create an empty directory "/var/run/lldpd" (it needs to be owned by
root, not "_lldpd"!).
-lldpctl allows to query information collected through the command line.
+lldpctl allows to query information collected through the command
+line. If you don't want to run it as root, just install it setuid or
+setgid _lldpd.
lldpd also implements CDP (Cisco Discovery Protocol), FDP (Foundry
Discovery Protocol), SONMP (Nortel Discovery Protocol) and EDP
--no-create-home --quiet --force-badname --group _lldpd
[ -d /var/run/lldpd ] || mkdir -p /var/run/lldpd
+for i in /usr/sbin/lldpctl; do
+ if ! dpkg-statoverride --list $i > /dev/null 2>&1; then
+ dpkg-statoverride --update --add _lldpd _lldpd 4750 $i
+ fi
+done
+
#DEBHELPER#
exit 0
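Review bot: The override `_lldpd _lldpd 4750` makes the binary executable only by the `_lldpd` user and group, and the priv.c hunk on this page already gives that group read/write access to the control socket, so the setuid bit appears to grant nothing that group membership does not. It also leaves a file in /usr/sbin owned, and therefore writable, by the daemon's service account. Unless something outside this hunk needs the effective uid, `dpkg-statoverride --update --add root _lldpd 0750 "$i"` would give the same access with no setuid binary, assuming the socket's directory is traversable by that group. Quoting `"$i"` in both calls is also worth doing.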
int monitored = -1; /* Child */
int sock = -1;
+/* UID/GID of unprivileged user */
+gid_t gid = 0;
+uid_t uid = 0;
+
/* Proxies */
void
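Review bot: The new file-scope `uid` and `gid` start out as 0, which is root, while the comment describes them as the unprivileged user's ids. The comment should say when they become valid, for example `/* UID/GID of the unprivileged user; 0 (root) until looked up during setup */`. The assignment is not visible in this hunk. It presumably happens in the function whose local `uid`/`gid` declarations are removed further down, so it is worth confirming that no request handler can run before it. The very generic names with external linkage are also easy to shadow by accident, and a prefix (or `static`, if no other file uses them) would make that harder.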
must_write(remote, &rc, sizeof(int));
return;
}
+ if (chown(LLDPD_CTL_SOCKET, uid, gid) == -1)
+ LLOG_WARN("[priv]: unable to chown control socket");
+ if (chmod(LLDPD_CTL_SOCKET,
+ S_IRUSR | S_IWUSR | S_IXUSR |
+ S_IRGRP | S_IWGRP | S_IXGRP) == -1)
+ LLOG_WARN("[priv]: unable to chmod control socket");
must_write(remote, &rc, sizeof(int));
send_fd(remote, rc);
close(rc);
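Review bot: A failed `chmod` on the control socket is only logged, and the descriptor is still passed back with whatever mode the socket was created under. That mode is the access control for the control interface, so I would treat the failure like the error branch just above: close the descriptor and report `rc = -1` rather than continuing. The socket is created outside this hunk, so there also looks to be a window between creation and this `chmod` in which the umask-derived mode applies. A restrictive umask around the creation call would close that window. The execute bits have no effect on a socket, so `S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP` states the intent more clearly. The enclosing function starts and ends outside the hunk.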
addr->sun_path[sizeof(addr->sun_path)-1] = '\0';
if ((sock = socket(PF_UNIX, SOCK_STREAM, 0)) < 0) {
- LLOG_WARN("cannot open socket");
+ LLOG_WARN("[priv]: cannot open socket");
must_write(remote, &sock, sizeof(int));
return;
}
if ((rc = connect(sock, (struct sockaddr *) addr,
sizeof(struct sockaddr_un))) != 0) {
- LLOG_WARN("cannot connect to %s", addr->sun_path);
+ LLOG_WARN("[priv]: cannot connect to %s", addr->sun_path);
close(sock);
rc = -1;
must_write(remote, &rc, sizeof(int));
{
int pair[2];
struct passwd *user;
- uid_t uid;
struct group *group;
- gid_t gid;
gid_t gidset[1];
/* Create socket pair */