There is a big if clause to call setuid/setgid in the main function in jabberd.c. I've just been moving that around to see what happens. If I put it right before the while(1) loop at the end of the main function, then the process can bind privileged ports, the pidfile is right, root owns the pidfile, and the extra jabberd thread (due to loading dnsrv) is still running as root. That's as close as I have come.

The problem is that, as viewed from the main function, binding the ports and writing the pidfile all happen in one massive atomic step to process the config file. Perhaps the config file should be extended to have a tag for the username to run as. That way, you could arrange the order the steps are taken as the config file is processed.
Jonathan Augenstine wrote:
> Justin,
>
> I have two questions. The first is that have the changes you made to
> reorder the code been contributed back for inclusion with the
> distribution? If not I would be interested in knowing what changes you
> made, as I have great need to implement this. The second question is,
> can you change ownership or permissions on the pid file prior to the fork
> to make it writable to the designated user and rewrite the pid after the
> fork()?
>
> Jonathan
>
>> -----Original Message-----
>> From: Justin Georgeson [mailto:[EMAIL PROTECTED]]
>> Sent: Wednesday, June 05, 2002 6:45 PM
>> To: [EMAIL PROTECTED]
>> Cc: jdev
>> Subject: [JDEV] Re: [jadmin] [jadmin]Port access below 1024
>>
>> It's not so much the ownership, it's that the pid in the pidfile is
>> wrong. I couldn't get the pidfile to be written after the fork. Even on
>> systems that have a tool to kill all processes with a given name
>> (killall jabberd on RedHat for example), that's not always viable, as
>> you might have multiple instances and only want to stop one.
>>
>> Jonathan Augenstine wrote:
>>
>>>> only answer I was given was to have my firewall forward the
>>>> privileged port to the unprivileged port jabber is running on.
>>>
>>> If I had that option available we would not be having this exchange.
>>> Unfortunately.
>>>
>>> Can you clarify what the ramifications are of the problem you describe
>>> below. I understand that the pid file is created by root and as a
>>> consequence the specified user account is unable to access the pid
>>> file. How does this impact?
>>>
>>>> -----Original Message-----
>>>> From: Justin Georgeson [mailto:[EMAIL PROTECTED]]
>>>> Sent: Wednesday, June 05, 2002 11:55 AM
>>>> To: [EMAIL PROTECTED]
>>>> Subject: Re: [jadmin] [jadmin]
>>>>
>>>> Using the -B command line options you can specify what user to run as.
>>>> I have successfully reordered the code to bind to the port before
>>>> calling setuid/setgid and forking. The problem is I have been
>>>> unsuccessful getting all this done before writing the pidfile, so I end
>>>> up with a pidfile with the wrong pid and the process owner can't read.
>>>> I've posted to several lists (this one, jdev, and [EMAIL PROTECTED])
>>>> and the only answer I was given was to have my firewall forward the
>>>> privileged port to the unprivileged port jabber is running on.
>>>>
>>>> Jonathan Augenstine wrote:
>>>>
>>>>> I have a question on running Jabber on non-standard ports. Does
>>>>> anyone have documentation or notes on how to run Jabber on ports
>>>>> below 1024 but not run Jabber as root?
>>>>>
>>>>> Jonathan Augenstine

--
Justin Georgeson
UnBound Technologies, Inc.
http://www.unboundtech.com
Main 713.329.9330
Fax 713.460.4051
Mobile 512.789.1962

5295 Hollister Road
Houston, TX 77040
Real Applications using Real Wireless Intelligence(tm)

_______________________________________________
jdev mailing list
[EMAIL PROTECTED]
http://mailman.jabber.org/listinfo/jdev
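The ordering the thread is circling, as an added example that is not jabberd's code and not what either poster ran: resolve the target account first, bind the listener while still root, write the pidfile after any fork() with the surviving process's own pid and chown it to the target user, drop root (supplementary groups, then gid, then uid) and verify the drop stuck, and only then start worker threads. The function names, the default user "nobody" and the pidfile path are assumptions made for this illustration. The thread-ordering point is the one Justin hits with dnsrv: under the LinuxThreads implementation of that era setuid() changed only the calling thread, so a thread created before the drop kept root; NPTL-based glibc propagates the change to all threads, but creating threads only after the drop is the right design either way.

```c
/* Added example (not jabberd code). Bind as root, write the pidfile after
 * any fork(), drop root, then start threads. Names are assumed. */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <grp.h>
#include <netinet/in.h>
#include <pwd.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Step 1: look up the unprivileged account before touching anything,
 * so a typo in the user name fails before a port is taken. */
int resolve_user(const char *name, uid_t *uid, gid_t *gid)
{
    struct passwd *pw = getpwnam(name);
    if (pw == NULL) return -1;
    *uid = pw->pw_uid;
    *gid = pw->pw_gid;
    return 0;
}

/* Step 2: bind while still root. Port 0 asks the kernel for an ephemeral
 * port, which lets the same code run unprivileged for testing. */
int bind_listener(uint32_t addr_host_order, uint16_t port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    int one = 1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(addr_host_order);
    sa.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 16) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Step 3: write the pidfile AFTER any fork(), with the daemon's own pid,
 * and hand it to the target user so it can later read and unlink it.
 * chown() only matters while still root, so it is skipped otherwise. */
int write_pidfile(const char *path, pid_t pid, uid_t owner, gid_t group)
{
    FILE *f = fopen(path, "w");
    if (f == NULL) return -1;
    fprintf(f, "%ld\n", (long)pid);
    if (fclose(f) != 0) return -1;
    if (chmod(path, 0644) < 0) return -1;
    if (geteuid() == 0 && chown(path, owner, group) < 0) return -1;
    return 0;
}

long read_pidfile(const char *path)
{
    FILE *f = fopen(path, "r");
    if (f == NULL) return -1;
    long pid = -1;
    if (fscanf(f, "%ld", &pid) != 1) pid = -1;
    fclose(f);
    return pid;
}

/* Step 4: drop root for good. Supplementary groups first (needs root),
 * then gid, then uid; then verify every id changed and that root cannot
 * be regained. A target uid of 0 is refused outright. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0) { errno = EINVAL; return -1; }
    if (geteuid() == 0 && setgroups(0, NULL) < 0) return -1;
    if (setgid(gid) < 0) return -1;
    if (setuid(uid) < 0) return -1;
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid) return -1;
    if (setuid(0) != -1) return -1; /* still able to become root: fail closed */
    return 0;
}

int main(int argc, char **argv)
{
    const char *user = argc > 1 ? argv[1] : "nobody";             /* assumed default */
    const char *pidfile = argc > 2 ? argv[2] : "/tmp/example-jabberd.pid";
    uid_t uid; gid_t gid;
    if (resolve_user(user, &uid, &gid) < 0) { perror("getpwnam"); return 1; }
    int fd = bind_listener(INADDR_LOOPBACK, 5222);  /* a port below 1024 works the same way */
    if (fd < 0) { perror("bind"); return 1; }
    /* a daemonize() with fork()+setsid() would go here; the pidfile is
     * written after it so the recorded pid is the surviving process */
    if (write_pidfile(pidfile, getpid(), uid, gid) < 0) { perror("pidfile"); return 1; }
    if (drop_privileges(uid, gid) < 0) { perror("drop_privileges"); return 1; }
    /* only now start worker threads (dnsrv and friends) and the accept loop */
    printf("listening as uid %ld, pid %ld\n", (long)getuid(), (long)getpid());
    close(fd);
    return 0;
}
```

Run it as root with `./example nobody /var/run/example.pid` to see the pidfile owned by nobody and the process holding the socket without root; run it unprivileged and drop_privileges() still succeeds, because it only refuses a target of uid 0 and otherwise verifies that the ids it was given are the ones it ends up with.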
