Diffstat (limited to 'src/charon')
-rw-r--r--src/charon/daemon.c63
-rw-r--r--src/charon/daemon.h10
-rw-r--r--src/charon/plugins/smp/smp.c2
-rw-r--r--src/charon/plugins/stroke/stroke_socket.c2
4 files changed, 64 insertions, 13 deletions
diff --git a/src/charon/daemon.c b/src/charon/daemon.c
index 0400a991d..ce12917aa 100644
--- a/src/charon/daemon.c
+++ b/src/charon/daemon.c
@@ -28,6 +28,8 @@
#include <string.h>
#include <getopt.h>
#include <errno.h>
+#include <pwd.h>
+#include <grp.h>
#ifdef HAVE_BACKTRACE
# include <execinfo.h>
#endif /* HAVE_BACKTRACE */
@@ -207,11 +209,17 @@ static void destroy(private_daemon_t *this)
static void kill_daemon(private_daemon_t *this, char *reason)
{
/* we send SIGTERM, so the daemon can cleanly shut down */
- DBG1(DBG_DMN, "killing daemon: %s", reason);
+ if (this->public.bus)
+ {
+ DBG1(DBG_DMN, "killing daemon: %s", reason);
+ }
+ else
+ {
+ fprintf(stderr, "killing daemon: %s\n", reason);
+ }
if (this->main_thread_id == pthread_self())
{
/* initialization failed, terminate daemon */
- destroy(this);
unlink(PID_FILE);
exit(-1);
}
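Review bot: The new `if (this->public.bus)` test in kill_daemon has no comment explaining when the bus can be missing, and the unchanged `/* we send SIGTERM ... */` comment now sits above logging code rather than above the signal. I would add `/* the bus may not exist yet if we are called before initialize(), so fall back to stderr */` above the `if`; that ordering is inferred from the new lookup_uid_gid() call in main(). The main-thread branch now exits without destroy(), and a one-line comment saying why teardown is skipped there would stop a later reader from re-adding it. The function body continues past the end of this hunk.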
@@ -237,18 +245,14 @@ static void drop_capabilities(private_daemon_t *this, bool full)
if (full)
{
-# if IPSEC_GID
- if (setgid(IPSEC_GID) != 0)
+ if (setgid(charon->gid) != 0)
{
- kill_daemon(this, "changing GID to unprivileged group failed");
+ kill_daemon(this, "change to unprivileged group failed");
}
-# endif
-# if IPSEC_UID
- if (setuid(IPSEC_UID) != 0)
+ if (setuid(charon->uid) != 0)
{
- kill_daemon(this, "changing UID to unprivileged user failed");
+ kill_daemon(this, "change to unprivileged user failed");
}
-# endif
}
else
{
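Review bot: The `full` branch calls setgid() and then setuid(), but nothing visible in this hunk clears the supplementary group list, so the process would keep the groups it was started with after switching to the unprivileged user. If that is not handled elsewhere in drop_capabilities, which starts and ends outside this hunk, add `if (setgroups(0, NULL) != 0) { kill_daemon(this, "dropping supplementary groups failed"); }` before the setgid() call. With IPSEC_USER and IPSEC_GROUP undefined the fields appear to stay 0, so both calls now run unconditionally and leave the daemon as root; a short comment stating that 0 means "do not drop" would make that explicit.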
@@ -283,6 +287,39 @@ static void drop_capabilities(private_daemon_t *this, bool full)
}
/**
+ * lookup UID and GID
+ */
+static void lookup_uid_gid(private_daemon_t *this)
+{
+#ifdef IPSEC_USER
+ {
+ char buf[1024];
+ struct passwd passwd, *pwp;
+
+ if (getpwnam_r(IPSEC_USER, &passwd, buf, sizeof(buf), &pwp) != 0 ||
+ pwp == NULL)
+ {
+ kill_daemon(this, "resolving user '"IPSEC_USER"' failed");
+ }
+ charon->uid = pwp->pw_uid;
+ }
+#endif
+#ifdef IPSEC_GROUP
+ {
+ char buf[1024];
+ struct group group, *grp;
+
+ if (getgrnam_r(IPSEC_GROUP, &group, buf, sizeof(buf), &grp) != 0 ||
+ grp == NULL)
+ {
+ kill_daemon(this, "reslvoing group '"IPSEC_GROUP"' failed");
+ }
+ charon->gid = grp->gr_gid;
+ }
+#endif
+}
+
+/**
* Initialize the daemon
*/
static bool initialize(private_daemon_t *this, bool syslog, level_t levels[])
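Review bot: In lookup_uid_gid the assignments `charon->uid = pwp->pw_uid;` and `charon->gid = grp->gr_gid;` run after kill_daemon() and are safe only because kill_daemon() exits when called on the main thread; on any other thread it presumably returns and these lines would dereference NULL. Add `return;` after each kill_daemon() call, or state the main-thread assumption in the function comment. The fixed `char buf[1024]` makes getgrnam_r() fail with ERANGE for a group with a long member list, and that is then reported as a resolution failure; sizing the buffer from `sysconf(_SC_GETGR_R_SIZE_MAX)` or retrying on ERANGE avoids it. The group message is also misspelled: `"reslvoing group '"` should read `"resolving group '"`.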
@@ -428,6 +465,8 @@ private_daemon_t *daemon_create(void)
this->public.outlog = NULL;
this->public.syslog = NULL;
this->public.authlog = NULL;
+ this->public.uid = 0;
+ this->public.gid = 0;
this->main_thread_id = pthread_self();
@@ -496,6 +535,8 @@ int main(int argc, char *argv[])
private_charon = daemon_create();
charon = (daemon_t*)private_charon;
+ lookup_uid_gid(private_charon);
+
/* drop the capabilities we won't need for initialization */
prctl(PR_SET_KEEPCAPS, 1);
drop_capabilities(private_charon, FALSE);
@@ -571,7 +612,7 @@ int main(int argc, char *argv[])
if (pid_file)
{
fprintf(pid_file, "%d\n", getpid());
- fchown(fileno(pid_file), IPSEC_UID, IPSEC_GID);
+ fchown(fileno(pid_file), charon->uid, charon->gid);
fclose(pid_file);
}
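Review bot: The result of `fchown(fileno(pid_file), charon->uid, charon->gid)` is ignored, so a failure goes unnoticed and the PID file silently stays owned by root. Check it the way the socket plugins check chown(), e.g. `if (fchown(fileno(pid_file), charon->uid, charon->gid) != 0) { DBG1(DBG_DMN, "changing PID file ownership failed: %s", strerror(errno)); }`. main() continues outside this hunk.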
diff --git a/src/charon/daemon.h b/src/charon/daemon.h
index 5d590754b..8399523ec 100644
--- a/src/charon/daemon.h
+++ b/src/charon/daemon.h
@@ -299,6 +299,16 @@ struct daemon_t {
#endif /* ME */
/**
+ * User ID the daemon will user after initialization
+ */
+ uid_t uid;
+
+ /**
+ * Group ID the daemon will use after initialization
+ */
+ gid_t gid;
+
+ /**
* Shut down the daemon.
*
* @param reason describtion why it will be killed
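Review bot: The doc comment on `uid` has a typo: `will user` should be `will use`. Both comments could also say what the default means, for example `User ID the daemon will use after initialization, 0 if privileges are not dropped`, since daemon_create() sets the fields to 0 and drop_capabilities() passes them straight to setuid()/setgid(). The enclosing struct daemon_t starts and ends outside this hunk.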
diff --git a/src/charon/plugins/smp/smp.c b/src/charon/plugins/smp/smp.c
index 93824518e..6380714e9 100644
--- a/src/charon/plugins/smp/smp.c
+++ b/src/charon/plugins/smp/smp.c
@@ -728,7 +728,7 @@ plugin_t *plugin_create()
return NULL;
}
umask(old);
- if (chown(unix_addr.sun_path, IPSEC_UID, IPSEC_GID) != 0)
+ if (chown(unix_addr.sun_path, charon->uid, charon->gid) != 0)
{
DBG1(DBG_CFG, "changing XML socket permissions failed: %s", strerror(errno));
}
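Review bot: The log text `changing XML socket permissions failed` describes a chown() call, which changes ownership rather than mode bits; `changing XML socket ownership failed: %s` would point an operator at the right cause. The same applies to `changing stroke socket permissions failed` in the stroke_socket.c hunk. Both enclosing functions extend beyond their hunks.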
diff --git a/src/charon/plugins/stroke/stroke_socket.c b/src/charon/plugins/stroke/stroke_socket.c
index 2ae22e447..abc14794a 100644
--- a/src/charon/plugins/stroke/stroke_socket.c
+++ b/src/charon/plugins/stroke/stroke_socket.c
@@ -537,7 +537,7 @@ static bool open_socket(private_stroke_socket_t *this)
return FALSE;
}
umask(old);
- if (chown(socket_addr.sun_path, IPSEC_UID, IPSEC_GID) != 0)
+ if (chown(socket_addr.sun_path, charon->uid, charon->gid) != 0)
{
DBG1(DBG_CFG, "changing stroke socket permissions failed: %s",
strerror(errno));