'c':
charset_name = optarg;
charset_sep = " , ";
@@ -350,19 +321,12 @@ main(int argc, char *argv[])
n = 1;
}
- if (set_gid) {
- if (setegid(set_gid) == -1)
+ if (set_gid)
+ if (setresgid(set_gid, set_gid, set_gid) == -1)
error("main: setegid");
- if (setgid(set_gid) == -1)
- error("main: setgid");
- }
- if (set_uid) {
- if (seteuid(set_uid) == -1)
+ if (set_uid)
+ if (setresuid(set_uid, set_uid, set_uid) == -1)
error("main: seteuid");
- if (setuid(set_uid) == -1)
- error("main: setuid");
- }
-
/*
* Do some special handling if the "-b" or "-w" flags are used
*/
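Review bot: The two error messages on the new side are now stale: the call is `setresgid()` but the message still says `error("main: setegid");`, and the call is `setresuid()` while the message says `error("main: seteuid");`, which will send a syslog operator looking for a call that no longer exists; change them to `error("main: setresgid");` and `error("main: setresuid");`. The brace-less nested `if (set_gid) if (setresgid(...) == -1)` form is also easy to break when a line is added later (a dangling-else or goto-fail shape), so keep the outer braces the old code had even though the body is now one statement. Dropping the group before the user is the right order, and collapsing the effective/real two-step into one setres* call is what closes the window in which only the effective ID had been changed. main() continues outside this hunk, so whether a failed or skipped drop (set_uid == 0) is caught elsewhere cannot be confirmed from here.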