From 78fc5032107923a7eba3087758a6098489e6a5fb Mon Sep 17 00:00:00 2001
From: Rainer Giedat <rainer@cvs.openbsd.org>
Date: Mon, 9 Jun 2008 22:53:25 +0000
Subject: drop root privileges in rtadvd to _rtadvd

ok deraadt@, reyk@, pyr@
---
 usr.sbin/rtadvd/rtadvd.c | 15 ++++++++++++++-
 usr.sbin/rtadvd/rtadvd.h |  4 +++-
 2 files changed, 17 insertions(+), 2 deletions(-)

(limited to 'usr.sbin/rtadvd')

diff --git a/usr.sbin/rtadvd/rtadvd.c b/usr.sbin/rtadvd/rtadvd.c
index 1e1f4829438..c2b67d3f473 100644
--- a/usr.sbin/rtadvd/rtadvd.c
+++ b/usr.sbin/rtadvd/rtadvd.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: rtadvd.c,v 1.35 2008/06/08 21:08:57 rainer Exp $	*/
+/*	$OpenBSD: rtadvd.c,v 1.36 2008/06/09 22:53:24 rainer Exp $	*/
 /*	$KAME: rtadvd.c,v 1.66 2002/05/29 14:18:36 itojun Exp $	*/
 
 /*
@@ -55,6 +55,7 @@
 #include <string.h>
 #include <stdlib.h>
 #include <util.h>
+#include <pwd.h>
 
 #include "rtadvd.h"
 #include "rrenum.h"
@@ -153,6 +154,7 @@ main(argc, argv)
 	int maxfd = 0;
 	struct timeval *timeout;
 	int i, ch;
+	struct passwd *pw;
 
 	log_init(1);		/* log to stderr until daemonized */
 
@@ -227,6 +229,17 @@ main(argc, argv)
 	} else
 		rtsock = -1;
 
+	if ((pw = getpwnam(RTADVD_USER)) == NULL)
+		fatal("getpwnam");
+	if (chroot(pw->pw_dir) == -1)
+		fatal("chroot");
+	if (chdir("/") == -1)
+		fatal("chdir(\"/\")");
+	if (setgroups(1, &pw->pw_gid) == -1 ||
+	    setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) ||
+	    setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid))
+		fatal("cannot drop privileges");
+
 	fdmasks = howmany(maxfd + 1, NFDBITS) * sizeof(fd_mask);
 	if ((fdsetp = malloc(fdmasks)) == NULL) {
 		err(1, "malloc");
diff --git a/usr.sbin/rtadvd/rtadvd.h b/usr.sbin/rtadvd/rtadvd.h
index 6d4b941a5c5..50ce76d9346 100644
--- a/usr.sbin/rtadvd/rtadvd.h
+++ b/usr.sbin/rtadvd/rtadvd.h
@@ -1,4 +1,4 @@
-/*	$OpenBSD: rtadvd.h,v 1.10 2008/04/23 10:17:50 pyr Exp $	*/
+/*	$OpenBSD: rtadvd.h,v 1.11 2008/06/09 22:53:24 rainer Exp $	*/
 /*	$KAME: rtadvd.h,v 1.20 2002/05/29 10:13:10 itojun Exp $	*/
 
 /*
@@ -30,6 +30,8 @@
  * SUCH DAMAGE.
  */
 
+#define RTADVD_USER     "_rtadvd"
+
 #define ALLNODES "ff02::1"
 #define ALLROUTERS_LINK "ff02::2"
 #define ALLROUTERS_SITE "ff05::2"
-- 
cgit v1.2.3