[people/teissler/ipfire-2.x.git] / src / patches / sysklogd-1.4.1-caen-owl-syslogd-drop-root.diff

diff -ur sysklogd-1.4.1-caen-owl-syslogd-bind/sysklogd.8 sysklogd-1.4.1/sysklogd.8
--- sysklogd-1.4.1-caen-owl-syslogd-bind/sysklogd.8	Mon Oct  8 07:26:27 2001
+++ sysklogd-1.4.1/sysklogd.8	Mon Oct  8 07:30:31 2001
@@ -32,6 +32,9 @@
 .RB [ " \-s "
 .I domainlist
 ]
+.RB [ " \-u"
+.IB username
+]
 .RB [ " \-v " ]
 .LP
 .SH DESCRIPTION
@@ -159,6 +162,19 @@
 is specified and the host logging resolves to satu.infodrom.north.de
 no domain would be cut, you will have to specify two domains like:
 .BR "\-s north.de:infodrom.north.de" .
+.TP
+.BI "\-u " "username"
+This causes the
+.B syslogd
+daemon to become the named user before starting up logging.
+
+Note that when this option is in use,
+.B syslogd
+will open all log files as root when the daemon is first started;
+however, after a
+.B SIGHUP
+the files will be reopened as the non-privileged user.  You should
+take this into account when deciding the ownership of the log files.
 .TP
 .B "\-v"
 Print version and exit.
diff -ur sysklogd-1.4.1-caen-owl-syslogd-bind/syslogd.c sysklogd-1.4.1/syslogd.c
--- sysklogd-1.4.1-caen-owl-syslogd-bind/syslogd.c	Mon Oct  8 07:26:27 2001
+++ sysklogd-1.4.1/syslogd.c	Mon Oct  8 07:40:35 2001
@@ -491,6 +491,10 @@
 #include <arpa/nameser.h>
 #include <arpa/inet.h>
 #include <resolv.h>
+
+#include <pwd.h>
+#include <grp.h>
+
 #ifndef TESTING
 #include "pidfile.h"
 #endif
@@ -737,6 +741,7 @@
 				   intermediate host. */
 
 char	*bind_addr = NULL;	/* bind UDP port to this interface only */
+char	*server_user = NULL;	/* user name to run server as */
 
 extern	int errno;
 
@@ -778,6 +783,21 @@
 static int create_inet_socket();
 #endif
 
+static int drop_root(void)
+{
+	struct passwd *pw;
+
+	if (!(pw = getpwnam(server_user))) return -1;
+
+	if (!pw->pw_uid) return -1;
+
+	if (initgroups(server_user, pw->pw_gid)) return -1;
+	if (setgid(pw->pw_gid)) return -1;
+	if (setuid(pw->pw_uid)) return -1;
+
+	return 0;
+}
+
 int main(argc, argv)
 	int argc;
 	char **argv;
@@ -831,7 +851,7 @@
 		funix[i]  = -1;
 	}
 
-	while ((ch = getopt(argc, argv, "a:dhf:i:l:m:np:rs:v")) != EOF)
+	while ((ch = getopt(argc, argv, "a:dhf:i:l:m:np:rs:u:v")) != EOF)
 		switch((char)ch) {
 		case 'a':
 			if (nfunix < MAXFUNIX)
@@ -884,6 +904,9 @@
 			}
 			StripDomains = crunch_list(optarg);
 			break;
+		case 'u':
+			server_user = optarg;
+			break;
 		case 'v':
 			printf("syslogd %s.%s\n", VERSION, PATCHLEVEL);
 			exit (0);
@@ -1031,6 +1054,11 @@
 		kill (ppid, SIGTERM);
 #endif
 
+	if (server_user && drop_root()) {
+		dprintf("syslogd: failed to drop root\n");
+		exit(1);
+	}
+
 	/* Main loop begins here. */
 	for (;;) {
 		int nfds;
@@ -1185,7 +1213,7 @@
 int usage()
 {
 	fprintf(stderr, "usage: syslogd [-drvh] [-l hostlist] [-m markinterval] [-n] [-p path]\n" \
-		" [-s domainlist] [-f conffile] [-i IP address]\n");
+		" [-s domainlist] [-f conffile] [-i IP address] [-u username]\n");
 	exit(1);
 }
Commit	Line	Data
cd1a2927 MT	1	diff -ur sysklogd-1.4.1-caen-owl-syslogd-bind/sysklogd.8 sysklogd-1.4.1/sysklogd.8
	2	--- sysklogd-1.4.1-caen-owl-syslogd-bind/sysklogd.8 Mon Oct 8 07:26:27 2001
	3	+++ sysklogd-1.4.1/sysklogd.8 Mon Oct 8 07:30:31 2001
	4	@@ -32,6 +32,9 @@
	5	.RB [ " \-s "
	6	.I domainlist
	7	]
	8	+.RB [ " \-u"
	9	+.IB username
	10	+]
	11	.RB [ " \-v " ]
	12	.LP
	13	.SH DESCRIPTION
	14	@@ -159,6 +162,19 @@
	15	is specified and the host logging resolves to satu.infodrom.north.de
	16	no domain would be cut, you will have to specify two domains like:
	17	.BR "\-s north.de:infodrom.north.de" .
	18	+.TP
	19	+.BI "\-u " "username"
	20	+This causes the
	21	+.B syslogd
	22	+daemon to become the named user before starting up logging.
	23	+
	24	+Note that when this option is in use,
	25	+.B syslogd
	26	+will open all log files as root when the daemon is first started;
	27	+however, after a
	28	+.B SIGHUP
	29	+the files will be reopened as the non-privileged user. You should
	30	+take this into account when deciding the ownership of the log files.
	31	.TP
	32	.B "\-v"
	33	Print version and exit.
	34	diff -ur sysklogd-1.4.1-caen-owl-syslogd-bind/syslogd.c sysklogd-1.4.1/syslogd.c
	35	--- sysklogd-1.4.1-caen-owl-syslogd-bind/syslogd.c Mon Oct 8 07:26:27 2001
	36	+++ sysklogd-1.4.1/syslogd.c Mon Oct 8 07:40:35 2001
	37	@@ -491,6 +491,10 @@
	38	#include <arpa/nameser.h>
	39	#include <arpa/inet.h>
	40	#include <resolv.h>
	41	+
	42	+#include <pwd.h>
	43	+#include <grp.h>
	44	+
	45	#ifndef TESTING
	46	#include "pidfile.h"
	47	#endif
	48	@@ -737,6 +741,7 @@
	49	intermediate host. */
	50
	51	char bind_addr = NULL; / bind UDP port to this interface only */
	52	+char server_user = NULL; / user name to run server as */
	53
	54	extern int errno;
	55
	56	@@ -778,6 +783,21 @@
	57	static int create_inet_socket();
	58	#endif
	59
	60	+static int drop_root(void)
	61	+{
	62	+ struct passwd *pw;
	63	+
	64	+ if (!(pw = getpwnam(server_user))) return -1;
65	+
66	+ if (!pw->pw_uid) return -1;
67	+
68	+ if (initgroups(server_user, pw->pw_gid)) return -1;
69	+ if (setgid(pw->pw_gid)) return -1;
70	+ if (setuid(pw->pw_uid)) return -1;
71	+
72	+ return 0;
73	+}
74	+
75	int main(argc, argv)
76	int argc;
77	char **argv;
78	@@ -831,7 +851,7 @@
79	funix[i] = -1;
80	}
81
82	- while ((ch = getopt(argc, argv, "a:dhf:i:l:m:np:rs:v")) != EOF)
83	+ while ((ch = getopt(argc, argv, "a:dhf:i:l:m:np:rs:u:v")) != EOF)
84	switch((char)ch) {
85	case 'a':
86	if (nfunix < MAXFUNIX)
87	@@ -884,6 +904,9 @@
88	}
89	StripDomains = crunch_list(optarg);
90	break;
91	+ case 'u':
92	+ server_user = optarg;
93	+ break;
94	case 'v':
95	printf("syslogd %s.%s\n", VERSION, PATCHLEVEL);
96	exit (0);
97	@@ -1031,6 +1054,11 @@
98	kill (ppid, SIGTERM);
99	#endif
100
101	+ if (server_user && drop_root()) {
102	+ dprintf("syslogd: failed to drop root\n");
103	+ exit(1);
104	+ }
105	+
106	/* Main loop begins here. */
107	for (;;) {
108	int nfds;
109	@@ -1185,7 +1213,7 @@
110	int usage()
111	{
112	fprintf(stderr, "usage: syslogd [-drvh] [-l hostlist] [-m markinterval] [-n] [-p path]\n" \
113	- " [-s domainlist] [-f conffile] [-i IP address]\n");
114	+ " [-s domainlist] [-f conffile] [-i IP address] [-u username]\n");
115	exit(1);
116	}
117