From 7ba980f0f6cc645fdf8763f1a4a6597dfcf3c7c0 Mon Sep 17 00:00:00 2001
From: Kurt Zeilenga <kurt@openldap.org>
Date: Wed, 21 Apr 1999 00:40:20 +0000
Subject: [PATCH] Modify slapd set user/group support to use -u/-g instead
 -U/-G. Moved -u (udp) to -c (connectionless).  Connectionless is deprecated
 and undocumented. Added tests for set{,e}{u,g}id to configure.  Use existence
 of setuid/setgid to enable feature.  Use seteuid/setegid only if they exist.
 Fixed minor minor leak of username/groupname if specified more than once. 
 (This should actually be an error)

---
 INSTALL               | 12 ++++++------
 configure             | 39 ++++++++++++++++++++++-----------------
 configure.in          |  9 +++++++--
 doc/man/man8/slapd.8  |  8 ++++----
 include/portable.h.in | 15 +++++++++++++++
 servers/slapd/main.c  | 33 ++++++++++++++++++++-------------
 servers/slapd/user.c  | 13 +++++++++++--
 7 files changed, 85 insertions(+), 44 deletions(-)

diff --git a/INSTALL b/INSTALL
index 3e3fbca00f..752ced0b3b 100644
--- a/INSTALL
+++ b/INSTALL
@@ -47,12 +47,7 @@ these steps:
 	See the 'USING ENVIRONMENT VARIABLES' section for information
 	on how to use the variables. 
 
- 3. edit the file include/ldapconfig.h.edit to configure
-    the software for your site (the files are well-commented):
-
-	% vi include/ldapconfig.h.edit
-
- 4. Configure the build system
+ 3. Configure the build system
 
 	% [env settings] ./configure [options]
 
@@ -60,6 +55,11 @@ these steps:
 	appropriate settings.  Use configure enable/with options and/or
 	environment variables to obtain desired results.
 
+ 4. Review the file include/ldapconfig.h.edit.
+	You generally do not need to modify this file.  
+
+	% vi include/ldapconfig.h.edit
+
  5. Build dependencies
 
 	% make depend
diff --git a/configure b/configure
index 78e4202e26..c777719043 100755
--- a/configure
+++ b/configure
@@ -10808,12 +10808,13 @@ for ac_func in \
 	endgrent		\
 	endpwent		\
 	flock			\
-	getdtablesize		\
+	getdtablesize	\
 	getgrgid		\
 	gethostname		\
 	getpass			\
 	getpwuid		\
-	gettimeofday		\
+	gettimeofday	\
+	initgroups		\
 	lockf			\
 	memcpy			\
 	memmove			\
@@ -10821,7 +10822,11 @@ for ac_func in \
 	recv			\
 	recvfrom		\
 	setpwfile		\
+	setgid			\
+	setegid			\
 	setsid			\
+	setuid			\
+	seteuid			\
 	signal			\
 	sigset			\
 	snprintf		\
@@ -10840,12 +10845,12 @@ for ac_func in \
 
 do
 echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
-echo "configure:10844: checking for $ac_func" >&5
+echo "configure:10849: checking for $ac_func" >&5
 if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
   cat > conftest.$ac_ext <<EOF
-#line 10849 "configure"
+#line 10854 "configure"
 #include "confdefs.h"
 /* System header to define __stub macros and hopefully few prototypes,
     which can conflict with char $ac_func(); below.  */
@@ -10868,7 +10873,7 @@ $ac_func();
 
 ; return 0; }
 EOF
-if { (eval echo configure:10872: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:10877: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
   rm -rf conftest*
   eval "ac_cv_func_$ac_func=yes"
 else
@@ -10896,12 +10901,12 @@ done
 for ac_func in getopt tempnam
 do
 echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
-echo "configure:10900: checking for $ac_func" >&5
+echo "configure:10905: checking for $ac_func" >&5
 if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
   cat > conftest.$ac_ext <<EOF
-#line 10905 "configure"
+#line 10910 "configure"
 #include "confdefs.h"
 /* System header to define __stub macros and hopefully few prototypes,
     which can conflict with char $ac_func(); below.  */
@@ -10924,7 +10929,7 @@ $ac_func();
 
 ; return 0; }
 EOF
-if { (eval echo configure:10928: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:10933: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
   rm -rf conftest*
   eval "ac_cv_func_$ac_func=yes"
 else
@@ -10954,13 +10959,13 @@ done
 # Check Configuration
 
 echo $ac_n "checking declaration of sys_errlist""... $ac_c" 1>&6
-echo "configure:10958: checking declaration of sys_errlist" >&5
+echo "configure:10963: checking declaration of sys_errlist" >&5
 if eval "test \"`echo '$''{'ol_cv_dcl_sys_errlist'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
   
 	cat > conftest.$ac_ext <<EOF
-#line 10964 "configure"
+#line 10969 "configure"
 #include "confdefs.h"
 
 #include <stdio.h>
@@ -10970,7 +10975,7 @@ int main() {
 char *c = (char *) *sys_errlist
 ; return 0; }
 EOF
-if { (eval echo configure:10974: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+if { (eval echo configure:10979: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
   rm -rf conftest*
   ol_cv_dcl_sys_errlist=yes
 else
@@ -10990,20 +10995,20 @@ if test $ol_cv_dcl_sys_errlist = no ; then
 EOF
 
 	echo $ac_n "checking existence of sys_errlist""... $ac_c" 1>&6
-echo "configure:10994: checking existence of sys_errlist" >&5
+echo "configure:10999: checking existence of sys_errlist" >&5
 	if eval "test \"`echo '$''{'ol_cv_have_sys_errlist'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
   
 		cat > conftest.$ac_ext <<EOF
-#line 11000 "configure"
+#line 11005 "configure"
 #include "confdefs.h"
 #include <errno.h>
 int main() {
 char *c = (char *) *sys_errlist
 ; return 0; }
 EOF
-if { (eval echo configure:11007: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:11012: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
   rm -rf conftest*
   ol_cv_have_sys_errlist=yes
 else
@@ -11027,13 +11032,13 @@ fi
 
 
 echo $ac_n "checking strdup declaration""... $ac_c" 1>&6
-echo "configure:11031: checking strdup declaration" >&5
+echo "configure:11036: checking strdup declaration" >&5
 if eval "test \"`echo '$''{'ol_cv_dcl_strdup'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
   
 	cat > conftest.$ac_ext <<EOF
-#line 11037 "configure"
+#line 11042 "configure"
 #include "confdefs.h"
 
 #include <string.h> 
@@ -11041,7 +11046,7 @@ int main() {
 extern char *strdup();
 ; return 0; }
 EOF
-if { (eval echo configure:11045: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+if { (eval echo configure:11050: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
   rm -rf conftest*
   ol_cv_dcl_strdup=yes
 else
diff --git a/configure.in b/configure.in
index d5f1489c27..8bbe32b472 100644
--- a/configure.in
+++ b/configure.in
@@ -1541,12 +1541,13 @@ AC_CHECK_FUNCS(		\
 	endgrent		\
 	endpwent		\
 	flock			\
-	getdtablesize		\
+	getdtablesize	\
 	getgrgid		\
 	gethostname		\
 	getpass			\
 	getpwuid		\
-	gettimeofday		\
+	gettimeofday	\
+	initgroups		\
 	lockf			\
 	memcpy			\
 	memmove			\
@@ -1554,7 +1555,11 @@ AC_CHECK_FUNCS(		\
 	recv			\
 	recvfrom		\
 	setpwfile		\
+	setgid			\
+	setegid			\
 	setsid			\
+	setuid			\
+	seteuid			\
 	signal			\
 	sigset			\
 	snprintf		\
diff --git a/doc/man/man8/slapd.8 b/doc/man/man8/slapd.8
index f1b89126a9..e8caad5874 100644
--- a/doc/man/man8/slapd.8
+++ b/doc/man/man8/slapd.8
@@ -5,7 +5,7 @@ slapd \- Stand-alone LDAP Daemon
 .B LIBEXECDIR/slapd [\-d debug\-level]
 .B [\-f slapd\-config\-file] [\-a address] [\-p port\-number]
 .B [\-s syslog\-level] [\-l syslog\-local\-user] [\-i]
-.B [\-U user] [\-G group]
+.B [\-u user] [\-g group]
 .B 
 .SH DESCRIPTION
 .LP
@@ -99,14 +99,14 @@ Internet standard '.' format.
 will listen on the default LDAP port (389) unless this option is given
 to override the default.  A numeric port number is expected.
 .TP
-.BI \-U " user"
+.BI \-u " user"
 .B slapd
 will run slapd with the specified user name or id, and that user's
 supplementary group access list as set with initgroups(3).  The group ID
-is also changed to this user's gid, unless the -G option is used to
+is also changed to this user's gid, unless the -g option is used to
 override.
 .TP
-.BI \-G " group"
+.BI \-g " group"
 .B slapd
 will run with the specified group name or id.
 .TP
diff --git a/include/portable.h.in b/include/portable.h.in
index 41703cdc0e..a7fa967975 100644
--- a/include/portable.h.in
+++ b/include/portable.h.in
@@ -261,6 +261,9 @@
 /* Define if you have the gettimeofday function.  */
 #undef HAVE_GETTIMEOFDAY
 
+/* Define if you have the initgroups function.  */
+#undef HAVE_INITGROUPS
+
 /* Define if you have the lockf function.  */
 #undef HAVE_LOCKF
 
@@ -297,12 +300,24 @@
 /* Define if you have the sched_yield function.  */
 #undef HAVE_SCHED_YIELD
 
+/* Define if you have the setegid function.  */
+#undef HAVE_SETEGID
+
+/* Define if you have the seteuid function.  */
+#undef HAVE_SETEUID
+
+/* Define if you have the setgid function.  */
+#undef HAVE_SETGID
+
 /* Define if you have the setpwfile function.  */
 #undef HAVE_SETPWFILE
 
 /* Define if you have the setsid function.  */
 #undef HAVE_SETSID
 
+/* Define if you have the setuid function.  */
+#undef HAVE_SETUID
+
 /* Define if you have the signal function.  */
 #undef HAVE_SIGNAL
 
diff --git a/servers/slapd/main.c b/servers/slapd/main.c
index ee78c5d444..41b794936a 100644
--- a/servers/slapd/main.c
+++ b/servers/slapd/main.c
@@ -57,15 +57,18 @@ static void
 usage( char *name )
 {
 	fprintf( stderr, "usage: %s [-d ?|debuglevel] [-f configfile] [-p portnumber] [-s sysloglevel]", name );
-    fprintf( stderr, "\n        [-a bind-address] [-i] [-u]" );
+    fprintf( stderr, "\n        [-a bind-address] [-i]" );
+#if LDAP_CONNECTIONLESS
+	fprintf( stderr, " [-c]" );
+#endif
 #ifdef SLAPD_BDB2
     fprintf( stderr, " [-t]" );
 #endif
 #ifdef LOG_LOCAL4
     fprintf( stderr, " [-l sysloguser]" );
 #endif
-#if defined(HAVE_PWD_H) && defined(HAVE_GRP_H)
-    fprintf( stderr, " [-U user] [-G group]" );
+#if defined(HAVE_SETUID) && defined(HAVE_SETGID)
+    fprintf( stderr, " [-u user] [-g group]" );
 #endif
     fprintf( stderr, "\n" );
 }
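Review bot: The new `#if LDAP_CONNECTIONLESS` around the `[-c]` line in usage() tests the macro's value, while the option handler later in this file wraps `case 'c'` in `#ifdef LDAP_CONNECTIONLESS`, which tests only whether it is defined. A build that defines the macro with an empty value turns this `#if` into a preprocessor error, and a build that defines it as 0 hides `-c` from the usage text while the switch still handles it. Use `#ifdef LDAP_CONNECTIONLESS` here so both sites agree.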
@@ -84,7 +87,7 @@ main( int argc, char **argv )
 #ifdef LOG_LOCAL4
     int     syslogUser = DEFAULT_SYSLOG_USER;
 #endif
-#if defined(HAVE_PWD_H) && defined(HAVE_GRP_H)
+#if defined(HAVE_SETUID) && defined(HAVE_SETGID)
 	char		*username = NULL, *groupname = NULL;
 #endif
 	char		*configfile;
@@ -102,15 +105,15 @@ main( int argc, char **argv )
 	g_argv = argv;
 
 	while ( (i = getopt( argc, argv,
-			     "d:f:ia:p:s:u"
+			     "d:f:ia:p:s:c"
 #ifdef LOG_LOCAL4
 			     "l:"
 #endif
 #ifdef SLAPD_BDB2
 			     "t"
 #endif
-#if defined(HAVE_PWD_H) && defined(HAVE_GRP_H)
-			     "U:G:"
+#if defined(HAVE_SETUID) && defined(HAVE_SETGID)
+			     "u:g:"
 #endif
 			     )) != EOF ) {
 		switch ( i ) {
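Review bot: The getopt string on the `"d:f:ia:p:s:c"` line accepts `-c` unconditionally, but the `case 'c'` in the switch (next hunk) is now wrapped in `#ifdef LDAP_CONNECTIONLESS`; without that macro `-c` is still parsed by getopt and falls through to `default:`, which calls usage() where `-c` is not listed. Keep the letter inside the same conditional, as is already done for `"l:"` and `"t"`: `"d:f:ia:p:s:"` followed by `#ifdef LDAP_CONNECTIONLESS` / `"c"` / `#endif`. The enclosing main() begins before this hunk.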
@@ -195,9 +198,11 @@ main( int argc, char **argv )
 			break;
 #endif
 
-		case 'u':	/* do udp */
+#ifdef LDAP_CONNECTIONLESS
+		case 'c':	/* do connectionless (udp) */
 			udp = 1;
 			break;
+#endif
 
 #ifdef SLAPD_BDB2
 		case 't':  /* timed server */
@@ -205,15 +210,17 @@ main( int argc, char **argv )
 			break;
 #endif
 
-#if defined(HAVE_PWD_H) && defined(HAVE_GRP_H)
-		case 'U':	/* user name */
+#if defined(HAVE_SETUID) && defined(HAVE_GETUID)
+		case 'u':	/* user name */
+			if( username ) free(username);
 			username = ch_strdup( optarg );
 			break;
 
-		case 'G':	/* group name */
+		case 'g':	/* group name */
+			if( groupname ) free(groupname);
 			groupname = ch_strdup( optarg );
 			break;
-#endif /* HAVE_PWD_H && HAVE_GRP_H */
+#endif /* SETUID && GETUID */
 
 		default:
 			usage( argv[0] );
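Review bot: The guard on the new `case 'u'`/`case 'g'` handlers is `defined(HAVE_SETUID) && defined(HAVE_GETUID)`, while usage(), the username/groupname declarations, the `"u:g:"` getopt string and the slap_init_user() call in this file's other hunks, and the gate in servers/slapd/user.c, all use `defined(HAVE_SETUID) && defined(HAVE_SETGID)`; the visible configure.in check list adds setuid/seteuid/setgid/setegid/initgroups but no getuid, so where HAVE_GETUID is not defined `-u`/`-g` are advertised and accepted by getopt yet fall to `default:`. Change the guard to `#if defined(HAVE_SETUID) && defined(HAVE_SETGID)` and the closing comment to `#endif /* HAVE_SETUID && HAVE_SETGID */`. The added `if( username ) free(username);` and `if( groupname ) free(groupname);` release memory obtained from ch_strdup(); if the ch_ allocator family has a matching release routine it should be used here for consistency, and since the commit message itself says a repeated option should be an error, rejecting the duplicate with usage() would remove the need to free at all. main() starts and ends outside this hunk.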
@@ -241,7 +248,7 @@ main( int argc, char **argv )
 
 	tcps = set_socket( inetd ? NULL : &bind_addr );
 
-#if defined(HAVE_PWD_H) && defined(HAVE_GRP_H)
+#if defined(HAVE_SETUID) && defined(HAVE_SETGID)
 	if ( username != NULL || groupname != NULL )
 		slap_init_user( username, groupname );
 #endif
diff --git a/servers/slapd/user.c b/servers/slapd/user.c
index e7d7252e01..e92598d800 100644
--- a/servers/slapd/user.c
+++ b/servers/slapd/user.c
@@ -11,12 +11,17 @@
 
 #include "portable.h"
 
-#if defined(HAVE_PWD_H) && defined(HAVE_GRP_H)
+#if defined(HAVE_SETUID) && defined(HAVE_SETGID)
 
 #include <stdio.h>
 #include <stdlib.h>
+
+#ifdef HAVE_PWD_H
 #include <pwd.h>
+#endif
+#ifdef HAVE_GRP_H
 #include <grp.h>
+#endif
 
 #include <ac/ctype.h>
 #include <ac/unistd.h>
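Review bot: The file is now gated on `HAVE_SETUID && HAVE_SETGID` while `<pwd.h>` and `<grp.h>` have become conditional on `HAVE_PWD_H`/`HAVE_GRP_H`; the name-to-id lookups that slap_init_user() does later in this file (outside this hunk) presumably still need the passwd/group declarations, so a platform that has setuid() but not these headers would now compile the lookups without them. If that is the case, either add `defined(HAVE_PWD_H) && defined(HAVE_GRP_H)` back into the file gate or wrap the name lookups in the same header conditionals.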
@@ -31,7 +36,7 @@
 void
 slap_init_user( char *user, char *group )
 {
-    uid_t	uid = (gid_t) -1;
+    uid_t	uid = (uid_t) -1;
     gid_t	gid = (gid_t) -1;
 
     if ( user ) {
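Review bot: `uid_t uid = (uid_t) -1;` corrects the cast, but the sentinel is later tested with `if ( uid >= 0 )` (context line in the following hunk); uid_t is an unsigned type on most systems, so that comparison is always true and slap_init_user() would call setuid() with the sentinel value whenever only a group was given. Test against the sentinel instead, `if ( uid != (uid_t) -1 )`, and likewise `gid != (gid_t) -1` for the group branch if it uses the same pattern. slap_init_user() continues past the end of this hunk.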
@@ -104,11 +109,13 @@ slap_init_user( char *user, char *group )
 		   gid, 0, 0 );
 	    exit( 1 );
 	}
+#ifdef HAVE_SETEGID
 	if ( setegid( gid ) != 0 ) {
 	    Debug( LDAP_DEBUG_ANY, "Could not set effective group id to %d\n",
 		   gid, 0, 0 );
 	    exit( 1 );
 	}
+#endif
     }
 
     if ( uid >= 0 ) {
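Review bot: setegid() is now skipped when HAVE_SETEGID is undefined, which is fine after a successful setgid(), but the same treatment is not visible for initgroups(3): configure now defines HAVE_INITGROUPS and the man page in this commit says slapd calls initgroups, yet no hunk in this file guards that call. If the call lives elsewhere in slap_init_user() (outside these hunks), wrap it in `#ifdef HAVE_INITGROUPS` the same way, or add HAVE_INITGROUPS to the file gate, so the feature does not fail to link on a platform that has setgid() but no initgroups(). The enclosing function starts before this hunk.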
@@ -117,11 +124,13 @@ slap_init_user( char *user, char *group )
 		   uid, 0, 0 );
 	    exit( 1 );
 	}
+#ifdef HAVE_SETEUID
 	if ( seteuid( uid ) != 0 ) {
 	    Debug( LDAP_DEBUG_ANY, "Could not set real user id to %d\n",
 		   uid, 0, 0 );
 	    exit( 1 );
 	}
+#endif
     }
 }
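Review bot: After the setuid()/seteuid() pair there is no verification that the privilege drop is permanent; a defensive check after the `#endif`, such as `if ( uid != 0 && setuid( 0 ) == 0 ) { Debug( LDAP_DEBUG_ANY, "Could not drop root privileges\n", 0, 0, 0 ); exit( 1 ); }`, catches the case where only the effective id was changed. The failure message on the seteuid() branch, `"Could not set real user id to %d\n"`, is a context line the commit leaves as is, but it describes the wrong id now that the call is explicitly the effective-id variant; `"Could not set effective user id to %d\n"` matches the setegid() message above.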
 
-- 
GitLab