[OpenWrt-Devel] [PATCH][RESEND] lldpd: add option to disable priviledge separation
Alexandru Ardelean
ardeleanalex at gmail.com
Mon Mar 23 11:40:35 EDT 2015
On Mon, Mar 23, 2015 at 5:28 PM, Stijn Tintel <stijn at linux-ipv6.be> wrote:
> On 23-03-15 12:31, Alexandru Ardelean wrote:
> > Helpful to disable when debugging lldpd crashes (when working on it).
> > When priviledge separation is on, some crashes are stack-traced to
> > some priviledge separation code.
> Nitpicking, but the correct spelling is "privilege".
> > Signed-off-by: Alexandru Ardelean <ardeleanalex at gmail.com>
> > ---
> > package/network/services/lldpd/Config.in | 5 ++
> > package/network/services/lldpd/Makefile | 2 +
> > ...lookup-for-_lldpd-when-privsep-is-disable.patch | 73
> ++++++++++++++++++++++
> > 3 files changed, 80 insertions(+)
> > create mode 100644
> package/network/services/lldpd/patches/001-priv-don-t-lookup-for-_lldpd-when-privsep-is-disable.patch
> >
> > diff --git a/package/network/services/lldpd/Config.in
> b/package/network/services/lldpd/Config.in
> > index a416490..4a8b5e7d 100644
> > --- a/package/network/services/lldpd/Config.in
> > +++ b/package/network/services/lldpd/Config.in
> > @@ -1,6 +1,11 @@
> > menu "Configuration"
> > depends on PACKAGE_lldpd
> >
> > +config LLDPD_WITH_PRIVSEP
> > + bool
> > + default y
> > + prompt "Enable priviledge separation (run lldpd with a chrooted
> 'lldpd' user)"
> Id.
> > +
> > config LLDPD_WITH_CDP
> > bool
> > default y
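Review bot: the prompt describes a chrooted 'lldpd' user, but the Makefile hunk configures `--with-privsep-user=lldp` and `--with-privsep-group=lldp`; use the same name in both places. The new option also has no `help` block: since turning it off makes the upstream code skip the privsep user lookup and call `priv_init()` with uid/gid 0, the help text should state that the daemon then keeps root and that the option exists for debugging crashes, so it is not switched off in a production build by accident. And, as already noted, "priviledge" in the prompt should read "privilege".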
> > diff --git a/package/network/services/lldpd/Makefile
> b/package/network/services/lldpd/Makefile
> > index ff367f1..d80840e 100644
> > --- a/package/network/services/lldpd/Makefile
> > +++ b/package/network/services/lldpd/Makefile
> > @@ -85,9 +85,11 @@ define Package/lldpd/conffiles
> > endef
> >
> > CONFIGURE_ARGS += \
> > + $(if $(CONFIG_LLDPD_WITH_PRIVSEP), \
> > --with-privsep-user=lldp \
> > --with-privsep-group=lldp \
> > --with-privsep-chroot=/var/run/lldp \
> > + ,--disable-privsep) \
> > --with-readline=no \
> > --with-embedded-libevent=no \
> > $(if $(CONFIG_LLDPD_WITH_CDP),,--disable-cdp) \
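Review bot: the else branch of the `$(if ...)` is written as `,--disable-privsep) \` at the start of a continuation line, which is legal make (the backslash-newlines collapse to single spaces, and only the condition argument is whitespace-trimmed) but reads like a stray comma. Consider collecting the three `--with-privsep-*` options in a variable and writing `$(if $(CONFIG_LLDPD_WITH_PRIVSEP),$(PRIVSEP_ARGS),--disable-privsep) \` on one line. It is also worth checking that anything else in this Makefile tied to privsep (user/group setup, the `/var/run/lldp` chroot directory) is not still done unconditionally when the option is off.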
> > diff --git
> a/package/network/services/lldpd/patches/001-priv-don-t-lookup-for-_lldpd-when-privsep-is-disable.patch
> b/package/network/services/lldpd/patches/001-priv-don-t-lookup-for-_lldpd-when-privsep-is-disable.patch
> > new file mode 100644
> > index 0000000..907c21b
> > --- /dev/null
> > +++
> b/package/network/services/lldpd/patches/001-priv-don-t-lookup-for-_lldpd-when-privsep-is-disable.patch
> > @@ -0,0 +1,73 @@
> > +From 28bf40220840c277d70ed66f6d58729ebb975de8 Mon Sep 17 00:00:00 2001
> > +From: Vincent Bernat <vincent at bernat.im>
> > +Date: Thu, 12 Feb 2015 08:07:43 +0100
> > +Subject: [PATCH] priv: don't lookup for _lldpd when privsep is disabled
> > +
> > +Closes #95
> > +---
> > + src/daemon/lldpd.c | 10 ++++++++++
> > + 1 file changed, 10 insertions(+)
> > +
> > +diff --git a/src/daemon/lldpd.c b/src/daemon/lldpd.c
> > +index f868fc7..6a3a160 100644
> > +--- a/src/daemon/lldpd.c
> > ++++ b/src/daemon/lldpd.c
> > +@@ -1335,11 +1335,13 @@ lldpd_main(int argc, char *argv[], char *envp[])
> > + int receiveonly = 0;
> > + int ctl;
> > +
> > ++#ifdef ENABLE_PRIVSEP
> > + /* Non privileged user */
> > + struct passwd *user;
> > + struct group *group;
> > + uid_t uid;
> > + gid_t gid;
> > ++#endif
> > +
> > + saved_argv = argv;
> > +
> > +@@ -1493,12 +1495,14 @@ lldpd_main(int argc, char *argv[], char *envp[])
> > + log_debug("main", "lldpd starting...");
> > +
> > + /* Grab uid and gid to use for priv sep */
> > ++#ifdef ENABLE_PRIVSEP
> > + if ((user = getpwnam(PRIVSEP_USER)) == NULL)
> > + fatal("main", "no " PRIVSEP_USER " user for privilege
> separation");
> > + uid = user->pw_uid;
> > + if ((group = getgrnam(PRIVSEP_GROUP)) == NULL)
> > + fatal("main", "no " PRIVSEP_GROUP " group for privilege
> separation");
> > + gid = group->gr_gid;
> > ++#endif
> > +
> > + /* Create and setup socket */
> > + int retry = 1;
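Review bot: the comment `/* Grab uid and gid to use for priv sep */` is left outside the new `#ifdef ENABLE_PRIVSEP`, so in a non-privsep build it documents code that is compiled out; move it inside the guard next to the `getpwnam()` call. The guard itself matches the declarations hunk above, so `uid` and `gid` are only referenced where they are defined.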
> > +@@ -1526,12 +1530,14 @@ lldpd_main(int argc, char *argv[], char *envp[])
> > + log_warn("main", "unable to create control socket");
> > + fatalx("giving up");
> > + }
> > ++#ifdef ENABLE_PRIVSEP
> > + if (chown(ctlname, uid, gid) == -1)
> > + log_warn("main", "unable to chown control socket");
> > + if (chmod(ctlname,
> > + S_IRUSR | S_IWUSR | S_IXUSR |
> > + S_IRGRP | S_IWGRP | S_IXGRP) == -1)
> > + log_warn("main", "unable to chmod control socket");
> > ++#endif
> > +
> > + /* Disable SIGPIPE */
> > + signal(SIGPIPE, SIG_IGN);
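Review bot: in a non-privsep build the control socket is created and then left with the mode the umask produced, because the `chmod()` is skipped together with the `chown()`. Only the `chown()` depends on the privsep uid/gid; keep the `chmod()` outside the `#ifdef` (or set an owner-only mode in an `#else` branch) so the socket of a daemon that now runs as root gets an explicit mode rather than an umask-dependent one, as the privsep build does.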
> > +@@ -1576,7 +1582,11 @@ lldpd_main(int argc, char *argv[], char *envp[])
> > + }
> > +
> > + log_debug("main", "initialize privilege separation");
> > ++#ifdef ENABLE_PRIVSEP
> > + priv_init(PRIVSEP_CHROOT, ctl, uid, gid);
> > ++#else
> > ++ priv_init(PRIVSEP_CHROOT, ctl, 0, 0);
> > ++#endif
> > +
> > + /* Initialization of global configuration */
> > + if ((cfg = (struct lldpd *)
> > +--
> > +2.1.2
> > +
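Review bot: `priv_init(PRIVSEP_CHROOT, ctl, 0, 0)` keeps the daemon at uid/gid 0, so the `log_debug("main", "initialize privilege separation")` message right above it now describes something that does not happen in a non-privsep build; move the message inside the `#ifdef` or log the non-privsep case explicitly so the mode the daemon runs in is visible in the debug output. Minor: the patch file name ends in `privsep-is-disable.patch` while the carried subject says "disabled".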
> Kind regards,
> Stijn
> _______________________________________________
> openwrt-devel mailing list
> openwrt-devel at lists.openwrt.org
> https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
>
Will re-send.
Thanks