All,
Here's an updated version of the radvd.init patch. There's a slight adjustment
here from the original version.
Index: radvd.init
===================================================================
--- radvd.init (revision 28379)
+++ radvd.init (working copy)
@@ -407,6 +407,30 @@
return 0
}
+radvd_start_secure() {
+ local cfg=$1
+ local secure
+
+ validate_varname "$cfg" || return 0
+
+ config_get_bool secure "$cfg" secure_mode 0
+ [ "$secure" -ne 1 ] && return 0
+
+ config_get RADVD_USERNAME "$cfg" username
+ if [ -z "$RADVD_USERNAME" ]; then
+ logger -t "radvd startup" "username required for secure mode,
radvd will run as root"
+ return 1
+ fi
+
+ config_get RADVD_GROUP "$cfg" group
+ if [ -z "$RADVD_GROUP" ] ; then
+ logger -t "radvd startup" "group required for secure mode,
radvd will run as root"
+ return 1
+ fi
+
+ return 0
+}
+
start() {
config_load radvd
@@ -425,7 +449,18 @@
sysctl -w net.ipv6.conf.all.forwarding=1 > /dev/null 2> /dev/null
- radvd -C "$RADVD_CONFIG_FILE" -m stderr_syslog -p /var/run/radvd.pid
+ RADVD_USERNAME=
+ RADVD_GROUP=
+ config_foreach radvd_start_secure radvd
+
+ if [ ! -z "$RADVD_USERNAME" ] && [ ! -z "$RADVD_GROUP" ]; then
+ mkdir -p /var/run/radvd
+ chown $RADVD_USERNAME:$RADVD_GROUP /var/run/radvd
+ radvd -u $RADVD_USERNAME -C "$RADVD_CONFIG_FILE" -m
stderr_syslog -p /var/run/radvd/radvd.pid
+ else
+ mkdir -p /var/run/radvd
+ radvd -C "$RADVD_CONFIG_FILE" -m stderr_syslog -p
/var/run/radvd/radvd.pid
+ fi
}
stop() {
Any thoughts and input are appreciated. I've spent several days testing this
and it seems to work well. It will spawn two processes, as previously mentioned:
root@alix:~# ps | grep radvd
2208 root 564 S radvd -u nobody -C /var/etc/radvd.conf -m stderr_sysl
2211 nobody 564 S radvd -u nobody -C /var/etc/radvd.conf -m stderr_sysl
Thanks,
Adam
On Oct 8, 2011, at 2:45 PM, Adam Gensler wrote:
> Hmm, it seems the process is dying when the hotplug script is activated. The
> HUP signal is terminating it when running with "-u". Back the drawing board
> here. Sorry for the premature email.
>
> On Oct 8, 2011, at 2:17 PM, Adam Gensler wrote:
>
>> All,
>>
>> This is my first try at a patch and also my first attempt at parsing
>> /etc/config files in OpenWRT. If I've goofed something up please let me
>> know. The purpose of this change is to allow users to config radvd to run in
>> unprivileged mode. Per the radvd man page:
>>
>> radvd(8) - Linux man page
>> http://linux.die.net/man/8/radvd
>>
>> -u username, --username username
>> If specified, drops root privileges and changes user ID to username and
>> group ID to the primary group of username. This is recommended for security
>> reasons. You might also need to use -p to point to a file in a username
>> -writable directory (e.g. /var/run/radvd/radvd.pid).
>>
>> This patch can parse three new fields in /etc/config/radvd, under "config
>> radvd", specifically:
>> option secure_mode 1
>> option username 'nobody'
>> option group 'nogroup'
>>
>> I think the above is fairly self explanatory. When run with the "-u" option,
>> radvd spawns two processes, one with root privileges for interface
>> configuration purposes and another, unprivileged process, for everything
>> else.
>>
>> With none of these options configured radvd will operate as it always has.
>>
>> Any suggestions and / or input would be appreciated. As I said, this is my
>> first crack at working with OpenWRT so there's a possibility I did something
>> incorrect.
>>
>> Thanks in advance,
>> Adam
>> <radvd.init.patch>_______________________________________________
>> openwrt-devel mailing list
>> openwrt-devel@lists.openwrt.org
>> https://lists.openwrt.org/mailman/listinfo/openwrt-devel
>
_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
