The following reply was made to PR bin/146266; it has been noted by GNATS. From: dfil...@freebsd.org (dfilter service) To: bug-follo...@freebsd.org Cc: Subject: Re: bin/146266: commit references a PR Date: Mon, 3 May 2010 19:48:40 +0000 (UTC)
Author: delphij Date: Mon May 3 19:48:21 2010 New Revision: 207582 URL: http://svn.freebsd.org/changeset/base/207582 Log: MFC r147906-201389, this sync'ed daemon(8) with -HEAD except the WARNS change. The most important change is the newly added privilege dropping feature by trhodes and others. Requested by: glarkin PR: bin/146266 Modified: stable/6/usr.sbin/daemon/daemon.8 stable/6/usr.sbin/daemon/daemon.c Directory Properties: stable/6/usr.sbin/daemon/ (props changed) Modified: stable/6/usr.sbin/daemon/daemon.8 ============================================================================== --- stable/6/usr.sbin/daemon/daemon.8 Mon May 3 19:38:59 2010 (r207581) +++ stable/6/usr.sbin/daemon/daemon.8 Mon May 3 19:48:21 2010 (r207582) @@ -26,7 +26,7 @@ .\" .\" $FreeBSD$ .\" -.Dd August 30, 2001 +.Dd March 19, 2007 .Dt DAEMON 8 .Os .Sh NAME @@ -36,12 +36,14 @@ .Nm .Op Fl cf .Op Fl p Ar pidfile +.Op Fl u Ar user .Ar command arguments ... .Sh DESCRIPTION The .Nm utility detaches itself from the controlling terminal and executes the program specified by its arguments. +Privileges may be lowered to the specified user. .Pp The options are as follows: .Bl -tag -width indent @@ -54,12 +56,14 @@ Redirect standard input, standard output .It Fl p Ar file Write the ID of the created process into the .Ar file -using +using the .Xr pidfile 3 functionality. Note, that the file will be created shortly before the process is actually executed, and will remain after the process exits (although it will be removed if the execution fails). +.It Fl u Ar user +Run the program with the rights of user specified, requires privilege. .El .Sh EXIT STATUS The @@ -77,6 +81,8 @@ standard error unless the .Fl f flag is specified. .Sh SEE ALSO +.Xr setregid 2 , +.Xr setreuid 2 , .Xr daemon 3 , .Xr exec 3 , .Xr pidfile 3 , Modified: stable/6/usr.sbin/daemon/daemon.c ============================================================================== --- stable/6/usr.sbin/daemon/daemon.c Mon May 3 19:38:59 2010 (r207581) +++ stable/6/usr.sbin/daemon/daemon.c Mon May 3 19:48:21 2010 (r207582) @@ -35,24 +35,27 @@ __FBSDID("$FreeBSD$"); #include <err.h> #include <errno.h> +#include <pwd.h> #include <libutil.h> +#include <login_cap.h> #include <stdio.h> #include <stdlib.h> #include <unistd.h> +static void restrict_process(const char *); static void usage(void); int main(int argc, char *argv[]) { - struct pidfh *pfh; + struct pidfh *pfh = NULL; int ch, nochdir, noclose, errcode; - const char *pidfile; + const char *pidfile, *user; pid_t otherpid; nochdir = noclose = 1; - pidfile = NULL; - while ((ch = getopt(argc, argv, "-cfp:")) != -1) { + pidfile = user = NULL; + while ((ch = getopt(argc, argv, "-cfp:u:")) != -1) { switch (ch) { case 'c': nochdir = 0; @@ -63,6 +66,9 @@ main(int argc, char *argv[]) case 'p': pidfile = optarg; break; + case 'u': + user = optarg; + break; default: usage(); } @@ -72,6 +78,10 @@ main(int argc, char *argv[]) if (argc == 0) usage(); + + if (user != NULL) + restrict_process(user); + /* * Try to open the pidfile before calling daemon(3), * to be able to report the error intelligently @@ -109,9 +119,23 @@ main(int argc, char *argv[]) } static void +restrict_process(const char *user) +{ + struct passwd *pw = NULL; + + pw = getpwnam(user); + if (pw == NULL) + errx(1, "unknown user: %s", user); + + if (setusercontext(NULL, pw, pw->pw_uid, LOGIN_SETALL) != 0) + errx(1, "failed to set user environment"); +} + +static void usage(void) { (void)fprintf(stderr, - "usage: daemon [-cf] [-p pidfile] command arguments ...\n"); + "usage: daemon [-cf] [-p pidfile] [-u user] command " + "arguments ...\n"); exit(1); } _______________________________________________ svn-src-...@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org" _______________________________________________ freebsd-bugs@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-bugs To unsubscribe, send any mail to "freebsd-bugs-unsubscr...@freebsd.org"
