Added -U and -G keys to make setuid and setgid at start if started as root
This commit is contained in:
parent
95e9c69b9c
commit
e23f4e3333
56
main.c
56
main.c
@ -47,6 +47,8 @@
|
|||||||
#include <libconfig.h>
|
#include <libconfig.h>
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
#include <grp.h>
|
||||||
|
|
||||||
#include "telegram.h"
|
#include "telegram.h"
|
||||||
#include "loop.h"
|
#include "loop.h"
|
||||||
#include "interface.h"
|
#include "interface.h"
|
||||||
@ -405,6 +407,8 @@ void usage (void) {
|
|||||||
printf (" -R disable readline\n");
|
printf (" -R disable readline\n");
|
||||||
printf (" -d daemon mode\n");
|
printf (" -d daemon mode\n");
|
||||||
printf (" -L <log-name> log file name\n");
|
printf (" -L <log-name> log file name\n");
|
||||||
|
printf (" -U <user-name> change uid after start\n");
|
||||||
|
printf (" -G <group-name> change gid after start\n");
|
||||||
|
|
||||||
exit (1);
|
exit (1);
|
||||||
}
|
}
|
||||||
@ -459,10 +463,53 @@ static void sighup_handler (const int sig) {
|
|||||||
signal (SIGHUP, sighup_handler);
|
signal (SIGHUP, sighup_handler);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
char *set_user_name;
|
||||||
|
char *set_group_name;
|
||||||
|
|
||||||
|
int change_user_group () {
|
||||||
|
char *username = set_user_name;
|
||||||
|
char *groupname = set_group_name;
|
||||||
|
struct passwd *pw;
|
||||||
|
/* lose root privileges if we have them */
|
||||||
|
if (getuid() == 0 || geteuid() == 0) {
|
||||||
|
if (username == 0 || *username == '\0') {
|
||||||
|
username = "telegramd";
|
||||||
|
}
|
||||||
|
if ((pw = getpwnam (username)) == 0) {
|
||||||
|
fprintf (stderr, "change_user_group: can't find the user %s to switch to\n", username);
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
gid_t gid = pw->pw_gid;
|
||||||
|
if (setgroups (1, &gid) < 0) {
|
||||||
|
fprintf (stderr, "change_user_group: failed to clear supplementary groups list: %m\n");
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (groupname) {
|
||||||
|
struct group *g = getgrnam (groupname);
|
||||||
|
if (g == NULL) {
|
||||||
|
fprintf (stderr, "change_user_group: can't find the group %s to switch to\n", groupname);
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
gid = g->gr_gid;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (setgid (gid) < 0) {
|
||||||
|
fprintf (stderr, "change_user_group: setgid (%d) failed. %m\n", (int) gid);
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (setuid (pw->pw_uid) < 0) {
|
||||||
|
fprintf (stderr, "change_user_group: failed to assume identity of user %s\n", username);
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
void args_parse (int argc, char **argv) {
|
void args_parse (int argc, char **argv) {
|
||||||
int opt = 0;
|
int opt = 0;
|
||||||
while ((opt = getopt (argc, argv, "u:hk:vNl:fEwWCRdL:"
|
while ((opt = getopt (argc, argv, "u:hk:vNl:fEwWCRdL:U:G:"
|
||||||
#ifdef HAVE_LIBCONFIG
|
#ifdef HAVE_LIBCONFIG
|
||||||
"c:p:"
|
"c:p:"
|
||||||
#else
|
#else
|
||||||
@ -533,6 +580,12 @@ void args_parse (int argc, char **argv) {
|
|||||||
case 'L':
|
case 'L':
|
||||||
logname = optarg;
|
logname = optarg;
|
||||||
break;
|
break;
|
||||||
|
case 'U':
|
||||||
|
set_user_name = optarg;
|
||||||
|
break;
|
||||||
|
case 'G':
|
||||||
|
set_group_name = optarg;
|
||||||
|
break;
|
||||||
case 'h':
|
case 'h':
|
||||||
default:
|
default:
|
||||||
usage ();
|
usage ();
|
||||||
@ -574,6 +627,7 @@ void sig_abrt_handler (int signum __attribute__ ((unused))) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
int main (int argc, char **argv) {
|
int main (int argc, char **argv) {
|
||||||
|
change_user_group ();
|
||||||
signal (SIGSEGV, sig_segv_handler);
|
signal (SIGSEGV, sig_segv_handler);
|
||||||
signal (SIGABRT, sig_abrt_handler);
|
signal (SIGABRT, sig_abrt_handler);
|
||||||
|
|
||||||
|
Loading…
x
Reference in New Issue
Block a user