mirror of
https://gitlab.isc.org/isc-projects/bind9
synced 2025-08-27 12:38:24 +00:00
299. [cleanup] Get the user and group information before changing the
root directory, so the administrator does not need to keep a copy of the user and group databases in the chroot'ed environment. Suggested by Hakan Olsson.
This commit is contained in:
David Lawrence
parent
6dd953f666
commit
202991557a
9
CHANGES
9
CHANGES
@ -1,3 +1,8 @@
|
|||||||
|
299. [cleanup] Get the user and group information before changing the
|
||||||
|
root directory, so the administrator does not need to
|
||||||
|
keep a copy of the user and group databases in the
|
||||||
|
chroot'ed environment. Suggested by Hakan Olsson.
|
||||||
|
|
||||||
298. [bug] A mutex deadlock occurred during shutdown of the
|
298. [bug] A mutex deadlock occurred during shutdown of the
|
||||||
interface manager under certain conditions.
|
interface manager under certain conditions.
|
||||||
Digital Unix systems were the most affected.
|
Digital Unix systems were the most affected.
|
||||||
@ -23,7 +28,7 @@
|
|||||||
reverts to "name_current" instead of staying as
|
reverts to "name_current" instead of staying as
|
||||||
"name_glue".
|
"name_glue".
|
||||||
|
|
||||||
293. [port] Add support for freebsd 4.0 system tests.
|
293. [port] Add support for FreeBSD 4.0 system tests.
|
||||||
|
|
||||||
292. [bug] Due to problems with the way some operating systems
|
292. [bug] Due to problems with the way some operating systems
|
||||||
handle simultaneous listening on IPv4 and IPv6
|
handle simultaneous listening on IPv4 and IPv6
|
||||||
@ -66,7 +71,7 @@
|
|||||||
283. [cleanup] The 'lwresd' program is now a link to 'named'.
|
283. [cleanup] The 'lwresd' program is now a link to 'named'.
|
||||||
|
|
||||||
282. [bug] The lexer now returns ISC_R_RANGE if parsed integer is
|
282. [bug] The lexer now returns ISC_R_RANGE if parsed integer is
|
||||||
too big for an usigned long.
|
too big for an unsigned long.
|
||||||
|
|
||||||
281. [bug] Fixed list of recognized config file category names.
|
281. [bug] Fixed list of recognized config file category names.
|
||||||
|
|
||||||
|
|||||||
@ -15,7 +15,7 @@
|
|||||||
* SOFTWARE.
|
* SOFTWARE.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
/* $Id: main.c,v 1.71 2000/06/22 21:49:31 tale Exp $ */
|
/* $Id: main.c,v 1.72 2000/07/01 00:48:02 tale Exp $ */
|
||||||
|
|
||||||
#include <config.h>
|
#include <config.h>
|
||||||
|
|
||||||
@ -405,6 +405,13 @@ static void
|
|||||||
setup(void) {
|
setup(void) {
|
||||||
isc_result_t result;
|
isc_result_t result;
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Get the user and group information before changing the root
|
||||||
|
* directory, so the administrator does not need to keep a copy
|
||||||
|
* of the user and group databases in the chroot'ed environment.
|
||||||
|
*/
|
||||||
|
ns_os_inituserinfo(ns_g_username);
|
||||||
|
|
||||||
ns_os_chroot(ns_g_chrootdir);
|
ns_os_chroot(ns_g_chrootdir);
|
||||||
|
|
||||||
/*
|
/*
|
||||||
@ -415,7 +422,7 @@ setup(void) {
|
|||||||
* time. (We need to read the config file to know which possibly
|
* time. (We need to read the config file to know which possibly
|
||||||
* privileged ports to bind() to.)
|
* privileged ports to bind() to.)
|
||||||
*/
|
*/
|
||||||
ns_os_minprivs(ns_g_username);
|
ns_os_minprivs();
|
||||||
|
|
||||||
result = ns_log_init(ISC_TF(ns_g_username != NULL));
|
result = ns_log_init(ISC_TF(ns_g_username != NULL));
|
||||||
if (result != ISC_R_SUCCESS)
|
if (result != ISC_R_SUCCESS)
|
||||||
|
|||||||
@ -15,7 +15,7 @@
|
|||||||
* SOFTWARE.
|
* SOFTWARE.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
/* $Id: server.c,v 1.200 2000/06/23 01:08:29 gson Exp $ */
|
/* $Id: server.c,v 1.201 2000/07/01 00:48:03 tale Exp $ */
|
||||||
|
|
||||||
#include <config.h>
|
#include <config.h>
|
||||||
|
|
||||||
@ -1334,7 +1334,7 @@ load_configuration(const char *filename, ns_server_t *server,
|
|||||||
* Relinquish root privileges.
|
* Relinquish root privileges.
|
||||||
*/
|
*/
|
||||||
if (first_time)
|
if (first_time)
|
||||||
ns_os_changeuser(ns_g_username);
|
ns_os_changeuser();
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Configure the logging system.
|
* Configure the logging system.
|
||||||
|
|||||||
@ -15,7 +15,7 @@
|
|||||||
* SOFTWARE.
|
* SOFTWARE.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
/* $Id: os.h,v 1.7 2000/06/22 21:49:58 tale Exp $ */
|
/* $Id: os.h,v 1.8 2000/07/01 00:48:06 tale Exp $ */
|
||||||
|
|
||||||
#ifndef NS_OS_H
|
#ifndef NS_OS_H
|
||||||
#define NS_OS_H 1
|
#define NS_OS_H 1
|
||||||
@ -32,10 +32,13 @@ void
|
|||||||
ns_os_chroot(const char *root);
|
ns_os_chroot(const char *root);
|
||||||
|
|
||||||
void
|
void
|
||||||
ns_os_changeuser(const char *username);
|
ns_os_inituserinfo(const char *username);
|
||||||
|
|
||||||
void
|
void
|
||||||
ns_os_minprivs(const char *username);
|
ns_os_changeuser(void);
|
||||||
|
|
||||||
|
void
|
||||||
|
ns_os_minprivs(void);
|
||||||
|
|
||||||
void
|
void
|
||||||
ns_os_writepidfile(const char *filename);
|
ns_os_writepidfile(const char *filename);
|
||||||
|
|||||||
@ -15,7 +15,7 @@
|
|||||||
* SOFTWARE.
|
* SOFTWARE.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
/* $Id: os.c,v 1.19 2000/06/28 16:26:40 explorer Exp $ */
|
/* $Id: os.c,v 1.20 2000/07/01 00:48:05 tale Exp $ */
|
||||||
|
|
||||||
#include <config.h>
|
#include <config.h>
|
||||||
|
|
||||||
@ -43,6 +43,8 @@ static isc_boolean_t non_root_caps = ISC_FALSE;
|
|||||||
static isc_boolean_t non_root = ISC_FALSE;
|
static isc_boolean_t non_root = ISC_FALSE;
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
static uid_t runas_uid = 0;
|
||||||
|
|
||||||
#ifdef HAVE_LINUX_CAPABILITY_H
|
#ifdef HAVE_LINUX_CAPABILITY_H
|
||||||
|
|
||||||
/*
|
/*
|
||||||
@ -260,7 +262,7 @@ ns_os_chroot(const char *root) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
void
|
void
|
||||||
ns_os_changeuser(const char *username) {
|
ns_os_inituserinfo(const char *username) {
|
||||||
struct passwd *pw;
|
struct passwd *pw;
|
||||||
|
|
||||||
if (username == NULL || getuid() != 0)
|
if (username == NULL || getuid() != 0)
|
||||||
@ -277,28 +279,35 @@ ns_os_changeuser(const char *username) {
|
|||||||
else
|
else
|
||||||
pw = getpwnam(username);
|
pw = getpwnam(username);
|
||||||
endpwent();
|
endpwent();
|
||||||
|
|
||||||
if (pw == NULL)
|
if (pw == NULL)
|
||||||
ns_main_earlyfatal("user '%s' unknown", username);
|
ns_main_earlyfatal("user '%s' unknown", username);
|
||||||
|
|
||||||
if (initgroups(pw->pw_name, pw->pw_gid) < 0)
|
if (initgroups(pw->pw_name, pw->pw_gid) < 0)
|
||||||
ns_main_earlyfatal("initgroups(): %s", strerror(errno));
|
ns_main_earlyfatal("initgroups(): %s", strerror(errno));
|
||||||
|
|
||||||
if (setgid(pw->pw_gid) < 0)
|
if (setgid(pw->pw_gid) < 0)
|
||||||
ns_main_earlyfatal("setgid(): %s", strerror(errno));
|
ns_main_earlyfatal("setgid(): %s", strerror(errno));
|
||||||
if (setuid(pw->pw_uid) < 0)
|
|
||||||
|
runas_uid = pw->pw_uid;
|
||||||
|
}
|
||||||
|
|
||||||
|
void
|
||||||
|
ns_os_changeuser(void) {
|
||||||
|
if (runas_uid != 0 && setuid(runas_uid) < 0)
|
||||||
ns_main_earlyfatal("setuid(): %s", strerror(errno));
|
ns_main_earlyfatal("setuid(): %s", strerror(errno));
|
||||||
}
|
}
|
||||||
|
|
||||||
void
|
void
|
||||||
ns_os_minprivs(const char *username) {
|
ns_os_minprivs(void) {
|
||||||
#ifdef HAVE_LINUX_CAPABILITY_H
|
#ifdef HAVE_LINUX_CAPABILITY_H
|
||||||
#if defined(HAVE_LINUX_PRCTL_H) && defined(PR_SET_KEEPCAPS)
|
#if defined(HAVE_LINUX_PRCTL_H) && defined(PR_SET_KEEPCAPS)
|
||||||
linux_keepcaps();
|
linux_keepcaps();
|
||||||
ns_os_changeuser(username);
|
ns_os_changeuser();
|
||||||
#else
|
|
||||||
(void)username;
|
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
linux_minprivs();
|
linux_minprivs();
|
||||||
#else
|
|
||||||
(void)username;
|
|
||||||
#endif /* HAVE_LINUX_CAPABILITY_H */
|
#endif /* HAVE_LINUX_CAPABILITY_H */
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user