The purpose of this change is to allow users to configure radvd to run
in unprivileged mode. Per the radvd man page:
radvd(8) - Linux man page
http://linux.die.net/man/8/radvd
-u username, --username username
If specified, drops root privileges and changes user ID to username and
group ID to the primary group of username. This is recommended for
security reasons. You might also need to use -p to point to a file in a
username -writable directory (e.g. /var/run/radvd/radvd.pid).
This patch can parse three new fields in /etc/config/radvd, under
"config radvd", specifically:
option secure_mode 1
option username 'nobody'
option group 'nogroup'
I think the above is fairly self explanatory. When run with the "-u"
option, radvd spawns two processes, one with root privileges for
interface configuration purposes and another, unprivileged process, for
everything else. With none of these options configured radvd will
operate as it always has.
This patch has been updated to work with the new service wrapper in
trunk and also removes the hotplug patch, as it's no longer being used by
radvd as per a previous fix.
Signed-off-by: Adam Gensler <openwrt at kristenandadam.net>
---
Index: feeds/packages/ipv6/radvd/files/radvd.init
===================================================================
--- feeds/packages/ipv6/radvd/files/radvd.init (revision 29672)
+++ feeds/packages/ipv6/radvd/files/radvd.init (working copy)
@@ -411,6 +411,30 @@
return 0
}
+radvd_start_secure() {
+ local cfg=$1
+ local secure
+
+ validate_varname "$cfg" || return 0
+
+ config_get_bool secure "$cfg" secure_mode 0
+ [ "$secure" -ne 1 ] && return 0
+
+ config_get RADVD_USERNAME "$cfg" username
+ if [ -z "$RADVD_USERNAME" ]; then
+ logger -t "radvd startup" "username required for secure mode, radvd
will run as root"
+ return 1
+ fi
+
+ config_get RADVD_GROUP "$cfg" group
+ if [ -z "$RADVD_GROUP" ] ; then
+ logger -t "radvd startup" "group required for secure mode, radvd
will run as root"
+ return 1
+ fi
+
+ return 0
+}
+
start() {
config_load radvd
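Review bot: When secure_mode is 1 but username or group is unset, radvd_start_secure logs and returns 1, yet start() still launches radvd as root, because as far as I can tell config_foreach discards the callback's exit status — a misconfigured secure mode fails open instead of refusing to start. Consider recording the failure in a variable start() can check, e.g. `RADVD_SECURE_FAILED=1` before each `return 1`, so start() can bail out with `[ -n "$RADVD_SECURE_FAILED" ] && return 1`, or at minimum raise the log priority with `logger -p daemon.warning`. Note also that `group` is only used to chown the pid directory, while per the quoted man page radvd itself runs with the primary group of username, so the two can silently differ; a comment such as `# group only owns /var/run/radvd; radvd -u uses username's primary group` would make that explicit. The hunk's tail, start(), continues outside this hunk.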
@@ -429,7 +453,18 @@
sysctl -w net.ipv6.conf.all.forwarding=1 > /dev/null 2> /dev/null
- service_start /usr/sbin/radvd -C "$RADVD_CONFIG_FILE" -m
stderr_syslog -p /var/run/radvd.pid
+ RADVD_USERNAME=
+ RADVD_GROUP=
+ config_foreach radvd_start_secure radvd
+
+ if [ ! -z "$RADVD_USERNAME" ] && [ ! -z "$RADVD_GROUP" ]; then
+ mkdir -p /var/run/radvd
+ chown $RADVD_USERNAME:$RADVD_GROUP /var/run/radvd
+ service_start /usr/sbin/radvd -u $RADVD_USERNAME -C
"$RADVD_CONFIG_FILE" -m stderr_syslog -p /var/run/radvd/radvd.pid
+ else
+ mkdir -p /var/run/radvd
+ service_start /usr/sbin/radvd -C "$RADVD_CONFIG_FILE" -m
stderr_syslog -p /var/run/radvd/radvd.pid
+ fi
}
stop() {
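Review bot: The username and group are expanded unquoted into `chown` and `-u`, and `mkdir -p /var/run/radvd` is duplicated in both branches; hoisting the mkdir above the `if` and quoting the expansions (`chown "$RADVD_USERNAME:$RADVD_GROUP" /var/run/radvd || return 1`, `-u "$RADVD_USERNAME"`) leaves the two branches differing only in the `-u` argument and stops radvd from being started when the chown fails (e.g. the configured user does not exist). The pid file moves from /var/run/radvd.pid to /var/run/radvd/radvd.pid in both branches; if stop() or anything else still reads the old path it needs the same update — stop() starts on the hunk's last line and its body is outside the hunk. `[ ! -z "$RADVD_USERNAME" ]` also reads more naturally as `[ -n "$RADVD_USERNAME" ]`.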