bin/108523: [patch] daemon(8): support for dropping privileges
Mike Pritchard
mpp at mppsystems.com
Mon Jan 29 21:30:22 UTC 2007
The following reply was made to PR bin/108523; it has been noted by GNATS.
From: Mike Pritchard <mpp at mail.mppsystems.com>
To: Dmitri Alenitchev <dmitri at dworlds.ru>
Cc: FreeBSD-gnats-submit at FreeBSD.org
Subject: Re: bin/108523: [patch] daemon(8): support for dropping privileges
Date: Mon, 29 Jan 2007 14:59:21 -0600
On Mon, Jan 29, 2007 at 09:13:23PM +0300, Dmitri Alenitchev wrote:
>
> >Number: 108523
> >Category: bin
> >Synopsis: [patch] daemon(8): support for dropping privileges
> >Description:
> support for dropping privileges to specified user and/or group
> >How-To-Repeat:
>
> >Fix:
> @@ -109,9 +126,32 @@
> }
>
> static void
> +restrict_process(const char *user, const char *group)
> +{
> + struct group *gr = NULL;
> + struct passwd *pw = NULL;
> + errno = 0;
> +
> + if (group != NULL) {
> + if ((gr = getgrnam(group)) == NULL)
> + errx(1, "Group %s does not exist", group);
> + if (setregid(gr->gr_gid, gr->gr_gid) == -1)
> + err(1, "%s", group);
> + }
> +
> + if (user != NULL) {
> + if ((pw = getpwnam(user)) == NULL)
> + errx(1, "User %s does not exist", user);
> + if (setreuid(pw->pw_uid, pw->pw_uid) == -1)
> + err(1, "%s", user);
> + }
> +}
The group list should also be set with initgroups(). And I
think setgid() and setuid() are the preferred methods of changing
the gid/uid, not setre*id().
--
Mike Pritchard
mpp @ mppsystems.com or mpp @ FreeBSD.org
"If tyranny and oppression come to this land, it will be in the guise
of fighting a foreign enemy." - James Madison (1787)
More information about the freebsd-bugs
mailing list