diff options
| author | Rainer Giedat <rainer@cvs.openbsd.org> | 2008-06-09 22:53:25 +0000 |
|---|---|---|
| committer | Rainer Giedat <rainer@cvs.openbsd.org> | 2008-06-09 22:53:25 +0000 |
| commit | 78fc5032107923a7eba3087758a6098489e6a5fb (patch) | |
| tree | c0446d7517bd7d7ed5764ed20461d45ce0669eba | |
| parent | 93c232b37d7879e6b0e58fa730b7d3e59fd064d7 (diff) | |
drop root privileges in rtadvd to _rtadvd
ok deraadt@, reyk@, pyr@
| -rw-r--r-- | etc/group | 1 | ||||
| -rw-r--r-- | etc/master.passwd | 1 | ||||
| -rw-r--r-- | usr.sbin/rtadvd/rtadvd.c | 15 | ||||
| -rw-r--r-- | usr.sbin/rtadvd/rtadvd.h | 4 |
4 files changed, 19 insertions, 2 deletions
diff --git a/etc/group b/etc/group index c00236e3b40..2f07d28b545 100644 --- a/etc/group +++ b/etc/group @@ -56,6 +56,7 @@ _ripd:*:88: _relayd:*:89: _ospf6d:*:90: _snmpd:*:91: +_rtadvd:*:92: dialer:*:117: nogroup:*:32766: nobody:*:32767: diff --git a/etc/master.passwd b/etc/master.passwd index ae3cb27d65d..e07b6a6548e 100644 --- a/etc/master.passwd +++ b/etc/master.passwd @@ -38,4 +38,5 @@ _ripd:*:88:88::0:0:RIP Daemon:/var/empty:/sbin/nologin _relayd:*:89:89::0:0:Relay Daemon:/var/empty:/sbin/nologin _ospf6d:*:90:90::0:0:OSPF6 Daemon:/var/empty:/sbin/nologin _snmpd:*:91:91::0:0:SNMP Daemon:/var/empty:/sbin/nologin +_rtadvd:*:92:92::0:0:IPv6 Router Advertisement Daemon:/var/empty:/sbin/nologin nobody:*:32767:32767::0:0:Unprivileged user:/nonexistent:/sbin/nologin diff --git a/usr.sbin/rtadvd/rtadvd.c b/usr.sbin/rtadvd/rtadvd.c index 1e1f4829438..c2b67d3f473 100644 --- a/usr.sbin/rtadvd/rtadvd.c +++ b/usr.sbin/rtadvd/rtadvd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: rtadvd.c,v 1.35 2008/06/08 21:08:57 rainer Exp $ */ +/* $OpenBSD: rtadvd.c,v 1.36 2008/06/09 22:53:24 rainer Exp $ */ /* $KAME: rtadvd.c,v 1.66 2002/05/29 14:18:36 itojun Exp $ */ /* @@ -55,6 +55,7 @@ #include <string.h> #include <stdlib.h> #include <util.h> +#include <pwd.h> #include "rtadvd.h" #include "rrenum.h" @@ -153,6 +154,7 @@ main(argc, argv) int maxfd = 0; struct timeval *timeout; int i, ch; + struct passwd *pw; log_init(1); /* log to stderr until daemonized */ @@ -227,6 +229,17 @@ main(argc, argv) } else rtsock = -1; + if ((pw = getpwnam(RTADVD_USER)) == NULL) + fatal("getpwnam"); + if (chroot(pw->pw_dir) == -1) + fatal("chroot"); + if (chdir("/") == -1) + fatal("chdir(\"/\")"); + if (setgroups(1, &pw->pw_gid) == -1 || + setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) || + setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid)) + fatal("cannot drop privileges"); + fdmasks = howmany(maxfd + 1, NFDBITS) * sizeof(fd_mask); if ((fdsetp = malloc(fdmasks)) == NULL) { err(1, "malloc"); diff --git a/usr.sbin/rtadvd/rtadvd.h b/usr.sbin/rtadvd/rtadvd.h index 6d4b941a5c5..50ce76d9346 100644 --- a/usr.sbin/rtadvd/rtadvd.h +++ b/usr.sbin/rtadvd/rtadvd.h @@ -1,4 +1,4 @@ -/* $OpenBSD: rtadvd.h,v 1.10 2008/04/23 10:17:50 pyr Exp $ */ +/* $OpenBSD: rtadvd.h,v 1.11 2008/06/09 22:53:24 rainer Exp $ */ /* $KAME: rtadvd.h,v 1.20 2002/05/29 10:13:10 itojun Exp $ */ /* @@ -30,6 +30,8 @@ * SUCH DAMAGE. */ +#define RTADVD_USER "_rtadvd" + #define ALLNODES "ff02::1" #define ALLROUTERS_LINK "ff02::2" #define ALLROUTERS_SITE "ff05::2" |