#ifdef FEAT_PRIVDROP
#include <sys/prctl.h>
#include <sys/capability.h>
-#include <grp.h>
#endif
#ifdef FEAT_SCFILTER
#include "sys_timex.h"
#include "conf.h"
#include "logging.h"
+#include "util.h"
/* Frequency scale to convert from ppm to the timex freq */
#define FREQ_SCALE (double)(1 << 16)
LOG_FATAL(LOGF_SysLinux, "prctl() failed");
}
- if (setgroups(0, NULL)) {
- LOG_FATAL(LOGF_SysLinux, "setgroups() failed");
- }
-
- if (setgid(gid)) {
- LOG_FATAL(LOGF_SysLinux, "setgid(%d) failed", gid);
- }
-
- if (setuid(uid)) {
- LOG_FATAL(LOGF_SysLinux, "setuid(%d) failed", uid);
- }
+ UTI_DropRoot(uid, gid);
if ((cap = cap_from_text("cap_net_bind_service,cap_sys_time=ep")) == NULL) {
LOG_FATAL(LOGF_SysLinux, "cap_from_text() failed");
}
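Review bot: The "Dropped root privileges" debug message is now emitted inside `UTI_DropRoot(uid, gid)`, before the capability set is narrowed, whereas the removed `DEBUG_LOG` ran after `cap_free(cap)`. The call follows the `prctl()` step, which presumably enables keep-capabilities (its arguments are outside the hunk), so the process may still hold a broad permitted set when that message is logged. I would add a comment at the call site such as `/* Only UID/GID are dropped here; the capability set is reduced below */` so neither the code nor the log line is read as the end of the privilege drop. The enclosing function starts outside the hunk.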
cap_free(cap);
-
- DEBUG_LOG(LOGF_SysLinux, "Root dropped to uid %d gid %d", uid, gid);
}
#endif
{
PRV_StartHelper();
- if (setgroups(0, NULL))
- LOG_FATAL(LOGF_SysMacOSX, "setgroups() failed : %s", strerror(errno));
-
- if (setgid(gid))
- LOG_FATAL(LOGF_SysMacOSX, "setgid(%d) failed : %s", gid, strerror(errno));
-
- if (setuid(uid))
- LOG_FATAL(LOGF_SysMacOSX, "setuid(%d) failed : %s", uid, strerror(errno));
-
- DEBUG_LOG(LOGF_SysMacOSX, "Root dropped to uid %d gid %d", uid, gid);
+ UTI_DropRoot(uid, gid);
}
#endif
PRV_StartHelper();
- if (setgroups(0, NULL))
- LOG_FATAL(LOGF_SysNetBSD, "setgroups() failed : %s", strerror(errno));
-
- if (setgid(gid))
- LOG_FATAL(LOGF_SysNetBSD, "setgid(%d) failed : %s", gid, strerror(errno));
-
- if (setuid(uid))
- LOG_FATAL(LOGF_SysNetBSD, "setuid(%d) failed : %s", uid, strerror(errno));
-
- DEBUG_LOG(LOGF_SysNetBSD, "Root dropped to uid %d gid %d", uid, gid);
+ UTI_DropRoot(uid, gid);
/* Check if we have write access to /dev/clockctl */
fd = open("/dev/clockctl", O_WRONLY);
#include <fcntl.h>
#include <float.h>
#include <glob.h>
+#include <grp.h>
#include <math.h>
#include <netdb.h>
#include <netinet/in.h>
/* ================================================== */
+void
+UTI_DropRoot(uid_t uid, gid_t gid)
+{
+ /* Drop supplementary groups */
+ if (setgroups(0, NULL))
+ LOG_FATAL(LOGF_Util, "setgroups() failed : %s", strerror(errno));
+
+ /* Set effective, saved and real group ID */
+ if (setgid(gid))
+ LOG_FATAL(LOGF_Util, "setgid(%d) failed : %s", gid, strerror(errno));
+
+ /* Set effective, saved and real user ID */
+ if (setuid(uid))
+ LOG_FATAL(LOGF_Util, "setuid(%d) failed : %s", uid, strerror(errno));
+
+ DEBUG_LOG(LOGF_Util, "Dropped root privileges: UID %d GID %d", uid, gid);
+}
+
+/* ================================================== */
+
#define DEV_URANDOM "/dev/urandom"
void
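Review bot: `UTI_DropRoot` relies on the zero return of `setgid()`/`setuid()` and never confirms the resulting IDs. The comments say the real, effective and saved IDs are all set, but that holds only when the caller is still privileged, which the function does not check. A cheap post-condition before the `DEBUG_LOG` would make it fail closed: `if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid)` followed by `LOG_FATAL(LOGF_Util, "Could not drop privileges");`. Separately, `uid_t`/`gid_t` values are passed to `%d`; these types are unsigned on common platforms, so an explicit cast such as `(int)uid` would keep the format string and argument types matched.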
permissions and its uid/gid must match the specified values. */
extern int UTI_CheckDirPermissions(const char *path, mode_t perm, uid_t uid, gid_t gid);
+/* Set process user/group IDs and drop supplementary groups */
+extern void UTI_DropRoot(uid_t uid, gid_t gid);
+
/* Fill buffer with random bytes */
extern void UTI_GetRandomBytes(void *buf, unsigned int len);
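Review bot: The comment on the `UTI_DropRoot` declaration does not tell callers how failure is handled: the function returns `void` and every error path in the definition goes through `LOG_FATAL`. Assuming `LOG_FATAL` terminates the process as its name suggests, I would extend the comment to `/* Set process user/group IDs and drop supplementary groups. Must be called while still privileged; any failure is fatal. */`. That documents the precondition for the three platform callers and stops anyone adding a call on a path that expects to recover from a failed drop.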