Commit 7ba980f0 authored by Kurt Zeilenga's avatar Kurt Zeilenga

Modify slapd set user/group support to use -u/-g instead -U/-G.

Moved -u (udp) to -c (connectionless).  Connectionless is deprecated
and undocumented.
Added tests for set{,e}{u,g}id to configure.  Use existence of
setuid/setgid to enable feature.  Use seteuid/setegid only if
they exist.
Fixed minor leak of username/groupname if specified
more than once.  (This should actually be an error)
parent 82348ef0
......@@ -47,12 +47,7 @@ these steps:
See the 'USING ENVIRONMENT VARIABLES' section for information
on how to use the variables.
3. edit the file include/ldapconfig.h.edit to configure
the software for your site (the files are well-commented):
% vi include/ldapconfig.h.edit
4. Configure the build system
3. Configure the build system
% [env settings] ./configure [options]
......@@ -60,6 +55,11 @@ these steps:
appropriate settings. Use configure enable/with options and/or
environment variables to obtain desired results.
4. Review the file include/ldapconfig.h.edit.
You generally do not need to modify this file.
% vi include/ldapconfig.h.edit
5. Build dependencies
% make depend
......@@ -10808,12 +10808,13 @@ for ac_func in \
endgrent \
endpwent \
flock \
getdtablesize \
getdtablesize \
getgrgid \
gethostname \
getpass \
getpwuid \
gettimeofday \
gettimeofday \
initgroups \
lockf \
memcpy \
memmove \
......@@ -10821,7 +10822,11 @@ for ac_func in \
recv \
recvfrom \
setpwfile \
setgid \
setegid \
setsid \
setuid \
seteuid \
signal \
sigset \
snprintf \
......@@ -10840,12 +10845,12 @@ for ac_func in \
do
echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
echo "configure:10844: checking for $ac_func" >&5
echo "configure:10849: checking for $ac_func" >&5
if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
#line 10849 "configure"
#line 10854 "configure"
#include "confdefs.h"
/* System header to define __stub macros and hopefully few prototypes,
which can conflict with char $ac_func(); below. */
......@@ -10868,7 +10873,7 @@ $ac_func();
; return 0; }
EOF
if { (eval echo configure:10872: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
if { (eval echo configure:10877: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
eval "ac_cv_func_$ac_func=yes"
else
......@@ -10896,12 +10901,12 @@ done
for ac_func in getopt tempnam
do
echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
echo "configure:10900: checking for $ac_func" >&5
echo "configure:10905: checking for $ac_func" >&5
if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
#line 10905 "configure"
#line 10910 "configure"
#include "confdefs.h"
/* System header to define __stub macros and hopefully few prototypes,
which can conflict with char $ac_func(); below. */
......@@ -10924,7 +10929,7 @@ $ac_func();
; return 0; }
EOF
if { (eval echo configure:10928: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
if { (eval echo configure:10933: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
eval "ac_cv_func_$ac_func=yes"
else
......@@ -10954,13 +10959,13 @@ done
# Check Configuration
echo $ac_n "checking declaration of sys_errlist""... $ac_c" 1>&6
echo "configure:10958: checking declaration of sys_errlist" >&5
echo "configure:10963: checking declaration of sys_errlist" >&5
if eval "test \"`echo '$''{'ol_cv_dcl_sys_errlist'+set}'`\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
#line 10964 "configure"
#line 10969 "configure"
#include "confdefs.h"
#include <stdio.h>
......@@ -10970,7 +10975,7 @@ int main() {
char *c = (char *) *sys_errlist
; return 0; }
EOF
if { (eval echo configure:10974: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
if { (eval echo configure:10979: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
rm -rf conftest*
ol_cv_dcl_sys_errlist=yes
else
......@@ -10990,20 +10995,20 @@ if test $ol_cv_dcl_sys_errlist = no ; then
EOF
echo $ac_n "checking existence of sys_errlist""... $ac_c" 1>&6
echo "configure:10994: checking existence of sys_errlist" >&5
echo "configure:10999: checking existence of sys_errlist" >&5
if eval "test \"`echo '$''{'ol_cv_have_sys_errlist'+set}'`\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
#line 11000 "configure"
#line 11005 "configure"
#include "confdefs.h"
#include <errno.h>
int main() {
char *c = (char *) *sys_errlist
; return 0; }
EOF
if { (eval echo configure:11007: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
if { (eval echo configure:11012: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
ol_cv_have_sys_errlist=yes
else
......@@ -11027,13 +11032,13 @@ fi
echo $ac_n "checking strdup declaration""... $ac_c" 1>&6
echo "configure:11031: checking strdup declaration" >&5
echo "configure:11036: checking strdup declaration" >&5
if eval "test \"`echo '$''{'ol_cv_dcl_strdup'+set}'`\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
#line 11037 "configure"
#line 11042 "configure"
#include "confdefs.h"
#include <string.h>
......@@ -11041,7 +11046,7 @@ int main() {
extern char *strdup();
; return 0; }
EOF
if { (eval echo configure:11045: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
if { (eval echo configure:11050: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
rm -rf conftest*
ol_cv_dcl_strdup=yes
else
......@@ -1541,12 +1541,13 @@ AC_CHECK_FUNCS( \
endgrent \
endpwent \
flock \
getdtablesize \
getdtablesize \
getgrgid \
gethostname \
getpass \
getpwuid \
gettimeofday \
gettimeofday \
initgroups \
lockf \
memcpy \
memmove \
......@@ -1554,7 +1555,11 @@ AC_CHECK_FUNCS( \
recv \
recvfrom \
setpwfile \
setgid \
setegid \
setsid \
setuid \
seteuid \
signal \
sigset \
snprintf \
......@@ -5,7 +5,7 @@ slapd \- Stand-alone LDAP Daemon
.B LIBEXECDIR/slapd [\-d debug\-level]
.B [\-f slapd\-config\-file] [\-a address] [\-p port\-number]
.B [\-s syslog\-level] [\-l syslog\-local\-user] [\-i]
.B [\-U user] [\-G group]
.B [\-u user] [\-g group]
.B
.SH DESCRIPTION
.LP
......@@ -99,14 +99,14 @@ Internet standard '.' format.
will listen on the default LDAP port (389) unless this option is given
to override the default. A numeric port number is expected.
.TP
.BI \-U " user"
.BI \-u " user"
.B slapd
will run slapd with the specified user name or id, and that user's
supplementary group access list as set with initgroups(3). The group ID
is also changed to this user's gid, unless the -G option is used to
is also changed to this user's gid, unless the -g option is used to
override.
.TP
.BI \-G " group"
.BI \-g " group"
.B slapd
will run with the specified group name or id.
.TP
......@@ -261,6 +261,9 @@
/* Define if you have the gettimeofday function. */
#undef HAVE_GETTIMEOFDAY
/* Define if you have the initgroups function. */
#undef HAVE_INITGROUPS
/* Define if you have the lockf function. */
#undef HAVE_LOCKF
......@@ -297,12 +300,24 @@
/* Define if you have the sched_yield function. */
#undef HAVE_SCHED_YIELD
/* Define if you have the setegid function. */
#undef HAVE_SETEGID
/* Define if you have the seteuid function. */
#undef HAVE_SETEUID
/* Define if you have the setgid function. */
#undef HAVE_SETGID
/* Define if you have the setpwfile function. */
#undef HAVE_SETPWFILE
/* Define if you have the setsid function. */
#undef HAVE_SETSID
/* Define if you have the setuid function. */
#undef HAVE_SETUID
/* Define if you have the signal function. */
#undef HAVE_SIGNAL
......@@ -57,15 +57,18 @@ static void
usage( char *name )
{
fprintf( stderr, "usage: %s [-d ?|debuglevel] [-f configfile] [-p portnumber] [-s sysloglevel]", name );
fprintf( stderr, "\n [-a bind-address] [-i] [-u]" );
fprintf( stderr, "\n [-a bind-address] [-i]" );
#if LDAP_CONNECTIONLESS
fprintf( stderr, " [-c]" );
#endif
#ifdef SLAPD_BDB2
fprintf( stderr, " [-t]" );
#endif
#ifdef LOG_LOCAL4
fprintf( stderr, " [-l sysloguser]" );
#endif
#if defined(HAVE_PWD_H) && defined(HAVE_GRP_H)
fprintf( stderr, " [-U user] [-G group]" );
#if defined(HAVE_SETUID) && defined(HAVE_SETGID)
fprintf( stderr, " [-u user] [-g group]" );
#endif
fprintf( stderr, "\n" );
}
......@@ -84,7 +87,7 @@ main( int argc, char **argv )
#ifdef LOG_LOCAL4
int syslogUser = DEFAULT_SYSLOG_USER;
#endif
#if defined(HAVE_PWD_H) && defined(HAVE_GRP_H)
#if defined(HAVE_SETUID) && defined(HAVE_SETGID)
char *username = NULL, *groupname = NULL;
#endif
char *configfile;
......@@ -102,15 +105,15 @@ main( int argc, char **argv )
g_argv = argv;
while ( (i = getopt( argc, argv,
"d:f:ia:p:s:u"
"d:f:ia:p:s:c"
#ifdef LOG_LOCAL4
"l:"
#endif
#ifdef SLAPD_BDB2
"t"
#endif
#if defined(HAVE_PWD_H) && defined(HAVE_GRP_H)
"U:G:"
#if defined(HAVE_SETUID) && defined(HAVE_SETGID)
"u:g:"
#endif
)) != EOF ) {
switch ( i ) {
......@@ -195,9 +198,11 @@ main( int argc, char **argv )
break;
#endif
case 'u': /* do udp */
#ifdef LDAP_CONNECTIONLESS
case 'c': /* do connectionless (udp) */
udp = 1;
break;
#endif
#ifdef SLAPD_BDB2
case 't': /* timed server */
......@@ -205,15 +210,17 @@ main( int argc, char **argv )
break;
#endif
#if defined(HAVE_PWD_H) && defined(HAVE_GRP_H)
case 'U': /* user name */
#if defined(HAVE_SETUID) && defined(HAVE_GETUID)
case 'u': /* user name */
if( username ) free(username);
username = ch_strdup( optarg );
break;
case 'G': /* group name */
case 'g': /* group name */
if( groupname ) free(groupname);
groupname = ch_strdup( optarg );
break;
#endif /* HAVE_PWD_H && HAVE_GRP_H */
#endif /* SETUID && GETUID */
default:
usage( argv[0] );
......@@ -241,7 +248,7 @@ main( int argc, char **argv )
tcps = set_socket( inetd ? NULL : &bind_addr );
#if defined(HAVE_PWD_H) && defined(HAVE_GRP_H)
#if defined(HAVE_SETUID) && defined(HAVE_SETGID)
if ( username != NULL || groupname != NULL )
slap_init_user( username, groupname );
#endif
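Review bot: The option-parsing guard `#if defined(HAVE_SETUID) && defined(HAVE_GETUID)` tests HAVE_GETUID, which nothing in this commit defines — the configure.in/portable.h.in function list runs from gettimeofday straight to initgroups with no getuid, and the other three guards in this file (usage(), the username/groupname declarations, the slap_init_user call) all use HAVE_SETGID. As written the `case 'u'` and `case 'g'` arms are compiled out on every platform while "u:g:" remains in the getopt string, so `-u user` returns 'u', falls to `default:` and prints usage; the privilege-drop option would be silently unusable. Change the guard to `#if defined(HAVE_SETUID) && defined(HAVE_SETGID)` and its closing comment to `#endif /* SETUID && SETGID */`. A smaller version of the same mismatch is that `c` sits in the getopt string unconditionally while `case 'c'` exists only under LDAP_CONNECTIONLESS; that only yields a usage message, but a comment on the getopt string would make it deliberate. main()'s body continues outside the hunk.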
......@@ -11,12 +11,17 @@
#include "portable.h"
#if defined(HAVE_PWD_H) && defined(HAVE_GRP_H)
#if defined(HAVE_SETUID) && defined(HAVE_SETGID)
#include <stdio.h>
#include <stdlib.h>
#ifdef HAVE_PWD_H
#include <pwd.h>
#endif
#ifdef HAVE_GRP_H
#include <grp.h>
#endif
#include <ac/ctype.h>
#include <ac/unistd.h>
......@@ -31,7 +36,7 @@
void
slap_init_user( char *user, char *group )
{
uid_t uid = (gid_t) -1;
uid_t uid = (uid_t) -1;
gid_t gid = (gid_t) -1;
if ( user ) {
......@@ -104,11 +109,13 @@ slap_init_user( char *user, char *group )
gid, 0, 0 );
exit( 1 );
}
#ifdef HAVE_SETEGID
if ( setegid( gid ) != 0 ) {
Debug( LDAP_DEBUG_ANY, "Could not set effective group id to %d\n",
gid, 0, 0 );
exit( 1 );
}
#endif
}
if ( uid >= 0 ) {
......@@ -117,11 +124,13 @@ slap_init_user( char *user, char *group )
uid, 0, 0 );
exit( 1 );
}
#ifdef HAVE_SETEUID
if ( seteuid( uid ) != 0 ) {
Debug( LDAP_DEBUG_ANY, "Could not set real user id to %d\n",
uid, 0, 0 );
exit( 1 );
}
#endif
}
}
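Review bot: The error message in the new `#ifdef HAVE_SETEUID` branch reads "Could not set real user id" although it reports the seteuid() call; use `Debug( LDAP_DEBUG_ANY, "Could not set effective user id to %d\n", uid, 0, 0 );` so a failed privilege drop is diagnosed correctly, matching the "effective group id" wording in the setegid branch. When the preceding setuid()/setgid() calls succeed as root, the guarded seteuid()/setegid() calls are no-ops, so the additions do not weaken the drop, but nothing here verifies the drop is irreversible (e.g. that a subsequent setuid(0) fails) — worth a check or a comment. The context line `if ( uid >= 0 )` compares a uid_t against 0, which on platforms where uid_t is unsigned (Linux, most BSDs) is always true, so when only -g is given setuid((uid_t)-1) is presumably attempted and the daemon exits; `if ( uid != (uid_t) -1 )` is the intended test, and the group branch deserves the same review if it is written the same way (that line is outside the hunk). Whether initgroups()/setgroups() runs before setgid() is not visible here either; confirm supplementary groups are dropped rather than inherited from root. slap_init_user's body begins outside the hunk.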