Author: pjd
Date: Mon Mar 21 21:31:50 2011
New Revision: 219847
URL: http://svn.freebsd.org/changeset/base/219847

Log:
  When dropping privileges prefer capsicum over chroot+setgid+setuid.
  We can use capsicum for secondary worker processes and hastctl.
  When working as primary we still drop privileges using chroot+setgid+setuid,
  as we need to send ioctl(2)s to the ggate device, which capsicum
  doesn't allow (yet).
  
  X-MFC after:  capsicum is merged to stable/8

Modified:
  head/sbin/hastctl/hastctl.c
  head/sbin/hastd/primary.c
  head/sbin/hastd/secondary.c
  head/sbin/hastd/subr.c
  head/sbin/hastd/subr.h

Modified: head/sbin/hastctl/hastctl.c
==============================================================================
--- head/sbin/hastctl/hastctl.c Mon Mar 21 21:16:40 2011        (r219846)
+++ head/sbin/hastctl/hastctl.c Mon Mar 21 21:31:50 2011        (r219847)
@@ -480,9 +480,8 @@ main(int argc, char *argv[])
                    cfg->hc_controladdr);
        }
 
-       if (drop_privs() != 0)
+       if (drop_privs(true) != 0)
                exit(EX_CONFIG);
-       pjdlog_debug(1, "Privileges successfully dropped.");
 
        /* Send the command to the server... */
        if (hast_proto_send(NULL, controlconn, nv, NULL, 0) < 0) {

Modified: head/sbin/hastd/primary.c
==============================================================================
--- head/sbin/hastd/primary.c   Mon Mar 21 21:16:40 2011        (r219846)
+++ head/sbin/hastd/primary.c   Mon Mar 21 21:31:50 2011        (r219847)
@@ -874,7 +874,7 @@ hastd_primary(struct hast_resource *res)
        init_ggate(res);
        init_environment(res);
 
-       if (drop_privs() != 0) {
+       if (drop_privs(true) != 0) {
                cleanup(res);
                exit(EX_CONFIG);
        }
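Review bot: hastd_primary now calls `drop_privs(true)`, while the commit message says the primary must keep chroot+setgid+setuid because it still issues ioctl(2)s to the ggate device, which capsicum does not permit; on a kernel with capability mode the cap_enter() path in drop_privs would succeed and those ioctls would then fail. If the log message is right, this call site should read `if (drop_privs(false) != 0) {`. hastd_primary's body continues outside the hunk.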

Modified: head/sbin/hastd/secondary.c
==============================================================================
--- head/sbin/hastd/secondary.c Mon Mar 21 21:16:40 2011        (r219846)
+++ head/sbin/hastd/secondary.c Mon Mar 21 21:31:50 2011        (r219847)
@@ -440,7 +440,7 @@ hastd_secondary(struct hast_resource *re
        init_local(res);
        init_environment();
 
-       if (drop_privs() != 0)
+       if (drop_privs(true) != 0)
                exit(EX_CONFIG);
        pjdlog_info("Privileges successfully dropped.");
 
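Review bot: The `pjdlog_info("Privileges successfully dropped.");` kept right after the changed call now repeats what drop_privs itself logs on success, and the hastctl hunk in this same commit removes its equivalent line; either drop it here as well or keep it deliberately because it is emitted at info rather than debug level, in which case a short comment saying so would help. hastd_secondary's body continues outside the hunk.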

Modified: head/sbin/hastd/subr.c
==============================================================================
--- head/sbin/hastd/subr.c      Mon Mar 21 21:16:40 2011        (r219846)
+++ head/sbin/hastd/subr.c      Mon Mar 21 21:31:50 2011        (r219847)
@@ -30,6 +30,7 @@
 #include <sys/cdefs.h>
 __FBSDID("$FreeBSD$");
 
+#include <sys/capability.h>
 #include <sys/types.h>
 #include <sys/disk.h>
 #include <sys/ioctl.h>
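Review bot: `<sys/capability.h>` is inserted ahead of `<sys/types.h>`, whereas style(9), as I read it, has `<sys/types.h>` (or `<sys/param.h>`) lead the sys headers with the rest sorted alphabetically; the new include belongs between `<sys/types.h>` and `<sys/disk.h>`. Purely a style point, the build is unaffected either way.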
@@ -39,6 +40,7 @@ __FBSDID("$FreeBSD$");
 #include <fcntl.h>
 #include <pwd.h>
 #include <stdarg.h>
+#include <stdbool.h>
 #include <stdio.h>
 #include <string.h>
 #include <unistd.h>
@@ -144,13 +146,22 @@ role2str(int role)
 }
 
 int
-drop_privs(void)
+drop_privs(bool usecapsicum)
 {
        struct passwd *pw;
        uid_t ruid, euid, suid;
        gid_t rgid, egid, sgid;
        gid_t gidset[1];
 
+       if (usecapsicum) {
+               if (cap_enter() == 0) {
+                       pjdlog_debug(1,
+                           "Privileges successfully dropped using capsicum.");
+                       return (0);
+               }
+               pjdlog_errno(LOG_WARNING, "Unable to sandbox using capsicum");
+       }
+
        /*
         * According to getpwnam(3) we have to clear errno before calling the
         * function to be able to distinguish between an error and missing
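Review bot: The capsicum branch returns before any credential change, so a process that enters capability mode keeps its root uid/gid and is never chrooted; capability mode only cuts off global namespaces, and a compromised worker would still hold full credentials inside the sandbox. Running the chroot+setgid+setuid sequence unconditionally and calling cap_enter() afterwards gives both layers, and that order is forced anyway because chroot(2) is not permitted once in capability mode. Concretely, this block should move to the end of the function, next to the final debug message in the second drop_privs hunk, with a failed cap_enter() still only a warning. The rest of drop_privs lies between the two hunks.
```c
	PJDLOG_VERIFY(gidset[0] == pw->pw_gid);

	/* … unchanged: getpwnam, chroot, setgroups/setgid/setuid and the verifications above … */
	if (usecapsicum) {
		if (cap_enter() == 0) {
			pjdlog_debug(1,
			    "Privileges successfully dropped using chroot+setgid+setuid+capsicum.");
			return (0);
		}
		pjdlog_errno(LOG_WARNING, "Unable to sandbox using capsicum");
	}
	pjdlog_debug(1,
	    "Privileges successfully dropped using chroot+setgid+setuid.");

	return (0);
```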
@@ -208,5 +219,8 @@ drop_privs(void)
        PJDLOG_VERIFY(getgroups(1, gidset) == 1);
        PJDLOG_VERIFY(gidset[0] == pw->pw_gid);
 
+       pjdlog_debug(1,
+           "Privileges successfully dropped using chroot+setgid+setuid.");
+
        return (0);
 }

Modified: head/sbin/hastd/subr.h
==============================================================================
--- head/sbin/hastd/subr.h      Mon Mar 21 21:16:40 2011        (r219846)
+++ head/sbin/hastd/subr.h      Mon Mar 21 21:31:50 2011        (r219847)
@@ -50,6 +50,6 @@ int snprlcat(char *str, size_t size, con
 
 int provinfo(struct hast_resource *res, bool dowrite);
 const char *role2str(int role);
-int drop_privs(void);
+int drop_privs(bool usecapsicum);
 
 #endif /* !_SUBR_H_ */