Пакет: openldap
Патч: openldap-2.1.29-alt-chroot.patch
--- ./servers/slurpd/Makefile.in. 2004-04-19 00:44:58 +0400
+++ ./servers/slurpd/Makefile.in 2004-04-19 00:46:34 +0400
@@ -21,11 +21,11 @@
NT_SRCS = nt_svc.c
NT_OBJS = nt_svc.o ../../libraries/liblutil/slapdmsg.res
-SRCS = admin.c args.c ch_malloc.c config.c \
+SRCS = admin.c args.c ch_malloc.c config.c user.c \
fm.c globals.c ldap_op.c lock.c main.c re.c \
reject.c replica.c replog.c ri.c rq.c sanity.c st.c \
$(@PLAT@_SRCS)
-OBJS = admin.o args.o ch_malloc.o config.o \
+OBJS = admin.o args.o ch_malloc.o config.o user.o \
fm.o globals.o ldap_op.o lock.o main.o re.o \
reject.o replica.o replog.o ri.o rq.o sanity.o st.o \
$(@PLAT@_OBJS)
--- ./servers/slurpd/args.c. 2004-04-19 00:45:07 +0400
+++ ./servers/slurpd/args.c 2004-04-19 00:46:32 +0400
@@ -56,7 +56,8 @@
#else /* LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND */
fprintf( stderr, "\t\t[-t tmp-dir] [-o]\n" );
#endif /* LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND */
- fprintf( stderr, "\t\t[-n service-name]\n" );
+ fprintf( stderr, "\t\t[-n service-name] [-c chroot-dir]\n" );
+ fprintf( stderr, "\t\t[-u user] [-g group]\n" );
}
@@ -80,7 +81,7 @@
g->myname = strdup( g->myname + 1 );
}
- while ( (i = getopt( argc, argv, "d:f:n:or:t:V" )) != EOF ) {
+ while ( (i = getopt( argc, argv, "d:f:n:or:t:c:u:g:V" )) != EOF ) {
switch ( i ) {
case 'd': /* set debug level and 'do not detach' flag */
g->no_detach = 1;
@@ -140,6 +141,18 @@
snprintf(g->slurpd_rdir, sz,
"%s" LDAP_DIRSEP "replica", optarg);
} break;
+ case 'c':
+ if ( g->sandbox ) free( g->sandbox );
+ g->sandbox = ch_strdup( optarg );
+ break;
+ case 'u':
+ if ( g->username ) free( g->username );
+ g->username = ch_strdup( optarg );
+ break;
+ case 'g':
+ if ( g->groupname ) free( g->groupname );
+ g->groupname = ch_strdup( optarg );
+ break;
case 'V':
(g->version)++;
break;
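Review bot: The `if ( g->sandbox ) free( g->sandbox );` guards in the new `c`, `u` and `g` cases are redundant, since `free(NULL)` is a no-op; `free( g->sandbox ); g->sandbox = ch_strdup( optarg );` (and likewise for `username` and `groupname`) reads cleaner and avoids three single-line `if` bodies without braces. The switch belongs to a function that starts and ends outside the hunk.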
--- ./servers/slurpd/globals.h. 2004-04-19 00:45:20 +0400
+++ ./servers/slurpd/globals.h 2004-04-19 00:46:32 +0400
@@ -55,6 +55,12 @@
Ri **replicas;
/* Directory where our replica files are written/read */
char *slurpd_rdir;
+ /* Directory to chroot */
+ char *sandbox;
+ /* Effective user name */
+ char *username;
+ /* Effective group name */
+ char *groupname;
/* Name of slurpd status file (timestamp of last replog */
char slurpd_status_file[ MAXPATHLEN ];
/* Name of the replication log slapd is writing (and we are reading) */
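Review bot: The comments on the three new fields say nothing about ownership, yet the new user.c documents that `slap_init_user()` frees its `user` and `group` arguments, and main.c passes `sglob->username` / `sglob->groupname` straight to it. I would say so here, e.g. `/* User to run as (real and effective uid); freed by slap_init_user() */` and the matching text for `groupname`, and for `sandbox` something like `/* Directory passed to chdir() and chroot() in main.c before privileges are dropped */`. "Effective user name" also understates what user.c does, since it sets the real id as well as the effective one.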
--- ./servers/slurpd/main.c. 2004-04-19 00:45:28 +0400
+++ ./servers/slurpd/main.c 2004-04-19 00:46:33 +0400
@@ -152,6 +152,23 @@
}
}
+ if ( sglob->sandbox ) {
+ if ( chdir( sglob->sandbox ) ) {
+ perror("chdir");
+ rc = 1;
+ goto stop;
+ }
+ if ( chroot( sglob->sandbox ) ) {
+ perror("chroot");
+ rc = 1;
+ goto stop;
+ }
+ }
+
+ if ( sglob->username != NULL || sglob->groupname !=NULL ) {
+ slap_init_user( sglob->username, sglob->groupname );
+ }
+
#ifdef NEW_LOGGING
LDAP_LOG( SLURPD, INFO, "%s\n", Versionstr, 0, 0 );
#else
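Review bot: `chroot( sglob->sandbox )` on the line after `chdir( sglob->sandbox )` resolves the path relative to the directory just entered, so a relative `-c` argument (e.g. `-c jail`) would attempt to chroot into `jail/jail` and fail; use `if ( chroot( "." ) ) {` after the chdir (or chroot first and then `chdir( "/" )`) so the working directory and the new root coincide for any path. After `slap_init_user( sglob->username, sglob->groupname );` returns, both strings have been freed by that function according to its header comment in user.c, so add `sglob->username = sglob->groupname = NULL;` rather than leaving dangling pointers in the global struct. Because the name lookups in slap_init_user() happen after the chroot, a name given to `-u`/`-g` can only be resolved if the jail contains the passwd/group databases (and whatever NSS needs); numeric ids avoid that dependency and the usage text could say so. With `-c` but no `-u` the process stays root inside the jail, which gives little isolation, so a warning in that case would help operators. The `rc`/`stop` cleanup path and the enclosing function lie outside the hunk, and I could not see a prototype for slap_init_user() being added to any header main.c includes.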
--- ./servers/slurpd/user.c. 2004-04-19 00:45:34 +0400
+++ ./servers/slurpd/user.c 2004-04-19 00:46:34 +0400
@@ -0,0 +1,202 @@
+/*
+ * Copyright 1998-2003 The OpenLDAP Foundation, All Rights Reserved.
+ * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
+ */
+/* user.c - set user id, group id and group access list
+ *
+ * Copyright 1999 by PM Lashley.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms are permitted only
+ * as authorized by the OpenLDAP Public License. A copy of this
+ * license is available at http://www.OpenLDAP.org/license.html or
+ * in file LICENSE in the top-level directory of the distribution.
+ *
+ *
+ * Igor Muratov <migor@altlinux.org>
+ * - This is acopy of servers/slapd/user.c file
+ *
+*/
+
+#include "portable.h"
+
+#if defined(HAVE_SETUID) && defined(HAVE_SETGID)
+
+#include <stdio.h>
+
+#include <ac/stdlib.h>
+
+#ifdef HAVE_PWD_H
+#include <pwd.h>
+#endif
+#ifdef HAVE_GRP_H
+#include <grp.h>
+#endif
+
+#include <ac/ctype.h>
+#include <ac/unistd.h>
+
+#include "slurp.h"
+
+/*
+ * Set real and effective user id and group id, and group access list
+ * The user and group arguments are freed.
+ */
+
+void
+slap_init_user( char *user, char *group )
+{
+ uid_t uid = 0;
+ gid_t gid = 0;
+ int got_uid = 0, got_gid = 0;
+
+ if ( user ) {
+ struct passwd *pwd;
+ if ( isdigit( (unsigned char) *user )) {
+ got_uid = 1;
+ uid = atoi( user );
+#ifdef HAVE_GETPWUID
+ pwd = getpwuid( uid );
+ goto did_getpw;
+#else
+ free( user );
+ user = NULL;
+#endif
+ } else {
+ pwd = getpwnam( user );
+ did_getpw:
+ if ( pwd == NULL ) {
+#ifdef NEW_LOGGING
+ LDAP_LOG( SLURPD, INFO,
+ "slap_init_user: No passwd entry for user %s\n", user, 0, 0 );
+#else
+ Debug( LDAP_DEBUG_ANY, "No passwd entry for user %s\n",
+ user, 0, 0 );
+#endif
+
+ exit( EXIT_FAILURE );
+ }
+ if ( got_uid ) {
+ free( user );
+ user = (pwd != NULL ? ch_strdup( pwd->pw_name ) : NULL);
+ } else {
+ got_uid = 1;
+ uid = pwd->pw_uid;
+ }
+ got_gid = 1;
+ gid = pwd->pw_gid;
+#ifdef HAVE_ENDPWENT
+ endpwent();
+#endif
+ }
+ }
+
+ if ( group ) {
+ struct group *grp;
+ if ( isdigit( (unsigned char) *group )) {
+ gid = atoi( group );
+#ifdef HAVE_GETGRGID
+ grp = getgrgid( gid );
+ goto did_group;
+#endif
+ } else {
+ grp = getgrnam( group );
+ if ( grp != NULL )
+ gid = grp->gr_gid;
+ did_group:
+ if ( grp == NULL ) {
+#ifdef NEW_LOGGING
+ LDAP_LOG( SLURPD, INFO,
+ "slap_init_user: No group entry for group %s\n", group, 0, 0 );
+#else
+ Debug( LDAP_DEBUG_ANY, "No group entry for group %s\n",
+ group, 0, 0 );
+#endif
+
+ exit( EXIT_FAILURE );
+ }
+ }
+ free( group );
+ got_gid = 1;
+ }
+
+ if ( user ) {
+ if ( getuid() == 0 && initgroups( user, gid ) != 0 ) {
+#ifdef NEW_LOGGING
+ LDAP_LOG( SLURPD, INFO,
+ "slap_init_user: Could not set the group access (gid) list.\n",
+ 0, 0, 0 );
+#else
+ Debug( LDAP_DEBUG_ANY,
+ "Could not set the group access (gid) list\n", 0, 0, 0 );
+#endif
+
+ exit( EXIT_FAILURE );
+ }
+ free( user );
+ }
+
+#ifdef HAVE_ENDGRENT
+ endgrent();
+#endif
+
+ if ( got_gid ) {
+ if ( setgid( gid ) != 0 ) {
+#ifdef NEW_LOGGING
+ LDAP_LOG( SLURPD, INFO,
+ "slap_init_user: could not set real group id to %d\n",
+ (int)gid, 0, 0);
+#else
+ Debug( LDAP_DEBUG_ANY, "Could not set real group id to %d\n",
+ (int) gid, 0, 0 );
+#endif
+
+ exit( EXIT_FAILURE );
+ }
+#ifdef HAVE_SETEGID
+ if ( setegid( gid ) != 0 ) {
+#ifdef NEW_LOGGING
+ LDAP_LOG( SLURPD, INFO,
+ "slap_init_user: Could not set effective group id to %d\n",
+ (int)gid, 0, 0);
+#else
+ Debug( LDAP_DEBUG_ANY, "Could not set effective group id to %d\n",
+ (int) gid, 0, 0 );
+#endif
+
+ exit( EXIT_FAILURE );
+ }
+#endif
+ }
+
+ if ( got_uid ) {
+ if ( setuid( uid ) != 0 ) {
+#ifdef NEW_LOGGING
+ LDAP_LOG( SLURPD, INFO,
+ "slap_init_user: Could not set real user id to %d\n",
+ (int)uid, 0, 0 );
+#else
+ Debug( LDAP_DEBUG_ANY, "Could not set real user id to %d\n",
+ (int) uid, 0, 0 );
+#endif
+
+ exit( EXIT_FAILURE );
+ }
+#ifdef HAVE_SETEUID
+ if ( seteuid( uid ) != 0 ) {
+#ifdef NEW_LOGGING
+ LDAP_LOG( SLURPD, INFO,
+ "slap_init_user: Could not set effective user id to %d\n",
+ (int)uid, 0, 0 );
+#else
+ Debug( LDAP_DEBUG_ANY, "Could not set effective user id to %d\n",
+ (int) uid, 0, 0 );
+#endif
+
+ exit( EXIT_FAILURE );
+ }
+#endif
+ }
+}
+
+#endif /* HAVE_PWD_H && HAVE_GRP_H */
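Review bot: `initgroups( user, gid )` runs only when `user` is non-NULL, so with `-g` alone (or a numeric `-u` on a build without HAVE_GETPWUID, where `user` is freed and set to NULL in the isdigit branch) the supplementary group list inherited from root is never dropped even though setgid()/setuid() succeed. I would add an else branch after the `if ( user ) { ... }` block around initgroups(): `} else if ( got_gid && getuid() == 0 && setgroups( 1, &gid ) != 0 ) { ... exit( EXIT_FAILURE ); }`, with the same LDAP_LOG/Debug error report as the initgroups() failure and guarded by a HAVE_SETGROUPS check in the style of the other calls. The numeric paths use `atoi()`, which accepts trailing junk and overflows silently; `strtoul()` with an end-pointer check would reject input such as `-u 123x`. The line `user = (pwd != NULL ? ch_strdup( pwd->pw_name ) : NULL);` can never see a NULL `pwd` because the preceding `if ( pwd == NULL )` exits, so the conditional is dead. Finally the closing `#endif /* HAVE_PWD_H && HAVE_GRP_H */` does not match the opening `#if defined(HAVE_SETUID) && defined(HAVE_SETGID)`; make it `#endif /* HAVE_SETUID && HAVE_SETGID */`.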