[Define to 1 to include DHCPv6 support.])
fi
+# PARANOIA is off by default (until we can test it with all features)
+AC_ARG_ENABLE(paranoia,
+ AC_HELP_STRING([--enable-paranoia],
+ [enable support for chroot/setuid (default is no)]))
+AC_ARG_ENABLE(early_chroot,
+ AC_HELP_STRING([--eanble-early-chroot],
+ [enable chrooting prior to configuration (default is no)]))
+# If someone enables early chroot, but does not enable paranoia, do so for
+# them.
+if test "$enable_paranoia" != "yes" && \
+ test "$enable_early_chroot" = "yes" ; then
+ enable_paranoia="yes"
+fi
+
+if test "$enable_paranoia" = "yes" ; then
+ AC_DEFINE([PARANOIA], [1],
+ [Define to any value to include Ari's PARANOIA patch.])
+fi
+if test "$enable_early_chroot" = "yes" ; then
+ AC_DEFINE([EARLY_CHROOT], [1],
+ [Define to any value to chroot() prior to loading config.])
+fi
+
###
### Path fun. Older versions of DHCP were installed in /usr/sbin, so we
### need to look there and potentially overwrite by default (but not if
#include <sys/time.h>
#include <signal.h>
+#if defined (PARANOIA)
+# include <sys/types.h>
+# include <unistd.h>
+# include <pwd.h>
+/* get around the ISC declaration of group */
+# define group real_group
+# include <grp.h>
+# undef group
+#endif /* PARANOIA */
+
static void usage(void);
struct iaddr server_identifier;
omapi_object_dereference (&listener, MDL);
}
+#if defined (PARANOIA)
+/* to be used in one of two possible scenarios */
+static void setup_chroot (char *chroot_dir) {
+ if (geteuid())
+ log_fatal ("you must be root to use chroot");
+
+ if (chroot(chroot_dir)) {
+ log_fatal ("chroot(\"%s\"): %m", chroot_dir);
+ }
+ if (chdir ("/")) {
+ /* probably permission denied */
+ log_fatal ("chdir(\"/\"): %m");
+ }
+}
+#endif /* PARANOIA */
+
#ifndef UNIT_TEST
int
main(int argc, char **argv) {
char *traceoutfile = (char *)0;
#endif
+#if defined (PARANOIA)
+ char *set_user = 0;
+ char *set_group = 0;
+ char *set_chroot = 0;
+
+ uid_t set_uid = 0;
+ gid_t set_gid = 0;
+#endif /* PARANOIA */
+
/* Make sure that file descriptors 0 (stdin), 1, (stdout), and
2 (stderr) are open. To do this, we assume that when we
open a file the lowest available file descriptor is used. */
if (++i == argc)
usage ();
server = argv [i];
+#if defined (PARANOIA)
+ } else if (!strcmp (argv [i], "-user")) {
+ if (++i == argc)
+ usage ();
+ set_user = argv [i];
+ } else if (!strcmp (argv [i], "-group")) {
+ if (++i == argc)
+ usage ();
+ set_group = argv [i];
+ } else if (!strcmp (argv [i], "-chroot")) {
+ if (++i == argc)
+ usage ();
+ set_chroot = argv [i];
+#endif /* PARANOIA */
} else if (!strcmp (argv [i], "-cf")) {
if (++i == argc)
usage ();
trace_seed_stop, MDL);
#endif
+#if defined (PARANOIA)
+ /* get user and group info if those options were given */
+ if (set_user) {
+ struct passwd *tmp_pwd;
+
+ if (geteuid())
+ log_fatal ("you must be root to set user");
+
+ if (!(tmp_pwd = getpwnam(set_user)))
+ log_fatal ("no such user: %s", set_user);
+
+ set_uid = tmp_pwd->pw_uid;
+
+ /* use the user's group as the default gid */
+ if (!set_group)
+ set_gid = tmp_pwd->pw_gid;
+ }
+
+ if (set_group) {
+/* get around the ISC declaration of group */
+#define group real_group
+ struct group *tmp_grp;
+
+ if (geteuid())
+ log_fatal ("you must be root to set group");
+
+ if (!(tmp_grp = getgrnam(set_group)))
+ log_fatal ("no such group: %s", set_group);
+
+ set_gid = tmp_grp->gr_gid;
+#undef group
+ }
+
+# if defined (EARLY_CHROOT)
+ if (set_chroot) setup_chroot (set_chroot);
+# endif /* EARLY_CHROOT */
+#endif /* PARANOIA */
+
/* Default to the DHCP/BOOTP port. */
if (!local_port)
{
log_fatal ("Configuration file errors encountered -- exiting");
postconf_initialization (quiet);
+
+#if defined (PARANOIA) && !defined (EARLY_CHROOT)
+ if (set_chroot) setup_chroot (set_chroot);
+#endif /* PARANOIA && !EARLY_CHROOT */
/* test option should cause an early exit */
if (cftest && !lftest)
else if (pid)
exit (0);
}
+
+#if defined (PARANOIA)
+ /* change uid to the specified one */
+
+ if (set_gid) {
+ if (setgroups (0, (void *)0))
+ log_fatal ("setgroups: %m");
+ if (setgid (set_gid))
+ log_fatal ("setgid(%d): %m", (int) set_gid);
+ }
+
+ if (set_uid) {
+ if (setuid (set_uid))
+ log_fatal ("setuid(%d): %m", (int) set_uid);
+ }
+#endif /* PARANOIA */
/* Read previous pid file. */
if ((i = open (path_dhcpd_pid, O_RDONLY)) >= 0) {
#else /* !DHCPv6 */
" [-cf config-file] [-lf lease-file]\n"
#endif /* DHCPv6 */
+#if defined (PARANOIA)
+ /* meld into the following string */
+ " [-user user] [-group group] [-chroot dir]\n"
+#endif /* PARANOIA */
#if defined (TRACING)
" [-tf trace-output-file]\n"
" [-play trace-input-file]\n"
projects / thirdparty / dhcp.git / commitdiff
