diff options
author | trhodes <trhodes@FreeBSD.org> | 2007-03-19 12:12:53 +0000 |
---|---|---|
committer | trhodes <trhodes@FreeBSD.org> | 2007-03-19 12:12:53 +0000 |
commit | ec817b37e0128dfcb48aea5f597e6dca063aa786 (patch) | |
tree | 9de8f7ca990514482825808908732d101866f13a /usr.sbin/daemon | |
parent | 4aa02da9fa41be3061238274ab7450d4f72b60ac (diff) | |
download | FreeBSD-src-ec817b37e0128dfcb48aea5f597e6dca063aa786.zip FreeBSD-src-ec817b37e0128dfcb48aea5f597e6dca063aa786.tar.gz |
Improve previous commit by using setusercontext(3) and removing the group
option. Bump doc date for manual page changes.
Reviewed by: rwatson, ru, will (older version)
Diffstat (limited to 'usr.sbin/daemon')
-rw-r--r-- | usr.sbin/daemon/daemon.8 | 15 | ||||
-rw-r--r-- | usr.sbin/daemon/daemon.c | 54 |
2 files changed, 24 insertions, 45 deletions
diff --git a/usr.sbin/daemon/daemon.8 b/usr.sbin/daemon/daemon.8 index e94834f..c284427 100644 --- a/usr.sbin/daemon/daemon.8 +++ b/usr.sbin/daemon/daemon.8 @@ -26,7 +26,7 @@ .\" .\" $FreeBSD$ .\" -.Dd March 9, 2007 +.Dd March 19, 2007 .Dt DAEMON 8 .Os .Sh NAME @@ -35,16 +35,15 @@ .Sh SYNOPSIS .Nm .Op Fl cf -.Op Fl u Ar user -.Op Fl g Ar group .Op Fl p Ar pidfile +.Op Fl u Ar user .Ar command arguments ... .Sh DESCRIPTION The .Nm utility detaches itself from the controlling terminal and executes the program specified by its arguments. -Privileges may be lowered to specified user and/or group. +Privileges may be lowered to the specified user. .Pp The options are as follows: .Bl -tag -width indent @@ -54,19 +53,17 @@ Change the current working directory to the root .It Fl f Redirect standard input, standard output and standard error to .Pa /dev/null . -.It Fl g Ar group -Drop privileges to specified group. .It Fl p Ar file Write the ID of the created process into the .Ar file -using -.It Fl u Ar user -Drop privileges to specified user. +using the .Xr pidfile 3 functionality. Note, that the file will be created shortly before the process is actually executed, and will remain after the process exits (although it will be removed if the execution fails). +.It Fl u Ar user +Run the program with the rights of user specified, requires privilege. .El .Sh EXIT STATUS The diff --git a/usr.sbin/daemon/daemon.c b/usr.sbin/daemon/daemon.c index 43c6f8c..4fca144 100644 --- a/usr.sbin/daemon/daemon.c +++ b/usr.sbin/daemon/daemon.c @@ -36,13 +36,13 @@ __FBSDID("$FreeBSD$"); #include <err.h> #include <errno.h> #include <pwd.h> -#include <grp.h> #include <libutil.h> +#include <login_cap.h> #include <stdio.h> #include <stdlib.h> #include <unistd.h> -static void restrict_process(const char *, const char *); +static void restrict_process(const char *); static void usage(void); int @@ -50,12 +50,12 @@ main(int argc, char *argv[]) { struct pidfh *pfh = NULL; int ch, nochdir, noclose, errcode; - const char *pidfile, *user, *group; + const char *pidfile, *user; pid_t otherpid; nochdir = noclose = 1; - pidfile = user = group = NULL; - while ((ch = getopt(argc, argv, "-cfg:p:u:")) != -1) { + pidfile = user = NULL; + while ((ch = getopt(argc, argv, "-cf:p:u:")) != -1) { switch (ch) { case 'c': nochdir = 0; @@ -63,15 +63,12 @@ main(int argc, char *argv[]) case 'f': noclose = 0; break; - case 'u': - user = optarg; - break; - case 'g': - group = optarg; - break; case 'p': pidfile = optarg; break; + case 'u': + user = optarg; + break; default: usage(); } @@ -82,12 +79,8 @@ main(int argc, char *argv[]) if (argc == 0) usage(); - if (user || group) { - if (getuid() != 0) - errx(1, "only root user is allowed to chroot " - "and change UID/GID"); - restrict_process(user, group); - } + if (user != NULL) + restrict_process(user); /* * Try to open the pidfile before calling daemon(3), @@ -126,34 +119,23 @@ main(int argc, char *argv[]) } static void -restrict_process(const char *user, const char *group) +restrict_process(const char *user) { - struct group *gr = NULL; struct passwd *pw = NULL; - errno = 0; - - if (group != NULL) { - if (initgroups(user, gr->gr_gid) == -1) - errx(1, "User not in group list"); - if ((gr = getgrnam(group)) == NULL) - errx(1, "Group %s does not exist", group); - if (setgid(gr->gr_gid) == -1) - err(1, "%s", group); - } - if (user != NULL) { - if ((pw = getpwnam(user)) == NULL) - errx(1, "User %s does not exist", user); - if (setuid(pw->pw_uid) == -1) - err(1, "%s", user); - } + pw = getpwnam(user); + if (pw == NULL) + errx(1, "unknown user: %s", user); + + if (setusercontext(NULL, pw, pw->pw_uid, LOGIN_SETALL) != 0) + errx(1, "failed to set user environment"); } static void usage(void) { (void)fprintf(stderr, - "usage: daemon [-cf] [-g group] [-p pidfile] [-u user] command " + "usage: daemon [-cf] [-p pidfile] [-u user] command " "arguments ...\n"); exit(1); } |