[packages/dhcp_probe.git] / dhcp_probe-virta-03-drop-privs.patch

##dhcp-probe-03-drop-privs.patch - add option to change uid after setup
--- src/dhcp_probe.c.02	2009-08-16 12:31:22.000000000 +0300
+++ src/dhcp_probe.c	2009-08-16 13:47:29.000000000 +0300
@@ -26,6 +26,9 @@
 #include "report.h"
 #include "utils.h"
 
+#include <sys/types.h>
+#include <pwd.h>
+
 #ifndef lint
 static const char rcsid[] = "dhcp_probe version " VERSION;
 static const char copyright[] = "Copyright 2000-2008, The Trustees of Princeton University.  All rights reserved.";
@@ -50,6 +53,8 @@
 int snaplen = CAPTURE_BUFSIZE;
 int socket_receive_timeout_feature = 0;
 int keep_pcap = 0;
+int drop_privs = 0;
+char *username = NULL;
 
 char *prog = NULL;
 char *logfile_name = NULL;
@@ -179,6 +184,40 @@
 	return packets_recv;
 }
 
+/* drop privileges */
+void 
+drop_privileges(const char *username)
+{
+	struct passwd *pw;
+	pw = getpwnam(username);
+	if (pw == NULL) {
+		report(LOG_ERR, "getpwnam: %s", get_errmsg());
+		my_exit(1, 1, 1);
+	}
+	if (debug > 1)
+		report(LOG_INFO, "changing to uid %d gid %d", pw->pw_uid, pw->pw_gid);
+	
+	if (setregid(pw->pw_gid, pw->pw_gid)) {
+		report(LOG_ERR, "setregid: %s", get_errmsg());
+		my_exit(1, 1, 1);
+	}
+	if (setreuid(pw->pw_uid, pw->pw_uid)) {
+		report(LOG_ERR, "setreuid: %s", get_errmsg());
+		my_exit(1, 1, 1);
+	}
+}
+
+void write_pidfile(void)
+{
+	FILE *pid_fp;
+	if ((pid_fp = open_for_writing(pid_file)) == NULL) {
+		report(LOG_ERR, "could not open pid file %s for writing", pid_file);
+		my_exit(1, 0, 1);
+	} else {
+		fprintf(pid_fp, "%d\n", (int) getpid());
+		fclose(pid_fp);
+	}
+}
 
 int 
 main(int argc, char **argv)
@@ -188,7 +227,6 @@
 	extern char *optarg;
 	extern int optind, opterr, optopt;
 	struct sigaction sa;
-	FILE *pid_fp;
 	char *cwd = CWD;
 
 	int write_packet_len;
@@ -208,7 +246,7 @@
 	else 
 		prog = argv[0];
 
-	while ((c = getopt(argc, argv, "c:d:fhkl:o:p:Q:s:Tvw:")) != EOF) {
+	while ((c = getopt(argc, argv, "c:d:fhkl:o:p:Q:s:Tu:vw:")) != EOF) {
 		switch (c) {
 			case 'c':
 				if (optarg[0] != '/') {
@@ -283,6 +321,10 @@
 				}
 				break;
 			}
+			case 'u':
+				drop_privs = 1;
+				username = optarg;
+				break;
 			case 'T':
 				socket_receive_timeout_feature = 1;
 				break;
@@ -351,16 +393,6 @@
 		my_exit(1, 0, 1);
 	}
 
-
-	/* write pid file as soon as possible after (possibly) forking */
-	if ((pid_fp = open_for_writing(pid_file)) == NULL) {
-		report(LOG_ERR, "could not open pid file %s for writing", pid_file);
-		my_exit(1, 0, 1);
-	} else {
-		fprintf(pid_fp, "%d\n", (int) getpid());
-		fclose(pid_fp);
-	}
-
 	if (! read_configfile(config_file)) {
 		my_exit(1, 1, 1);
 	}
@@ -535,6 +567,12 @@
 	if (keep_pcap)
 		init_pcap(need_promiscuous(), netmask);
 
+	if (drop_privs)
+		drop_privileges(username);
+
+	/* write the pid file after dropping privileges to be able to remove it later */
+	write_pidfile();
+
 	while (1) { /* MAIN EVENT LOOP */
 		libnet_t *l;						/* to iterate through libnet context queue */
 		/* struct pcap_stat ps;	*/			/* to hold pcap stats */
@@ -1189,6 +1227,7 @@
 	fprintf(stderr, "   -Q vlan_id                     tag outgoing frames with an 802.1Q VLAN ID\n");
 	fprintf(stderr, "   -s capture_bufsize             override default capture bufsize [%d]\n", CAPTURE_BUFSIZE);
 	fprintf(stderr, "   -T                             enable the socket receive timeout feature\n");
+	fprintf(stderr, "   -u username                    change uid after setup (use with -k\n");
 	fprintf(stderr, "   -v                             display version number then exit\n");
 	fprintf(stderr, "   -w cwd                         override default working directory [%s]\n", CWD);
 	fprintf(stderr, "   interface_name                 name of ethernet interface\n");
Commit	Line	Data
0d9e0091 JR	1	##dhcp-probe-03-drop-privs.patch - add option to change uid after setup
	2	--- src/dhcp_probe.c.02 2009-08-16 12:31:22.000000000 +0300
	3	+++ src/dhcp_probe.c 2009-08-16 13:47:29.000000000 +0300
	4	@@ -26,6 +26,9 @@
	5	#include "report.h"
	6	#include "utils.h"
	7
	8	+#include <sys/types.h>
	9	+#include <pwd.h>
	10	+
	11	#ifndef lint
	12	static const char rcsid[] = "dhcp_probe version " VERSION;
	13	static const char copyright[] = "Copyright 2000-2008, The Trustees of Princeton University. All rights reserved.";
	14	@@ -50,6 +53,8 @@
	15	int snaplen = CAPTURE_BUFSIZE;
	16	int socket_receive_timeout_feature = 0;
	17	int keep_pcap = 0;
	18	+int drop_privs = 0;
	19	+char *username = NULL;
	20
	21	char *prog = NULL;
	22	char *logfile_name = NULL;
	23	@@ -179,6 +184,40 @@
	24	return packets_recv;
	25	}
	26
	27	+/* drop privileges */
	28	+void
	29	+drop_privileges(const char *username)
	30	+{
	31	+ struct passwd *pw;
	32	+ pw = getpwnam(username);
	33	+ if (pw == NULL) {
	34	+ report(LOG_ERR, "getpwnam: %s", get_errmsg());
	35	+ my_exit(1, 1, 1);
	36	+ }
	37	+ if (debug > 1)
	38	+ report(LOG_INFO, "changing to uid %d gid %d", pw->pw_uid, pw->pw_gid);
	39	+
	40	+ if (setregid(pw->pw_gid, pw->pw_gid)) {
	41	+ report(LOG_ERR, "setregid: %s", get_errmsg());
	42	+ my_exit(1, 1, 1);
	43	+ }
	44	+ if (setreuid(pw->pw_uid, pw->pw_uid)) {
	45	+ report(LOG_ERR, "setreuid: %s", get_errmsg());
	46	+ my_exit(1, 1, 1);
	47	+ }
	48	+}
	49	+
	50	+void write_pidfile(void)
	51	+{
	52	+ FILE *pid_fp;
	53	+ if ((pid_fp = open_for_writing(pid_file)) == NULL) {
	54	+ report(LOG_ERR, "could not open pid file %s for writing", pid_file);
	55	+ my_exit(1, 0, 1);
	56	+ } else {
	57	+ fprintf(pid_fp, "%d\n", (int) getpid());
	58	+ fclose(pid_fp);
	59	+ }
	60	+}
	61
	62	int
	63	main(int argc, char **argv)
	64	@@ -188,7 +227,6 @@
65	extern char *optarg;
66	extern int optind, opterr, optopt;
67	struct sigaction sa;
68	- FILE *pid_fp;
69	char *cwd = CWD;
70
71	int write_packet_len;
72	@@ -208,7 +246,7 @@
73	else
74	prog = argv[0];
75
76	- while ((c = getopt(argc, argv, "c:d:fhkl:o:p:Q:s:Tvw:")) != EOF) {
77	+ while ((c = getopt(argc, argv, "c:d:fhkl:o:p:Q:s:Tu:vw:")) != EOF) {
78	switch (c) {
79	case 'c':
80	if (optarg[0] != '/') {
81	@@ -283,6 +321,10 @@
82	}
83	break;
84	}
85	+ case 'u':
86	+ drop_privs = 1;
87	+ username = optarg;
88	+ break;
89	case 'T':
90	socket_receive_timeout_feature = 1;
91	break;
92	@@ -351,16 +393,6 @@
93	my_exit(1, 0, 1);
94	}
95
96	-
97	- /* write pid file as soon as possible after (possibly) forking */
98	- if ((pid_fp = open_for_writing(pid_file)) == NULL) {
99	- report(LOG_ERR, "could not open pid file %s for writing", pid_file);
100	- my_exit(1, 0, 1);
101	- } else {
102	- fprintf(pid_fp, "%d\n", (int) getpid());
103	- fclose(pid_fp);
104	- }
105	-
106	if (! read_configfile(config_file)) {
107	my_exit(1, 1, 1);
108	}
109	@@ -535,6 +567,12 @@
110	if (keep_pcap)
111	init_pcap(need_promiscuous(), netmask);
112
113	+ if (drop_privs)
114	+ drop_privileges(username);
115	+
116	+ /* write the pid file after dropping privileges to be able to remove it later */
117	+ write_pidfile();
118	+
119	while (1) { /* MAIN EVENT LOOP */
120	libnet_t l; / to iterate through libnet context queue */
121	/* struct pcap_stat ps; / / to hold pcap stats */
122	@@ -1189,6 +1227,7 @@
123	fprintf(stderr, " -Q vlan_id tag outgoing frames with an 802.1Q VLAN ID\n");
124	fprintf(stderr, " -s capture_bufsize override default capture bufsize [%d]\n", CAPTURE_BUFSIZE);
125	fprintf(stderr, " -T enable the socket receive timeout feature\n");
126	+ fprintf(stderr, " -u username change uid after setup (use with -k\n");
127	fprintf(stderr, " -v display version number then exit\n");
128	fprintf(stderr, " -w cwd override default working directory [%s]\n", CWD);
129	fprintf(stderr, " interface_name name of ethernet interface\n");