]> git.pld-linux.org Git - packages/dhcp_probe.git/blob - dhcp_probe-virta-03-drop-privs.patch
- updated to 1.3.1
1 ##dhcp-probe-03-drop-privs.patch - add option to change uid after setup
2 --- src/dhcp_probe.c.02 2009-08-16 12:31:22.000000000 +0300
3 +++ src/dhcp_probe.c    2009-08-16 13:47:29.000000000 +0300
4 @@ -26,6 +26,9 @@
5  #include "report.h"
6  #include "utils.h"
7  
8 +#include <sys/types.h>
9 +#include <pwd.h>
10 +
11  #ifndef lint
12  static const char rcsid[] = "dhcp_probe version " VERSION;
13  static const char copyright[] = "Copyright 2000-2008, The Trustees of Princeton University.  All rights reserved.";
14 @@ -50,6 +53,8 @@
15  int snaplen = CAPTURE_BUFSIZE;
16  int socket_receive_timeout_feature = 0;
17  int keep_pcap = 0;
18 +int drop_privs = 0;
19 +char *username = NULL;
20  
21  char *prog = NULL;
22  char *logfile_name = NULL;
23 @@ -179,6 +184,40 @@
24         return packets_recv;
25  }
26  
27 +/* drop privileges */
28 +void 
29 +drop_privileges(const char *username)
30 +{
31 +       struct passwd *pw;
32 +       pw = getpwnam(username);
33 +       if (pw == NULL) {
34 +               report(LOG_ERR, "getpwnam: %s", get_errmsg());
35 +               my_exit(1, 1, 1);
36 +       }
37 +       if (debug > 1)
38 +               report(LOG_INFO, "changing to uid %d gid %d", pw->pw_uid, pw->pw_gid);
39 +       
40 +       if (setregid(pw->pw_gid, pw->pw_gid)) {
41 +               report(LOG_ERR, "setregid: %s", get_errmsg());
42 +               my_exit(1, 1, 1);
43 +       }
44 +       if (setreuid(pw->pw_uid, pw->pw_uid)) {
45 +               report(LOG_ERR, "setreuid: %s", get_errmsg());
46 +               my_exit(1, 1, 1);
47 +       }
48 +}
49 +
50 +void write_pidfile(void)
51 +{
52 +       FILE *pid_fp;
53 +       if ((pid_fp = open_for_writing(pid_file)) == NULL) {
54 +               report(LOG_ERR, "could not open pid file %s for writing", pid_file);
55 +               my_exit(1, 0, 1);
56 +       } else {
57 +               fprintf(pid_fp, "%d\n", (int) getpid());
58 +               fclose(pid_fp);
59 +       }
60 +}
61  
62  int 
63  main(int argc, char **argv)
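Review bot: `drop_privileges()` sets the real and effective gid and uid but never resets the supplementary group list, so after `-u` the process still holds whatever groups root had at start-up. Call `initgroups()` (or `setgroups(0, NULL)`) before `setregid()`, while the process is still privileged, and add `#include <grp.h>` next to the new `<pwd.h>` include. Separately, `getpwnam()` returns NULL without setting errno when the account does not exist, so the `getpwnam: %s` message may print an unrelated error string; naming the requested user in that message would be clearer.

```c
	pw = getpwnam(username);
	/* … unchanged: NULL check and debug report … */

	/* shed root's supplementary groups while still privileged */
	if (initgroups(pw->pw_name, pw->pw_gid)) {
		report(LOG_ERR, "initgroups: %s", get_errmsg());
		my_exit(1, 1, 1);
	}
	if (setregid(pw->pw_gid, pw->pw_gid)) {
	/* … unchanged: setregid/setreuid error handling … */
```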
64 @@ -188,7 +227,6 @@
65         extern char *optarg;
66         extern int optind, opterr, optopt;
67         struct sigaction sa;
68 -       FILE *pid_fp;
69         char *cwd = CWD;
70  
71         int write_packet_len;
72 @@ -208,7 +246,7 @@
73         else 
74                 prog = argv[0];
75  
76 -       while ((c = getopt(argc, argv, "c:d:fhkl:o:p:Q:s:Tvw:")) != EOF) {
77 +       while ((c = getopt(argc, argv, "c:d:fhkl:o:p:Q:s:Tu:vw:")) != EOF) {
78                 switch (c) {
79                         case 'c':
80                                 if (optarg[0] != '/') {
81 @@ -283,6 +321,10 @@
82                                 }
83                                 break;
84                         }
85 +                       case 'u':
86 +                               drop_privs = 1;
87 +                               username = optarg;
88 +                               break;
89                         case 'T':
90                                 socket_receive_timeout_feature = 1;
91                                 break;
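Review bot: The `-u` case records the user name, but nothing ties it to `-k`, although the usage text added by this patch says to use the two together. Without `-k` the capture handle is presumably reopened inside the main loop, which would fail once the uid has changed; that loop is outside the hunks shown, so confirm. A check placed after the option loop, such as `if (drop_privs && !keep_pcap) { fprintf(stderr, "%s: -u requires -k\n", prog); exit(1); }`, would reject the combination at start-up rather than at the first probe cycle. The switch statement starts and continues outside this hunk.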
92 @@ -351,16 +393,6 @@
93                 my_exit(1, 0, 1);
94         }
95  
96 -
97 -       /* write pid file as soon as possible after (possibly) forking */
98 -       if ((pid_fp = open_for_writing(pid_file)) == NULL) {
99 -               report(LOG_ERR, "could not open pid file %s for writing", pid_file);
100 -               my_exit(1, 0, 1);
101 -       } else {
102 -               fprintf(pid_fp, "%d\n", (int) getpid());
103 -               fclose(pid_fp);
104 -       }
105 -
106         if (! read_configfile(config_file)) {
107                 my_exit(1, 1, 1);
108         }
109 @@ -535,6 +567,12 @@
110         if (keep_pcap)
111                 init_pcap(need_promiscuous(), netmask);
112  
113 +       if (drop_privs)
114 +               drop_privileges(username);
115 +
116 +       /* write the pid file after dropping privileges to be able to remove it later */
117 +       write_pidfile();
118 +
119         while (1) { /* MAIN EVENT LOOP */
120                 libnet_t *l;                                            /* to iterate through libnet context queue */
121                 /* struct pcap_stat ps; */                      /* to hold pcap stats */
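Review bot: Calling `write_pidfile()` after `drop_privileges()` means the pid file is created by, and stays writable to, the `-u` account, so a root-run stop script that signals the pid it reads from that file is trusting a value that account controls. It also means a pid file left behind by an earlier root-run instance probably cannot be overwritten, and the daemon would exit through the `could not open pid file` path; `open_for_writing()` is not shown, so confirm. The existing comment gives the reason for the ordering; I would extend it to `/* written as the -u user so it can be removed at exit: keep pid_file in a directory owned by that user, and do not let privileged scripts trust its contents */`. main() starts and continues outside this hunk.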
122 @@ -1189,6 +1227,7 @@
123         fprintf(stderr, "   -Q vlan_id                     tag outgoing frames with an 802.1Q VLAN ID\n");
124         fprintf(stderr, "   -s capture_bufsize             override default capture bufsize [%d]\n", CAPTURE_BUFSIZE);
125         fprintf(stderr, "   -T                             enable the socket receive timeout feature\n");
126 +       fprintf(stderr, "   -u username                    change uid after setup (use with -k\n");
127         fprintf(stderr, "   -v                             display version number then exit\n");
128         fprintf(stderr, "   -w cwd                         override default working directory [%s]\n", CWD);
129         fprintf(stderr, "   interface_name                 name of ethernet interface\n");
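Review bot: The new help line ends with `(use with -k\n`, which leaves the parenthesis unclosed in the usage output. It should read `"   -u username                    change uid after setup (use with -k)\n"`. The enclosing usage function starts and ends outside this hunk.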