--- ./servers/slurpd/Makefile.in.	2004-04-19 00:44:58 +0400
+++ ./servers/slurpd/Makefile.in	2004-04-19 00:46:34 +0400
@@ -21,11 +21,11 @@
 NT_SRCS	= nt_svc.c
 NT_OBJS = nt_svc.o ../../libraries/liblutil/slapdmsg.res
 
-SRCS	=	admin.c args.c ch_malloc.c config.c \
+SRCS	=	admin.c args.c ch_malloc.c config.c user.c \
 		fm.c globals.c ldap_op.c lock.c main.c re.c \
 		reject.c replica.c replog.c ri.c rq.c sanity.c st.c \
 		$(@PLAT@_SRCS)
-OBJS	=	admin.o args.o ch_malloc.o config.o \
+OBJS	=	admin.o args.o ch_malloc.o config.o user.o \
 		fm.o globals.o ldap_op.o lock.o main.o re.o \
 		reject.o replica.o replog.o ri.o rq.o sanity.o st.o \
 		$(@PLAT@_OBJS)
--- ./servers/slurpd/args.c.	2004-04-19 00:45:07 +0400
+++ ./servers/slurpd/args.c	2004-04-19 00:46:32 +0400
@@ -56,7 +56,8 @@
 #else /* LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND */
     fprintf( stderr, "\t\t[-t tmp-dir] [-o]\n" );
 #endif /* LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND */
-    fprintf( stderr, "\t\t[-n service-name]\n" );
+    fprintf( stderr, "\t\t[-n service-name] [-c chroot-dir]\n" );
+    fprintf( stderr, "\t\t[-u user] [-g group]\n" );
 }
 
 
@@ -80,7 +81,7 @@
 	g->myname = strdup( g->myname + 1 );
     }
 
-    while ( (i = getopt( argc, argv, "d:f:n:or:t:V" )) != EOF ) {
+    while ( (i = getopt( argc, argv, "d:f:n:or:t:c:u:g:V" )) != EOF ) {
 	switch ( i ) {
 	case 'd':	/* set debug level and 'do not detach' flag */
 	    g->no_detach = 1;
@@ -140,6 +141,18 @@
 	    snprintf(g->slurpd_rdir, sz,
 			"%s" LDAP_DIRSEP "replica", optarg);
 	    } break;
+	case 'c':
+	    if ( g->sandbox ) free( g->sandbox );
+	    g->sandbox = ch_strdup( optarg );
+	    break;
+	case 'u':
+	    if ( g->username ) free( g->username );
+	    g->username = ch_strdup( optarg );
+	    break;
+	case 'g':
+	    if ( g->groupname ) free( g->groupname );
+	    g->groupname = ch_strdup( optarg );
+	    break;
 	case 'V':
 	    (g->version)++;
 	    break;
--- ./servers/slurpd/globals.h.	2004-04-19 00:45:20 +0400
+++ ./servers/slurpd/globals.h	2004-04-19 00:46:32 +0400
@@ -55,6 +55,12 @@
     Ri **replicas;
     /* Directory where our replica files are written/read */
     char *slurpd_rdir;
+    /* Directory to chroot */
+    char *sandbox;
+    /* Effective user name */
+    char *username;
+    /* Effective group name */
+    char *groupname;
     /* Name of slurpd status file (timestamp of last replog */
     char slurpd_status_file[ MAXPATHLEN ];
     /* Name of the replication log slapd is writing (and we are reading) */
--- ./servers/slurpd/main.c.	2004-04-19 00:45:28 +0400
+++ ./servers/slurpd/main.c	2004-04-19 00:46:33 +0400
@@ -152,6 +152,23 @@
 		}
     }
 
+    if ( sglob->sandbox ) {
+	    if ( chdir( sglob->sandbox ) ) {
+		    perror("chdir");
+		    rc = 1;
+		    goto stop;
+	    }
+	    if ( chroot( sglob->sandbox ) ) {
+		    perror("chroot");
+		    rc = 1;
+		    goto stop;
+	    }
+    }
+
+    if ( sglob->username != NULL || sglob->groupname !=NULL ) {
+	    slap_init_user( sglob->username, sglob->groupname );
+    }
+
 #ifdef NEW_LOGGING
 	LDAP_LOG( SLURPD, INFO, "%s\n", Versionstr, 0, 0 );
 #else
--- ./servers/slurpd/user.c.	2004-04-19 00:45:34 +0400
+++ ./servers/slurpd/user.c	2004-04-19 00:46:34 +0400
@@ -0,0 +1,202 @@
+/*
+ * Copyright 1998-2003 The OpenLDAP Foundation, All Rights Reserved.
+ * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
+ */
+/* user.c - set user id, group id and group access list
+ *
+ * Copyright 1999 by PM Lashley.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms are permitted only
+ * as authorized by the OpenLDAP Public License.  A copy of this
+ * license is available at http://www.OpenLDAP.org/license.html or
+ * in file LICENSE in the top-level directory of the distribution.
+ *
+ *
+ * Igor Muratov <migor@altlinux.org>
+ * - This is acopy of servers/slapd/user.c file
+ *
+*/
+
+#include "portable.h"
+
+#if defined(HAVE_SETUID) && defined(HAVE_SETGID)
+
+#include <stdio.h>
+
+#include <ac/stdlib.h>
+
+#ifdef HAVE_PWD_H
+#include <pwd.h>
+#endif
+#ifdef HAVE_GRP_H
+#include <grp.h>
+#endif
+
+#include <ac/ctype.h>
+#include <ac/unistd.h>
+
+#include "slurp.h"
+
+/*
+ * Set real and effective user id and group id, and group access list
+ * The user and group arguments are freed.
+ */
+
+void
+slap_init_user( char *user, char *group )
+{
+    uid_t	uid = 0;
+    gid_t	gid = 0;
+    int		got_uid = 0, got_gid = 0;
+
+    if ( user ) {
+	struct passwd *pwd;
+	if ( isdigit( (unsigned char) *user )) {
+	    got_uid = 1;
+	    uid = atoi( user );
+#ifdef HAVE_GETPWUID
+	    pwd = getpwuid( uid );
+	    goto did_getpw;
+#else
+	    free( user );
+	    user = NULL;
+#endif
+	} else {
+	    pwd = getpwnam( user );
+	did_getpw:
+	    if ( pwd == NULL ) {
+#ifdef NEW_LOGGING
+		    LDAP_LOG( SLURPD, INFO, 
+				"slap_init_user: No passwd entry for user %s\n", user, 0, 0 );
+#else
+		Debug( LDAP_DEBUG_ANY, "No passwd entry for user %s\n",
+		       user, 0, 0 );
+#endif
+
+		exit( EXIT_FAILURE );
+	    }
+	    if ( got_uid ) {
+		free( user );
+		user = (pwd != NULL ? ch_strdup( pwd->pw_name ) : NULL);
+	    } else {
+		got_uid = 1;
+		uid = pwd->pw_uid;
+	    }
+	    got_gid = 1;
+	    gid = pwd->pw_gid;
+#ifdef HAVE_ENDPWENT
+	    endpwent();
+#endif
+	}
+    }
+
+    if ( group ) {
+	struct group *grp;
+	if ( isdigit( (unsigned char) *group )) {
+	    gid = atoi( group );
+#ifdef HAVE_GETGRGID
+	    grp = getgrgid( gid );
+	    goto did_group;
+#endif
+	} else {
+	    grp = getgrnam( group );
+	    if ( grp != NULL )
+		gid = grp->gr_gid;
+	did_group:
+	    if ( grp == NULL ) {
+#ifdef NEW_LOGGING
+		LDAP_LOG( SLURPD, INFO, 
+			"slap_init_user: No group entry for group %s\n", group, 0, 0 );
+#else
+		Debug( LDAP_DEBUG_ANY, "No group entry for group %s\n",
+		       group, 0, 0 );
+#endif
+
+		exit( EXIT_FAILURE );
+	    }
+	}
+	free( group );
+	got_gid = 1;
+    }
+
+    if ( user ) {
+	if ( getuid() == 0 && initgroups( user, gid ) != 0 ) {
+#ifdef NEW_LOGGING
+	    LDAP_LOG( SLURPD, INFO,
+			"slap_init_user: Could not set the group access (gid) list.\n", 
+			0, 0, 0 );
+#else
+	    Debug( LDAP_DEBUG_ANY,
+		   "Could not set the group access (gid) list\n", 0, 0, 0 );
+#endif
+
+	    exit( EXIT_FAILURE );
+	}
+	free( user );
+    }
+
+#ifdef HAVE_ENDGRENT
+    endgrent();
+#endif
+
+    if ( got_gid ) {
+	if ( setgid( gid ) != 0 ) {
+#ifdef NEW_LOGGING
+	    LDAP_LOG( SLURPD, INFO, 
+			"slap_init_user: could not set real group id to %d\n", 
+			(int)gid, 0, 0);
+#else
+	    Debug( LDAP_DEBUG_ANY, "Could not set real group id to %d\n",
+		       (int) gid, 0, 0 );
+#endif
+
+	    exit( EXIT_FAILURE );
+	}
+#ifdef HAVE_SETEGID
+	if ( setegid( gid ) != 0 ) {
+#ifdef NEW_LOGGING
+	    LDAP_LOG( SLURPD, INFO, 
+		   "slap_init_user: Could not set effective group id to %d\n",
+		   (int)gid, 0, 0);
+#else
+	    Debug( LDAP_DEBUG_ANY, "Could not set effective group id to %d\n",
+		       (int) gid, 0, 0 );
+#endif
+
+	    exit( EXIT_FAILURE );
+	}
+#endif
+    }
+
+    if ( got_uid ) {
+	if ( setuid( uid ) != 0 ) {
+#ifdef NEW_LOGGING
+	    LDAP_LOG( SLURPD, INFO, 
+			"slap_init_user: Could not set real user id to %d\n", 
+			(int)uid, 0, 0 );
+#else
+	    Debug( LDAP_DEBUG_ANY, "Could not set real user id to %d\n",
+		       (int) uid, 0, 0 );
+#endif
+
+	    exit( EXIT_FAILURE );
+	}
+#ifdef HAVE_SETEUID
+	if ( seteuid( uid ) != 0 ) {
+#ifdef NEW_LOGGING
+	    LDAP_LOG( SLURPD, INFO, 
+			"slap_init_user: Could not set effective user id to %d\n", 
+			(int)uid, 0, 0 );
+#else
+	    Debug( LDAP_DEBUG_ANY, "Could not set effective user id to %d\n",
+		       (int) uid, 0, 0 );
+#endif
+
+	    exit( EXIT_FAILURE );
+	}
+#endif
+    }
+}
+
+#endif /* HAVE_PWD_H && HAVE_GRP_H */