From: Vincent Bernat
Date: Sat, 15 Nov 2008 15:33:15 +0000 (+0100)
Subject: First try to make SNMP agent work with privilege separation
X-Git-Tag: 0.2~20
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a2993d83a99fcaf458d2715f1dee331f16ede787;p=thirdparty%2Flldpd.git

First try to make SNMP agent work with privilege separation
---
diff --git a/src/lldpd.c b/src/lldpd.c
index a235d056..5310c343 100644
--- a/src/lldpd.c
+++ b/src/lldpd.c
@@ -24,6 +24,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
@@ -1347,11 +1348,37 @@ main(int argc, char *argv[])
 }
 log_init(debug);
 
- priv_init(
+
 #ifdef USE_SNMP
- snmp
-#endif
-);
+ if (NETSNMP_AGENTX_SOCKET[0] == '/') {
+ /* AgentX socket is a file, we need to mangle it to be able to chroot */
+ char *caxsocket;
+ char *chrootdir;
+ char *axsocket;
+
+ /* We chroot into the directory containing the socket. At this
+ * point of the program, no config file has been read. If the
+ * socket is not in the default directory, this won't work. */
+ caxsocket = strdup(NETSNMP_AGENTX_SOCKET);
+ chrootdir = strdup(dirname(caxsocket));
+ free(caxsocket);
+ priv_init(chrootdir);
+ free(chrootdir);
+
+ /* We mangle the name of the socket since it is in the current directory */
+ caxsocket = strdup(NETSNMP_AGENTX_SOCKET);
+ axsocket = strdup(basename(caxsocket));
+ free(caxsocket);
+ netsnmp_ds_set_string(NETSNMP_DS_APPLICATION_ID,
+ NETSNMP_DS_AGENT_X_SOCKET,
+ axsocket);
+ free(axsocket);
+ } else
+ /* Let's suppose that we can chroot normally */
+ priv_init(PRIVSEP_CHROOT);
+#else
+ priv_init(PRIVSEP_CHROOT);
+#endif
 
 if (probe == 0)
 probe = LLDPD_TTL;
diff --git a/src/lldpd.h b/src/lldpd.h
index 61614ccd..725cebe7 100644
--- a/src/lldpd.h
+++ b/src/lldpd.h
@@ -328,7 +328,7 @@ void client_handle_shutdown(struct lldpd *, struct hmsg *, struct hmsg *);
 /* priv.c */
-void priv_init();
+void priv_init(char*);
 void priv_fork();
 int priv_ctl_create();
 void priv_ctl_cleanup();
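Review bot: None of the four strdup() results in the new USE_SNMP branch of main() is checked, so an allocation failure hands a NULL pointer to dirname()/basename() and, through priv_init(), to chroot(); and when the socket path sits directly under the root directory, dirname() yields "/" and priv_init() then chroots to "/", which silently leaves the child unjailed. The fatal() helper already used in priv.c is the natural way to stop in both cases; the lines below cover the first strdup pair and the same NULL check belongs on the second pair feeding netsnmp_ds_set_string(). The name of the header added at line 24 is lost on this page, so I can only assume it is the one declaring dirname()/basename(). Bracing the `} else` arm would also keep the comment from sitting between `else` and its statement. main() starts and ends outside the hunk.
```c
		caxsocket = strdup(NETSNMP_AGENTX_SOCKET);
		if (caxsocket == NULL)
			fatal("[priv]: unable to allocate memory for the AgentX socket path");
		chrootdir = strdup(dirname(caxsocket));
		free(caxsocket);
		if (chrootdir == NULL)
			fatal("[priv]: unable to allocate memory for the chroot directory");
		if (strcmp(chrootdir, "/") == 0)
			fatal("[priv]: refusing to chroot to the root directory");
		priv_init(chrootdir);
		free(chrootdir);
		/* … unchanged: basename() mangling of the socket name and netsnmp_ds_set_string() … */
```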
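Review bot: The new prototype `void priv_init(char*);` should take a `const char *`: the only use of the argument in src/priv.c is `chroot(chrootdir)`, which itself takes a `const char *`, and the USE_SNMP-less callers in main() pass PRIVSEP_CHROOT, which looks like a string-literal macro and is accepted by a `char *` parameter only because C permits that lossy conversion. Change the declaration to `void priv_init(const char *chrootdir);` and the definition in the first hunk of src/priv.c to `priv_init(const char *chrootdir)`; naming the parameter in the prototype also tells readers of lldpd.h what the string is for. The same point applies to the first hunk of src/priv.c, so I am not repeating it there.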
diff --git a/src/priv.c b/src/priv.c
index ee858af2..329e1ef0 100644
--- a/src/priv.c
+++ b/src/priv.c
@@ -446,11 +446,7 @@ sig_chld(int sig)
 
 /* Initialization */
 void
-#ifdef USE_SNMP
-priv_init(int snmp)
-#else
-priv_init()
-#endif
+priv_init(char *chrootdir)
 {
 int pair[2];
 struct passwd *user;
@@ -477,7 +473,7 @@ priv_init()
 switch (monitored) {
 case 0:
 /* We are in the children, drop privileges */
- if (chroot(PRIVSEP_CHROOT) == -1)
+ if (chroot(chrootdir) == -1)
 fatal("[priv]: unable to chroot");
 if (chdir("/") != 0)
 fatal("[priv]: unable to chdir");
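Review bot: `chroot(chrootdir)` now locks the child into a directory chosen by the caller (in main() it is derived from NETSNMP_AGENTX_SOCKET) instead of the fixed PRIVSEP_CHROOT, but nothing verifies that the directory is fit to be a jail before the privileges are dropped: a directory that the unprivileged user the child is about to become can write to lets that user rearrange the jail's contents. Before the chroot() call, stat() the path and require a root-owned directory without group or other write permission, as below (needs <sys/stat.h>); the existing `chdir("/")` after the chroot is correct and should stay. I cannot see from the hunk which user the child switches to, so the exact ownership rule may need adjusting to the project's policy. priv_init() continues outside the hunk.
```c
		/* We are in the children, drop privileges */
		struct stat st;
		if (stat(chrootdir, &st) == -1)
			fatal("[priv]: unable to stat chroot directory");
		if (!S_ISDIR(st.st_mode) || st.st_uid != 0 ||
		    (st.st_mode & (S_IWGRP | S_IWOTH)) != 0)
			fatal("[priv]: chroot directory must be a root-owned directory not writable by group/other");
		if (chroot(chrootdir) == -1)
			fatal("[priv]: unable to chroot");
		/* … unchanged: chdir("/") and the rest of the privilege drop … */
```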