author | Bob Beck <beck@cvs.openbsd.org> | 2004-05-07 23:04:08 +0000 |
---|---|---|
committer | Bob Beck <beck@cvs.openbsd.org> | 2004-05-07 23:04:08 +0000 |
commit | 68bb922084e7746f03fcce9c9f213a0c2a0bcd0e (patch) | |
tree | b1d4c7d6af6baf46fed11146c6dd9e707ef54319 | |
parent | ea27d87d8ee93c3c1ff9478894f3cd73debcb1d8 (diff) |
This makes afsd drop privilege to user _afs inside a chroot (the
cache directory). This is privilege dropping, not full privsep.
-rw-r--r-- | usr.sbin/afs/src/arlad/arla.c | 6 | ||||
-rw-r--r-- | usr.sbin/afs/src/arlad/arla_local.h | 1 | ||||
-rw-r--r-- | usr.sbin/afs/src/arlad/arlad.c | 8 |
3 files changed, 15 insertions, 0 deletions
diff --git a/usr.sbin/afs/src/arlad/arla.c b/usr.sbin/afs/src/arlad/arla.c
index 6b65083e359..24886e791ec 100644
--- a/usr.sbin/afs/src/arlad/arla.c
+++ b/usr.sbin/afs/src/arlad/arla.c
@@ -275,6 +275,7 @@ int fake_stat = 0;
 int num_workers = 16;
 char *cache_dir;
+struct passwd *pw;
 int fake_mp;
 int fork_flag = 1;
@@ -382,12 +383,17 @@ arla_init (void)
 if (conn_rxkad_level < 0)
 errx (1, "bad rxkad level `%s'", rxkad_level_string);
 #endif
+ pw = getpwnam("_afs");
+ if (pw == NULL)
+ errx (1, "Unable to find user '_afs'");
 if (cache_dir == NULL)
 cache_dir = get_default_cache_dir();
 if (mkdir (cache_dir, 0777) < 0 && errno != EEXIST)
 arla_err (1, ADEBERROR, errno, "mkdir %s", cache_dir);
+ if (pw && chown(cache_dir, pw->pw_uid, pw->pw_gid) == -1)
+ arla_err (1, ADEBERROR, errno, "chown %s", cache_dir);
 if (chdir (cache_dir) < 0)
 arla_err (1, ADEBERROR, errno, "chdir %s", cache_dir);
diff --git a/usr.sbin/afs/src/arlad/arla_local.h b/usr.sbin/afs/src/arlad/arla_local.h
index 96e82c52d68..65db9315022 100644
--- a/usr.sbin/afs/src/arlad/arla_local.h
+++ b/usr.sbin/afs/src/arlad/arla_local.h
@@ -224,3 +224,4 @@ extern int fake_stat;
 extern int fetch_block_size;
 extern char *cache_dir;
+extern struct passwd *pw;
diff --git a/usr.sbin/afs/src/arlad/arlad.c b/usr.sbin/afs/src/arlad/arlad.c
index 7ec1fe2b516..d017059f62f 100644
--- a/usr.sbin/afs/src/arlad/arlad.c
+++ b/usr.sbin/afs/src/arlad/arlad.c
@@ -174,6 +174,14 @@ arla_start (char *device_file, const char *cache_dir)
 if (fork_flag)
 kill(getppid(), SIGUSR1);
+ if (pw) {
+ setgroups(1, &pw->pw_gid);
+ setegid(pw->pw_gid);
+ setgid(pw->pw_gid);
+ seteuid(pw->pw_uid);
+ setuid(pw->pw_uid);
+ }
+
 LWP_WaitProcess ((char *)arla_start);
 abort ();
 } |
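Review bot: The global `pw` set in arla_init keeps the raw pointer returned by `getpwnam("_afs")`, which refers to libc-owned storage that a later getpwnam/getpwuid/getpwent call may overwrite; the ids are read again much later in arla_start (arlad.c hunk), so if anything in between does another passwd lookup (not visible here) the daemon could switch to the wrong uid/gid. Copying the two values at lookup time, e.g. `afs_uid = pw->pw_uid; afs_gid = pw->pw_gid;` into file-scope `uid_t`/`gid_t` variables, removes that dependency; the `struct passwd *pw;` global and its `extern` in arla_local.h would change with it. The `pw &&` in the chown test is dead, since errx() has already exited when the lookup returned NULL. arla_init's body starts and ends outside the hunk.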
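Review bot: None of the five calls in the added `if (pw)` block of arla_start has its return value checked, so if setgroups(), setgid() or setuid() fails the daemon carries on into LWP_WaitProcess() still holding root's ids and nothing is reported. Each step should be tested and the process should exit on failure; setresgid()/setresuid() set the real, effective and saved ids in one call and can replace the sete*/set* pairs (the sketch below reuses arla_err as it is called in arla.c, assuming it is visible in arlad.c). The commit message describes a chroot into the cache directory, but no chroot() call appears in any hunk on this page, where arla_init only does chdir(), so either the call lives in code not shown or the confinement is missing. arla_start begins outside the hunk.

```c
/* … unchanged: if (fork_flag) kill(getppid(), SIGUSR1); … */
    if (pw) {
	if (setgroups(1, &pw->pw_gid) == -1)
	    arla_err (1, ADEBERROR, errno, "setgroups");
	if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) == -1)
	    arla_err (1, ADEBERROR, errno, "setresgid");
	if (setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid) == -1)
	    arla_err (1, ADEBERROR, errno, "setresuid");
    }
/* … unchanged: LWP_WaitProcess, abort … */
```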