First try to make SNMP agent work with privilege separation
authorVincent Bernat <bernat@luffy.cx>
Sat, 15 Nov 2008 15:33:15 +0000 (16:33 +0100)
committerVincent Bernat <bernat@luffy.cx>
Sat, 15 Nov 2008 15:33:15 +0000 (16:33 +0100)
src/lldpd.c
src/lldpd.h
src/priv.c

index a235d0566e8aac9984c9b44f2093738b4f30a8aa..5310c343bb8a49b85c2582b98e578473fe5a69b4 100644 (file)
@@ -24,6 +24,7 @@
 #include <fcntl.h>
 #include <fnmatch.h>
 #include <time.h>
+#include <libgen.h>
 #include <sys/utsname.h>
 #include <sys/types.h>
 #include <sys/socket.h>
@@ -1347,11 +1348,37 @@ main(int argc, char *argv[])
        }
 
        log_init(debug);
-       priv_init(
+
 #ifdef USE_SNMP
-               snmp
-#endif
-);
+       if (NETSNMP_AGENTX_SOCKET[0] == '/') {
+               /* AgentX socket is a file, we need to mangle it to be able to chroot */
+               char *caxsocket;
+               char *chrootdir;
+               char *axsocket;
+
+               /* We chroot into the directory containing the socket. At this
+                * point of the program, no config file has been read. If the
+                * socket is not in the default directory, this won't work. */
+               caxsocket = strdup(NETSNMP_AGENTX_SOCKET);
+               chrootdir = strdup(dirname(caxsocket));
+               free(caxsocket);
+               priv_init(chrootdir);
+               free(chrootdir);
+
+               /* We mangle the name of the socket since it is in the current directory */
+               caxsocket = strdup(NETSNMP_AGENTX_SOCKET);
+               axsocket = strdup(basename(caxsocket));
+               free(caxsocket);
+               netsnmp_ds_set_string(NETSNMP_DS_APPLICATION_ID,
+                   NETSNMP_DS_AGENT_X_SOCKET,
+                   axsocket);
+               free(axsocket);
+       } else
+               /* Let's suppose that we can chroot normally */
+               priv_init(PRIVSEP_CHROOT);
+#else
+       priv_init(PRIVSEP_CHROOT);
+#endif 
 
        if (probe == 0) probe = LLDPD_TTL;
 
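Review bot: The strdup() results in the new USE_SNMP branch are never checked, and on the first failure `dirname(NULL)` returns "." per POSIX, so priv_init() would chroot the child into the daemon's current working directory instead of the socket's directory; chroot() fails safely for a NULL or empty string, but not for ".". Check each allocation and abort, e.g. `if (caxsocket == NULL || (chrootdir = strdup(dirname(caxsocket))) == NULL) fatal("[priv]: out of memory");`, and likewise for the basename() pair. Separately, the jail is now whichever directory holds the AgentX socket rather than the fixed PRIVSEP_CHROOT; that directory is presumably owned by the snmpd account, so it is worth confirming it is root-owned and not group/world-writable before trusting it as a chroot target. Freeing axsocket right after netsnmp_ds_set_string() relies on the default store copying the string, which net-snmp does; a short comment such as `/* default store keeps its own copy */` would save the next reader from checking.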
index 61614ccd7f89956aa4d8024d81cc1640a4d6c18e..725cebe7ed332b2473a36267edeacaf500ddf95f 100644 (file)
@@ -328,7 +328,7 @@ void         client_handle_shutdown(struct lldpd *, struct hmsg *,
            struct hmsg *);
 
 /* priv.c */
-void    priv_init();
+void    priv_init(char*);
 void    priv_fork();
 int     priv_ctl_create();
 void    priv_ctl_cleanup();
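Review bot: `priv_init(char*)` should be declared `void priv_init(const char *chrootdir);`, since the definition only hands the argument to chroot() and main() now calls it with both the string literal PRIVSEP_CHROOT and a freshly allocated buffer; the same change applies to the definition `priv_init(char *chrootdir)` in src/priv.c. Keeping the parameter name in the prototype also documents what the string is, which `char*` alone does not.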
index ee858af21be5233fc99f75c2878e5072250e139e..329e1ef02cea8836976cdb3f290ad9327b39f8ba 100644 (file)
@@ -446,11 +446,7 @@ sig_chld(int sig)
 
 /* Initialization */
 void
-#ifdef USE_SNMP
-priv_init(int snmp)
-#else
-priv_init()
-#endif
+priv_init(char *chrootdir)
 {
        int pair[2];
        struct passwd *user;
@@ -477,7 +473,7 @@ priv_init()
        switch (monitored) {
        case 0:
                /* We are in the children, drop privileges */
-               if (chroot(PRIVSEP_CHROOT) == -1)
+               if (chroot(chrootdir) == -1)
                        fatal("[priv]: unable to chroot");
                if (chdir("/") != 0)
                        fatal("[priv]: unable to chdir");
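Review bot: chroot(chrootdir) is now called with a caller-supplied path but nothing in priv_init() validates it; a relative path (for instance the "." a failed dirname() upstream can yield) would make the jail the daemon's working directory rather than a fixed location. Reject anything that is not an absolute path at the top of priv_init(), `if (chrootdir == NULL || chrootdir[0] != '/') fatal("[priv]: chroot directory must be an absolute path");`. It would also be worth stat()ing the directory and refusing one that is not root-owned or is group/world-writable, as other privilege-separated daemons such as OpenSSH do before chrooting. priv_init() begins in the previous hunk and its switch continues past this one.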