Hi,
Here is a patch against mathopd 1.4 gamma version, which will make
it work with chroot and drop privileges. The only file that
changes is main.c and I am attaching the following patch for that
file.
Please take a look and let me know if you find any problems..
-Amit
--- Begin Message ---
Hey Folks,
Sorry for replying to my own message, but hurray! I got it working
correctly with chroot AND setuid stuff on openbsd. I am enclosing the
patch here for review and testing. This applies to main.c from version
1.4-gamma (whatever that means)
If you are running mathopd, please try to use the options
User www
and
StayRoot Off
--Amit
On Thu, Jul 31, 2003 at 08:40:45AM -0700, Amit Chakradeo wrote:
> On Thu, 31 Jul 2003 02:03:59 -0700
> Michael Ray <[EMAIL PROTECTED]> wrote:
>
> >
> > http://www.mail-archive.com/mathopd%40mathopd.org/msg00075.html
> >
>
> The author here is suggesting to copy over the files to the chroot. I was thinking
> more in terms of opening all the files necessary before calling chroot. (Like
> openbsd's apache does). The tradeoffs of doing chrott early v/s late are copying
> files and devices to chroot directory v/s living dangerously for a longer time with
> root privileges.
>
> Anyways, I am using publicfile and liking it so far. Now if only it had PHP and SSL
> :)
>
> --Amit
>
*** /tmp/mathopd-1.4/src/main.c Sat May 11 16:20:21 2002
--- main.c Thu Jul 31 16:30:57 2003
***************
*** 154,160 ****
struct server *s;
char buf[10];
struct rlimit rl;
! struct passwd *pwd;
const char *message;
const char *config_filename;
--- 154,160 ----
struct server *s;
char buf[10];
struct rlimit rl;
! struct passwd *pwd= NULL;
const char *message;
const char *config_filename;
***************
*** 207,219 ****
startup_server(s);
s = s->next;
}
! if (rootdir) {
! if (chroot(rootdir) == -1)
! die("chroot", 0);
! if (chdir("/") == -1)
! die("chdir", 0);
! }
! setuid(geteuid());
if (geteuid() == 0) {
if (user_name == 0)
die(0, "No user specified.");
--- 207,220 ----
startup_server(s);
s = s->next;
}
! if (pid_filename) {
! pid_fd = open(pid_filename, O_WRONLY | O_CREAT, 0666);
! if (pid_fd == -1)
! die("open", "Cannot open PID file");
! } else
! pid_fd = -1;
! if (init_logs() == -1)
! die("open", "Cannot open log files");
if (geteuid() == 0) {
if (user_name == 0)
die(0, "No user specified.");
***************
*** 222,227 ****
--- 223,237 ----
die(0, "%s: Unknown user.", user_name);
if (pwd->pw_uid == 0)
die(0, "%s: Invalid user.", user_name);
+ }
+ if (rootdir) {
+ if (chroot(rootdir) == -1)
+ die("chroot", 0);
+ if (chdir("/") == -1)
+ die("chdir", 0);
+ }
+ setuid(geteuid());
+ if (geteuid() == 0) {
if (initgroups(user_name, pwd->pw_gid) == -1)
die("initgroups", 0);
if (setgid(pwd->pw_gid) == -1)
***************
*** 246,260 ****
}
setrlimit(RLIMIT_CORE, &rl);
umask(fcm);
! if (pid_filename) {
! pid_fd = open(pid_filename, O_WRONLY | O_CREAT, 0666);
! if (pid_fd == -1)
! die("open", "Cannot open PID file");
! } else
! pid_fd = -1;
! if (init_logs() == -1)
! die("open", "Cannot open log files");
! if (am_daemon) {
dup2(null_fd, 0);
dup2(null_fd, 1);
dup2(null_fd, 2);
--- 256,262 ----
}
setrlimit(RLIMIT_CORE, &rl);
umask(fcm);
! if (am_daemon) {
dup2(null_fd, 0);
dup2(null_fd, 1);
dup2(null_fd, 2);
pgp00000.pgp
Description: PGP signature
--- End Message ---
