jail(2) support to OpenLDAP

Sun, 15 Jan 2006 16:27:48 -0800 

I wrote a patch that add the BSD jail(2) support to slapd(8), you can
find it at this address:

http://www.paolomeschi.com/patches/openldap/openldap-jail.patch

Any comments would be appreciated,

Paolo.

(A copy of this mail has been sent to the OpenLDAP ITS as software enhancement)

I attach down here a copy of the patch:
----------------------------------------------------------------------------------------------------------------

        Copyright 2006 Paolo Meschi <[EMAIL PROTECTED]>

        Redistribution and use in source and binary forms, with or
        without modification, are permitted only as authorized by
        the OpenLDAP Public License.

diff -rNu openldap/configure openldap-jail-patch/configure
--- openldap/configure  2006-01-10 04:07:51.000000000 +0100
+++ openldap-jail-patch/configure       2006-01-15 19:16:12.000000000 +0100
@@ -43391,6 +43391,7 @@
        gettimeofday    \
        initgroups              \
        inet_ntoa_b             \
+       jail                    \
        lockf                   \
        memcpy                  \
        memmove                 \
diff -rNu openldap/configure.in openldap-jail-patch/configure.in
--- openldap/configure.in       2006-01-10 04:07:58.000000000 +0100
+++ openldap-jail-patch/configure.in    2006-01-15 19:15:19.000000000 +0100
@@ -2572,6 +2572,7 @@
        gettimeofday    \
        initgroups              \
        inet_ntoa_b             \
+       jail                    \
        lockf                   \
        memcpy                  \
        memmove                 \
diff -rNu openldap/include/portable.hin openldap-jail-patch/include/portable.hin
--- openldap/include/portable.hin       2006-01-10 04:07:58.000000000 +0100
+++ openldap-jail-patch/include/portable.hin    2006-01-15 19:40:28.000000000 
+0100
@@ -298,6 +298,9 @@
 /* Define to 1 if you have the <io.h> header file. */
 #undef HAVE_IO_H

+/* Define to 1 if you have the `jail' function. */
+#undef HAVE_JAIL
+
 /* define if you have Kerberos */
 #undef HAVE_KERBEROS

diff -rNu openldap/servers/slapd/main.c openldap-jail-patch/servers/slapd/main.c
--- openldap/servers/slapd/main.c       2006-01-03 23:12:14.000000000 +0100
+++ openldap-jail-patch/servers/slapd/main.c    2006-01-15 19:13:57.000000000 
+0100
@@ -39,6 +39,10 @@
 #include "lutil.h"
 #include "ldif.h"

+#ifdef HAVE_JAIL
+#include <sys/jail.h>
+#endif
+
 #ifdef LDAP_SLAPI
 #include "slapi/slapi.h"
 #endif
@@ -291,6 +295,11 @@
                "\t-g group\tGroup (id or name) to run as\n"
 #endif
                "\t-h URLs\t\tList of URLs to serve\n"
+#ifdef HAVE_JAIL
+               "\t-H hostname\tHostname to jail to\n"
+               "\t-i IP\t\tIP address to jail to\n"
+               "\t-j directory\tSandbox directory to jail to\n"
+#endif
 #ifdef LOG_LOCAL4
                "\t-l facility\tSyslog facility (default: LOCAL4)\n"
 #endif
@@ -334,6 +343,9 @@
 #if defined(HAVE_CHROOT)
        char *sandbox = NULL;
 #endif
+#ifdef HAVE_JAIL
+       struct jail j = { 0, NULL, NULL, 0 };
+#endif
 #ifdef LOG_LOCAL4
        int syslogUser = DEFAULT_SYSLOG_USER;
 #endif
@@ -429,6 +441,9 @@
 #ifdef HAVE_CHROOT
                                "r:"
 #endif
+#ifdef HAVE_JAIL
+                               "i:j:H:"
+#endif
 #ifdef LDAP_SYSLOG
                                "S:"
 #endif
@@ -569,6 +584,25 @@
                        break;
 #endif

+#ifdef HAVE_JAIL
+               case 'j':
+                       if( j.path ) free( j.path );
+                       j.path = ch_strdup( optarg );
+                       break;
+               case 'i':
+                       if( ( j.ip_number = ntohl( inet_addr( optarg ) ) )  ==  
INADDR_NONE ) {
+                               fprintf( stderr, "invalid ip\n" );
+                               usage( argv[0] );
+                               rc = 1;
+                               goto stop;
+                       }
+                       break;
+               case 'H':
+                       if( j.hostname ) free( j.hostname );
+                       j.hostname = ch_strdup( optarg );
+                       break;
+#endif
+
 #if defined(HAVE_SETUID) && defined(HAVE_SETGID)
                case 'u':       /* user name */
                        if( username ) free(username);
@@ -665,6 +699,46 @@
                goto stop;
        }

+#if defined(HAVE_JAIL)
+       if ( j.hostname && j.path && ( j.ip_number != 0 ) ) {
+#if defined(HAVE_CHROOT)
+               if( sandbox ) {
+                       fprintf( stderr, "can't both chroot and jail\n" );
+                       rc = 1;
+                       goto stop;
+               }
+#endif /* HAVE_CHROOT */
+               if( chdir( j.path ) ) {
+                       perror("chdir");
+                       rc = 1;
+                       goto stop;
+               }
+               j.version = 0;
+               if( jail( &j ) == -1 ) {
+                       fprintf( stderr, "jail failed\n" );
+                       perror("jail");
+                       rc = 1;
+                       goto stop;
+               }
+               if( chroot( "/" ) ) {
+                       fprintf( stderr, "can't chroot to \"/\" after jail\n" );
+                       perror("chroot");
+                       rc = 1;
+                       goto stop;
+               }
+       } else if( j.hostname || j.path || ( j.ip_number != 0 ) ) {
+               if( !j.hostname )
+                       fprintf( stderr, "missing jail hostname\n" );
+               if( !j.path )
+                       fprintf( stderr, "missing jail path\n" );
+               if( j.ip_number == 0 )
+                       fprintf( stderr, "missing jail ip number\n" );
+               usage( argv[0] );
+               rc = 1;
+               goto stop;
+       }
+#endif
+
 #if defined(HAVE_CHROOT)
        if ( sandbox ) {
                if ( chdir( sandbox ) ) {

Reply via email to