When running in the reduced privileges in the local socket control mod

make sure we also change ownership of the socket to match ownership of the proxy itself. This allows to run proxy with the same ID as the SER/OpenSER. Reported by: Marcus Better
miconda · Jun 23, 2008 · fd64f99 · fd64f99
1 parent b764962
commit fd64f99
Show file tree

Hide file tree

Showing 6 changed files with 49 additions and 59 deletions.
diff --git a/main.c b/main.c
@@ -24,7 +24,7 @@
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
- * $Id: main.c,v 1.76 2008/06/17 08:34:53 sobomax Exp $
+ * $Id: main.c,v 1.77 2008/06/23 07:33:35 sobomax Exp $
  *
  */
 
@@ -42,9 +42,11 @@
 #include <assert.h>
 #include <errno.h>
 #include <fcntl.h>
+#include <grp.h>
 #include <limits.h>
 #include <netdb.h>
 #include <poll.h>
+#include <pwd.h>
 #include <sched.h>
 #include <stdio.h>
 #include <stdlib.h>
@@ -123,6 +125,8 @@ init_config(struct cfg *cf, int argc, char **argv)
 {
     int ch, i;
     char *bh[2], *bh6[2], *cp;
+    struct passwd *pp;
+    struct group *gp;
 
     bh[0] = bh[1] = bh6[0] = bh6[1] = NULL;
 
@@ -248,6 +252,22 @@ init_config(struct cfg *cf, int argc, char **argv)
 		cp++;
 	    }
 	    cf->run_gname = cp;
+	    cf->run_uid = -1;
+	    cf->run_gid = -1;
+	    if (cf->run_uname != NULL) {
+		pp = getpwnam(cf->run_uname);
+		if (pp == NULL)
+		    err(1, "can't find ID for the user: %s", cf->run_uname);
+		cf->run_uid = pp->pw_uid;
+		if (cf->run_gname == NULL)
+		    cf->run_gid = pp->pw_gid;
+	    }
+	    if (cf->run_gname != NULL) {
+		gp = getgrnam(cf->run_gname);
+		if (gp == NULL)
+		    err(1, "can't find ID for the group: %s", cf->run_gname);
+		cf->run_gid = gp->gr_gid;
+	    }
 	    break;
 
 	case 'F':
@@ -389,6 +409,9 @@ init_controlfd(struct cfg *cf)
 	  sizeof controlfd);
 	if (bind(controlfd, sstosa(&ifsun), sizeof ifsun) < 0)
 	    err(1, "can't bind to a socket");
+	if ((cf->run_uname != NULL || cf->run_gname != NULL) &&
+	  chown(cmd_sock, cf->run_uid, cf->run_gid) == -1)
+	    err(1, "can't set owner of the socket");
 	if (listen(controlfd, 32) != 0)
 	    err(1, "can't listen on a socket");
     } else {
@@ -763,7 +786,7 @@ main(int argc, char **argv)
     signal(SIGUSR2, fatsignal);
 
     if (cf.run_uname != NULL || cf.run_gname != NULL) {
-	if (drop_privileges(&cf, cf.run_uname, cf.run_gname) != 0) {
+	if (drop_privileges(&cf) != 0) {
 	    rtpp_log_ewrite(RTPP_LOG_ERR, cf.glog,
 	      "can't switch to requested user/group");
 	    exit(1);

diff --git a/rtpp_defines.h b/rtpp_defines.h
@@ -24,7 +24,7 @@
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
- * $Id: rtpp_defines.h,v 1.13 2008/06/16 22:18:55 sobomax Exp $
+ * $Id: rtpp_defines.h,v 1.14 2008/06/23 07:33:35 sobomax Exp $
  *
  */
 
@@ -123,6 +123,9 @@ struct cfg {
     rtpp_ttl_mode ttl_mode;
 
     struct rtpp_timeout_handler timeout_handler;
+
+    uid_t run_uid;
+    gid_t run_gid;
 };
 
 #endif
diff --git a/rtpp_network.c b/rtpp_network.c
@@ -24,7 +24,7 @@
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
- * $Id: rtpp_network.c,v 1.6 2008/03/18 02:26:29 sobomax Exp $
+ * $Id: rtpp_network.c,v 1.7 2008/06/23 07:33:35 sobomax Exp $
  *
  */
 
@@ -172,37 +172,19 @@ seedrandom(void)
 }
 
 int
-drop_privileges(struct cfg *cf, char *uname, char *gname)
+drop_privileges(struct cfg *cf)
 {
-    struct passwd *pp;
-    struct group *gp;
 
-    if (gname != NULL) {
-	gp = getgrnam(gname);
-	if (gp == NULL) {
-	    rtpp_log_ewrite(RTPP_LOG_ERR, cf->glog, "can't find ID for the group: %s", gname);
-	    return -1;
-	}
-	if (setgid(gp->gr_gid) != 0) {
-	    rtpp_log_ewrite(RTPP_LOG_ERR, cf->glog, "can't set current group ID: %d", gp->gr_gid);
+    if (cf->run_gname != NULL) {
+	if (setgid(cf->run_gid) != 0) {
+	    rtpp_log_ewrite(RTPP_LOG_ERR, cf->glog, "can't set current group ID: %d", cf->run_gid);
 	    return -1;
 	}
     }
-    if (uname == NULL)
+    if (cf->run_uname == NULL)
 	return 0;
-    pp = getpwnam(uname);
-    if (pp == NULL) {
-	rtpp_log_ewrite(RTPP_LOG_ERR, cf->glog, "can't find ID for the user: %s", uname);
-	return -1;
-    }
-    if (gname == NULL) {
-	if (setgid(pp->pw_gid) != 0) {
-	    rtpp_log_ewrite(RTPP_LOG_ERR, cf->glog, "can't set current group ID: %d", pp->pw_gid);
-	    return -1;
-	}
-    }
-    if (setuid(pp->pw_uid) != 0) {
-	rtpp_log_ewrite(RTPP_LOG_ERR, cf->glog, "can't set current user ID: %d", pp->pw_uid);
+    if (setuid(cf->run_uid) != 0) {
+	rtpp_log_ewrite(RTPP_LOG_ERR, cf->glog, "can't set current user ID: %d", cf->run_uid);
 	return -1;
     }
     return 0;

diff --git a/rtpp_network.h b/rtpp_network.h
@@ -24,7 +24,7 @@
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
- * $Id: rtpp_network.h,v 1.6 2008/04/01 22:32:03 sobomax Exp $
+ * $Id: rtpp_network.h,v 1.7 2008/06/23 07:33:35 sobomax Exp $
  *
  */
 
@@ -53,7 +53,7 @@ const char *addr2char(struct sockaddr *);
 double getctime(void);
 int resolve(struct sockaddr *, int, const char *, const char *, int);
 void seedrandom(void);
-int drop_privileges(struct cfg *, char *, char *);
+int drop_privileges(struct cfg *);
 
 /* Stripped down version of sockaddr_in* for saving space */
 struct sockaddr_in4_s {

diff --git a/rtpp_util.c b/rtpp_util.c
@@ -24,7 +24,7 @@
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
- * $Id: rtpp_util.c,v 1.6 2008/03/18 02:26:29 sobomax Exp $
+ * $Id: rtpp_util.c,v 1.7 2008/06/23 07:33:35 sobomax Exp $
  *
  */
 
@@ -172,37 +172,19 @@ seedrandom(void)
 }
 
 int
-drop_privileges(struct cfg *cf, char *uname, char *gname)
+drop_privileges(struct cfg *cf)
 {
-    struct passwd *pp;
-    struct group *gp;
 
-    if (gname != NULL) {
-	gp = getgrnam(gname);
-	if (gp == NULL) {
-	    rtpp_log_ewrite(RTPP_LOG_ERR, cf->glog, "can't find ID for the group: %s", gname);
-	    return -1;
-	}
-	if (setgid(gp->gr_gid) != 0) {
-	    rtpp_log_ewrite(RTPP_LOG_ERR, cf->glog, "can't set current group ID: %d", gp->gr_gid);
+    if (cf->run_gname != NULL) {
+	if (setgid(cf->run_gid) != 0) {
+	    rtpp_log_ewrite(RTPP_LOG_ERR, cf->glog, "can't set current group ID: %d", cf->run_gid);
 	    return -1;
 	}
     }
-    if (uname == NULL)
+    if (cf->run_uname == NULL)
 	return 0;
-    pp = getpwnam(uname);
-    if (pp == NULL) {
-	rtpp_log_ewrite(RTPP_LOG_ERR, cf->glog, "can't find ID for the user: %s", uname);
-	return -1;
-    }
-    if (gname == NULL) {
-	if (setgid(pp->pw_gid) != 0) {
-	    rtpp_log_ewrite(RTPP_LOG_ERR, cf->glog, "can't set current group ID: %d", pp->pw_gid);
-	    return -1;
-	}
-    }
-    if (setuid(pp->pw_uid) != 0) {
-	rtpp_log_ewrite(RTPP_LOG_ERR, cf->glog, "can't set current user ID: %d", pp->pw_uid);
+    if (setuid(cf->run_uid) != 0) {
+	rtpp_log_ewrite(RTPP_LOG_ERR, cf->glog, "can't set current user ID: %d", cf->run_uid);
 	return -1;
     }
     return 0;

diff --git a/rtpp_util.h b/rtpp_util.h
@@ -24,7 +24,7 @@
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
- * $Id: rtpp_util.h,v 1.6 2008/04/01 22:32:03 sobomax Exp $
+ * $Id: rtpp_util.h,v 1.7 2008/06/23 07:33:35 sobomax Exp $
  *
  */
 
@@ -53,7 +53,7 @@ const char *addr2char(struct sockaddr *);
 double getctime(void);
 int resolve(struct sockaddr *, int, const char *, const char *, int);
 void seedrandom(void);
-int drop_privileges(struct cfg *, char *, char *);
+int drop_privileges(struct cfg *);
 
 /* Stripped down version of sockaddr_in* for saving space */
 struct sockaddr_in4_s {