author | Pawel Jakub Dawidek <pjd@FreeBSD.org> | 2011-03-21 21:31:50 +0000 |
committer | Pawel Jakub Dawidek <pjd@FreeBSD.org> | 2011-03-21 21:31:50 +0000 |
commit | 4d8dc3b838f066d838cf449cd3b8073a8620e484 (patch) | |
tree | 423b8a1794223b5607ff01f014ec10c088e66a0b | |
parent | f394ce6e5bf976f4449596ad943b045a86cd3690 (diff) | |
When dropping privileges prefer capsicum over chroot+setgid+setuid.
We can use capsicum for secondary worker processes and hastctl.
When working as primary we drop privileges using chroot+setgid+setuid
still, as we need to send ioctl(2)s to the ggate device, which capsicum
doesn't allow (yet).
X-MFC after: capsicum is merged to stable/8
Notes:
svn path=/head/; revision=219847
-rw-r--r-- | sbin/hastctl/hastctl.c | 3 | ||||
-rw-r--r-- | sbin/hastd/primary.c | 2 | ||||
-rw-r--r-- | sbin/hastd/secondary.c | 2 | ||||
-rw-r--r-- | sbin/hastd/subr.c | 16 | ||||
-rw-r--r-- | sbin/hastd/subr.h | 2 |
5 files changed, 19 insertions, 6 deletions
diff --git a/sbin/hastctl/hastctl.c b/sbin/hastctl/hastctl.c
index 67ee76153252..21b121721fc8 100644
--- a/sbin/hastctl/hastctl.c
+++ b/sbin/hastctl/hastctl.c
@@ -480,9 +480,8 @@ main(int argc, char *argv[])
 cfg->hc_controladdr);
 }
- if (drop_privs() != 0)
+ if (drop_privs(true) != 0)
 exit(EX_CONFIG);
- pjdlog_debug(1, "Privileges successfully dropped.");
 /* Send the command to the server... */
 if (hast_proto_send(NULL, controlconn, nv, NULL, 0) < 0) {
diff --git a/sbin/hastd/primary.c b/sbin/hastd/primary.c
index 6b219f866610..73f8f6536c38 100644
--- a/sbin/hastd/primary.c
+++ b/sbin/hastd/primary.c
@@ -874,7 +874,7 @@ hastd_primary(struct hast_resource *res)
 init_ggate(res);
 init_environment(res);
- if (drop_privs() != 0) {
+ if (drop_privs(true) != 0) {
 cleanup(res);
 exit(EX_CONFIG);
 }
diff --git a/sbin/hastd/secondary.c b/sbin/hastd/secondary.c
index bfd999249e88..cdcab0af9a52 100644
--- a/sbin/hastd/secondary.c
+++ b/sbin/hastd/secondary.c
@@ -440,7 +440,7 @@ hastd_secondary(struct hast_resource *res, struct nv *nvin)
 init_local(res);
 init_environment();
- if (drop_privs() != 0)
+ if (drop_privs(true) != 0)
 exit(EX_CONFIG);
 pjdlog_info("Privileges successfully dropped.");
diff --git a/sbin/hastd/subr.c b/sbin/hastd/subr.c
index 213dcd27b869..aa6e5d9a8b08 100644
--- a/sbin/hastd/subr.c
+++ b/sbin/hastd/subr.c
@@ -30,6 +30,7 @@
 #include <sys/cdefs.h>
 __FBSDID("$FreeBSD$");
+#include <sys/capability.h>
 #include <sys/types.h>
 #include <sys/disk.h>
 #include <sys/ioctl.h>
@@ -39,6 +40,7 @@ __FBSDID("$FreeBSD$");
 #include <fcntl.h>
 #include <pwd.h>
 #include <stdarg.h>
+#include <stdbool.h>
 #include <stdio.h>
 #include <string.h>
 #include <unistd.h>
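Review bot: The primary.c hunk calls `drop_privs(true)`, which contradicts the commit message's own statement that the primary must keep chroot+setgid+setuid because it still issues ioctl(2) calls to the ggate device that capsicum does not permit; if cap_enter() succeeds here, those later ioctls would be refused in capability mode. Unless the rendered page dropped the argument, the call should read `if (drop_privs(false) != 0) {`. Passing `true` is consistent with the message for hastctl and the secondary. hastd_primary's body starts and ends outside this hunk, so the ioctl call sites themselves are not visible here.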
@@ -144,13 +146,22 @@ role2str(int role)
 }
 int
-drop_privs(void)
+drop_privs(bool usecapsicum)
 {
 struct passwd *pw;
 uid_t ruid, euid, suid;
 gid_t rgid, egid, sgid;
 gid_t gidset[1];
+ if (usecapsicum) {
+ if (cap_enter() == 0) {
+ pjdlog_debug(1,
+ "Privileges successfully dropped using capsicum.");
+ return (0);
+ }
+ pjdlog_errno(LOG_WARNING, "Unable to sandbox using capsicum");
+ }
 /*
 * According to getpwnam(3) we have to clear errno before calling the
 * function to be able to distinguish between an error and missing
@@ -208,5 +219,8 @@ drop_privs(void)
 PJDLOG_VERIFY(getgroups(1, gidset) == 1);
 PJDLOG_VERIFY(gidset[0] == pw->pw_gid);
+ pjdlog_debug(1,
+ "Privileges successfully dropped using chroot+setgid+setuid.");
+ return (0);
 }
diff --git a/sbin/hastd/subr.h b/sbin/hastd/subr.h
index 0b9b55557af1..179fd0016a48 100644
--- a/sbin/hastd/subr.h
+++ b/sbin/hastd/subr.h
@@ -50,6 +50,6 @@ int snprlcat(char *str, size_t size, const char *fmt, ...);
 int provinfo(struct hast_resource *res, bool dowrite);
 const char *role2str(int role);
-int drop_privs(void);
+int drop_privs(bool usecapsicum);
 #endif /* !_SUBR_H_ */ |
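Review bot: The new capsicum branch in drop_privs returns right after cap_enter() succeeds, and cap_enter() on its own changes neither the process's uid/gid nor the rights on descriptors it already holds, so the sandbox is only as tight as the descriptor set open at the moment of the call; unlike the chroot path below, nothing here verifies the resulting state. That trade-off should be stated where callers will see it, e.g. above `if (usecapsicum) {`: `/* Capsicum: uid/gid and rights on already-open descriptors are left untouched; a cap_enter() failure falls back to chroot+setgid+setuid below. */`. The prototype in subr.h would benefit from the same one-line note on `int drop_privs(bool usecapsicum);`. The chroot+setgid+setuid part of drop_privs lies between the two hunks and is not visible here.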