Re: Mathopd ...
Amit Chakradeo
Sat, 02 Aug 2003 11:48:38 -0700
Hi,
Here is a patch against mathopd 1.4 gamma version, which will make
it work with chroot and drop privileges. The only file that
changes is main.c and I am attaching the following patch for that
file.
Please take a look and let me know if you find any problems..
-Amit
--- Begin Message ---Hey Folks, Sorry for replying to my own message, but hurray! I got it working correctly with chroot AND setuid stuff on openbsd. I am enclosing the patch here for review and testing. This applies to main.c from version 1.4-gamma (whatever that means) If you are running mathopd, please try to use the options User www and StayRoot Off --Amit On Thu, Jul 31, 2003 at 08:40:45AM -0700, Amit Chakradeo wrote: > On Thu, 31 Jul 2003 02:03:59 -0700 > Michael Ray <[EMAIL PROTECTED]> wrote: > > > > > http://www.mail-archive.com/mathopd%40mathopd.org/msg00075.html > > > > The author here is suggesting to copy over the files to the chroot. I was thinking > more in terms of opening all the files necessary before calling chroot. (Like > openbsd's apache does). The tradeoffs of doing chrott early v/s late are copying > files and devices to chroot directory v/s living dangerously for a longer time with > root privileges. > > Anyways, I am using publicfile and liking it so far. Now if only it had PHP and SSL > :) > > --Amit >*** /tmp/mathopd-1.4/src/main.c Sat May 11 16:20:21 2002 --- main.c Thu Jul 31 16:30:57 2003 *************** *** 154,160 **** struct server *s; char buf[10]; struct rlimit rl; ! struct passwd *pwd; const char *message; const char *config_filename; --- 154,160 ---- struct server *s; char buf[10]; struct rlimit rl; ! struct passwd *pwd= NULL; const char *message; const char *config_filename; *************** *** 207,219 **** startup_server(s); s = s->next; } ! if (rootdir) { ! if (chroot(rootdir) == -1) ! die("chroot", 0); ! if (chdir("/") == -1) ! die("chdir", 0); ! } ! setuid(geteuid()); if (geteuid() == 0) { if (user_name == 0) die(0, "No user specified."); --- 207,220 ---- startup_server(s); s = s->next; } ! if (pid_filename) { ! pid_fd = open(pid_filename, O_WRONLY | O_CREAT, 0666); ! if (pid_fd == -1) ! die("open", "Cannot open PID file"); ! } else ! pid_fd = -1; ! if (init_logs() == -1) ! die("open", "Cannot open log files"); if (geteuid() == 0) { if (user_name == 0) die(0, "No user specified."); *************** *** 222,227 **** --- 223,237 ---- die(0, "%s: Unknown user.", user_name); if (pwd->pw_uid == 0) die(0, "%s: Invalid user.", user_name); + } + if (rootdir) { + if (chroot(rootdir) == -1) + die("chroot", 0); + if (chdir("/") == -1) + die("chdir", 0); + } + setuid(geteuid()); + if (geteuid() == 0) { if (initgroups(user_name, pwd->pw_gid) == -1) die("initgroups", 0); if (setgid(pwd->pw_gid) == -1) *************** *** 246,260 **** } setrlimit(RLIMIT_CORE, &rl); umask(fcm); ! if (pid_filename) { ! pid_fd = open(pid_filename, O_WRONLY | O_CREAT, 0666); ! if (pid_fd == -1) ! die("open", "Cannot open PID file"); ! } else ! pid_fd = -1; ! if (init_logs() == -1) ! die("open", "Cannot open log files"); ! if (am_daemon) { dup2(null_fd, 0); dup2(null_fd, 1); dup2(null_fd, 2); --- 256,262 ---- } setrlimit(RLIMIT_CORE, &rl); umask(fcm); ! if (am_daemon) { dup2(null_fd, 0); dup2(null_fd, 1); dup2(null_fd, 2);
pgp00000.pgp
Description: PGP signature
--- End Message ---
- Re: Mathopd ... Amit Chakradeo