From: yasuoka Date: Fri, 9 Feb 2024 07:41:32 +0000 (+0000) Subject: Add nochroot parameter to module_drop_privilege() so that modules can X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=edd79a0ef132fbd51e7df9fae7e84e36be5ffaf8;p=openbsd Add nochroot parameter to module_drop_privilege() so that modules can use unveil(2) instead of chroot(2) if need.
---
diff --git a/usr.sbin/radiusd/radiusd_bsdauth.c b/usr.sbin/radiusd/radiusd_bsdauth.c
index 69907bf9a95..9f37ffa74dd 100644
--- a/usr.sbin/radiusd/radiusd_bsdauth.c
+++ b/usr.sbin/radiusd/radiusd_bsdauth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: radiusd_bsdauth.c,v 1.15 2023/08/18 06:12:27 yasuoka Exp $ */
+/* $OpenBSD: radiusd_bsdauth.c,v 1.16 2024/02/09 07:41:32 yasuoka Exp $ */
 /*
  * Copyright (c) 2015 YASUOKA Masahiko
@@ -247,7 +247,7 @@ module_bsdauth_main(void)
     &module_bsdauth_handlers)) == NULL)
 err(1, "Could not create a module instance");
- module_drop_privilege(module_bsdauth.base);
+ module_drop_privilege(module_bsdauth.base, 0);
 module_load(module_bsdauth.base);
 imsg_init(&module_bsdauth.ibuf, 3);
diff --git a/usr.sbin/radiusd/radiusd_module.c b/usr.sbin/radiusd/radiusd_module.c
index 0b482a14049..85236db2cd3 100644
--- a/usr.sbin/radiusd/radiusd_module.c
+++ b/usr.sbin/radiusd/radiusd_module.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: radiusd_module.c,v 1.15 2024/01/08 04:16:48 yasuoka Exp $ */
+/* $OpenBSD: radiusd_module.c,v 1.16 2024/02/09 07:41:32 yasuoka Exp $ */
 /*
  * Copyright (c) 2015 YASUOKA Masahiko
@@ -162,7 +162,7 @@ module_load(struct module_base *base)
 }
 void
-module_drop_privilege(struct module_base *base)
+module_drop_privilege(struct module_base *base, int nochroot)
 {
 struct passwd *pw;
@@ -171,7 +171,7 @@ module_drop_privilege(struct module_base *base)
 /* Drop the privilege */
 if ((pw = getpwnam(RADIUSD_USER)) == NULL)
 goto on_fail;
- if (chroot(pw->pw_dir) == -1)
+ if (nochroot == 0 && chroot(pw->pw_dir) == -1)
 goto on_fail;
 if (chdir("/") == -1)
 goto on_fail;
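Review bot: In the `@@ -171` hunk of radiusd_module.c, a caller that passes a non-zero nochroot gets the user switch without any filesystem confinement, and nothing in the code records that the module is now expected to confine itself with unveil(2), as only the commit message says. I would state that contract above the condition: `/* nochroot != 0: skip chroot(2); the module must then restrict itself with unveil(2)/pledge(2) on its own. */`, and mirror a one-line version on the prototype in radiusd_module.h (the `@@ -60` hunk), since callers only see an unnamed `int` there. Keeping `chdir("/")` unconditional looks right, as it avoids holding the old working directory in either mode. The remainder of module_drop_privilege, including the on_fail path, is outside the hunk, so the effect of a later failure cannot be judged from here.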
diff --git a/usr.sbin/radiusd/radiusd_module.h b/usr.sbin/radiusd/radiusd_module.h
index 6b993adc213..5fb44513fd6 100644
--- a/usr.sbin/radiusd/radiusd_module.h
+++ b/usr.sbin/radiusd/radiusd_module.h
@@ -60,7 +60,7 @@ void module_stop(struct module_base *);
 int module_run(struct module_base *);
 void module_destroy(struct module_base *);
 void module_load(struct module_base *);
-void module_drop_privilege(struct module_base *);
+void module_drop_privilege(struct module_base *, int);
 int module_notify_secret(struct module_base *, const char *);
 int module_send_message(struct module_base *, uint32_t,
diff --git a/usr.sbin/radiusd/radiusd_radius.c b/usr.sbin/radiusd/radiusd_radius.c
index 3b3b67ea564..c0aa8f82533 100644
--- a/usr.sbin/radiusd/radiusd_radius.c
+++ b/usr.sbin/radiusd/radiusd_radius.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: radiusd_radius.c,v 1.19 2023/09/04 10:49:20 yasuoka Exp $ */
+/* $OpenBSD: radiusd_radius.c,v 1.20 2024/02/09 07:41:32 yasuoka Exp $ */
 /*
  * Copyright (c) 2013 Internet Initiative Japan Inc.
@@ -125,7 +125,7 @@ main(int argc, char *argv[])
 if ((module_radius.base = module_create(
     STDIN_FILENO, &module_radius, &module_radius_handlers)) == NULL)
 err(1, "Could not create a module instance");
- module_drop_privilege(module_radius.base);
+ module_drop_privilege(module_radius.base, 0);
 setproctitle("[main]");
 module_load(module_radius.base);
diff --git a/usr.sbin/radiusd/radiusd_standard.c b/usr.sbin/radiusd/radiusd_standard.c
index 115748340d1..f819e3b4723 100644
--- a/usr.sbin/radiusd/radiusd_standard.c
+++ b/usr.sbin/radiusd/radiusd_standard.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: radiusd_standard.c,v 1.3 2024/02/06 10:53:20 yasuoka Exp $ */
+/* $OpenBSD: radiusd_standard.c,v 1.4 2024/02/09 07:41:32 yasuoka Exp $ */
 /*
  * Copyright (c) 2013, 2023 Internet Initiative Japan Inc.
@@ -74,7 +74,7 @@ main(int argc, char *argv[])
     STDIN_FILENO, &module_standard, &handlers)) == NULL)
 err(1, "Could not create a module instance");
- module_drop_privilege(module_standard.base);
+ module_drop_privilege(module_standard.base, 0);
 if (pledge("stdio", NULL) == -1)
 err(1, "pledge");