Diffstat (limited to 'ipa-server')
-rw-r--r-- | ipa-server/ipa-gui/ipa_webgui | 23 | ||||
-rw-r--r-- | ipa-server/ipa-gui/ipa_webgui.init | 2 | ||||
-rw-r--r-- | ipa-server/ipa-kpasswd/ipa_kpasswd.c | 16 |
3 files changed, 36 insertions, 5 deletions
diff --git a/ipa-server/ipa-gui/ipa_webgui b/ipa-server/ipa-gui/ipa_webgui
index f7780af8e..96558d570 100644
--- a/ipa-server/ipa-gui/ipa_webgui
+++ b/ipa-server/ipa-gui/ipa_webgui
@@ -17,7 +17,7 @@
 # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
 #
-import os, sys
+import os, sys, pwd, grp
 from optparse import OptionParser
 import ipa.config
 import traceback
@@ -119,6 +119,27 @@ def main():
 sys.stderr.write("error becoming daemon: " + str(e))
 sys.exit(1)
+ # Drop privileges and write our pid file only if we're running as root
+ if os.getuid() == 0:
+ # Write out our pid file
+ pidfile = open("/var/run/ipa_webgui.pid", "w")
+ pidfile.write(str(os.getpid()))
+ pidfile.close()
+
+ # Drop privs
+ apache_uid = pwd.getpwnam("apache")[2]
+ apache_gid = grp.getgrnam("apache")[2]
+
+ try:
+ os.setgid(apache_gid)
+ except OSError, e:
+ log.error("Could not set effective group id: %s" % e)
+
+ try:
+ os.setuid(apache_uid)
+ except OSError, e:
+ log.error("Could not set effective user id: %s" % e)
+
 sys.path.append("/usr/share/ipa")
 # this must be after sys.path is changed to work correctly
diff --git a/ipa-server/ipa-gui/ipa_webgui.init b/ipa-server/ipa-gui/ipa_webgui.init
index e603f9f2a..42478588f 100644
--- a/ipa-server/ipa-gui/ipa_webgui.init
+++ b/ipa-server/ipa-gui/ipa_webgui.init
@@ -30,7 +30,7 @@ RUNAS="apache"
 start() {
 echo -n $"Starting $NAME: "
- daemon --user $RUNAS $PROG
+ daemon $PROG
 RETVAL=$?
 echo
 [ $RETVAL -eq 0 ] && touch /var/lock/subsys/ipa_webgui || \
diff --git a/ipa-server/ipa-kpasswd/ipa_kpasswd.c b/ipa-server/ipa-kpasswd/ipa_kpasswd.c
index ccd17c1f0..0bca8cf35 100644
--- a/ipa-server/ipa-kpasswd/ipa_kpasswd.c
+++ b/ipa-server/ipa-kpasswd/ipa_kpasswd.c
@@ -1110,7 +1110,7 @@ int main(int argc, char *argv[])
 /* do not keep any fs busy */
 ret = chdir("/");
 if (ret == -1) {
- syslog(LOG_ERR, "Unable to chage dir to '/'");
+ syslog(LOG_ERR, "Unable to change dir to '/'");
 exit(-1);
 }
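Review bot: In the privilege-drop block added to main() in ipa_webgui, a failed `os.setgid()` or `os.setuid()` is only logged and execution carries on, so the web GUI keeps serving as root whenever the drop does not succeed; both failures should end the process. The block also never calls `os.setgroups([])`, so root's supplementary groups would stay attached to the process after the uid change. Whether `log` is already bound at this point in main() is not visible in the hunk, and main() itself starts and ends outside it. The fence below shows the drop as one fail-closed sequence.

```python
        # … unchanged: pid file written while still root …

        # Drop privs
        apache_uid = pwd.getpwnam("apache")[2]
        apache_gid = grp.getgrnam("apache")[2]

        try:
            # clear root's supplementary groups, then gid before uid
            os.setgroups([])
            os.setgid(apache_gid)
            os.setuid(apache_uid)
        except OSError, e:
            log.error("Could not drop privileges: %s" % e)
            sys.exit(1)
```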
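Review bot: `RUNAS="apache"` is still defined above start() (it shows in the hunk header), but the new `daemon $PROG` line no longer uses it, while ipa_webgui now hard-codes the same account in `pwd.getpwnam("apache")`. If nothing else in the script reads RUNAS, drop it, or add a comment such as `# ipa_webgui starts as root, writes its pid file, then drops to apache itself` so the account name has a single owner. start() continues past the end of the hunk.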
@@ -1126,8 +1126,8 @@ int main(int argc, char *argv[])
 /* new session */
 setsid();
- /* close std* descriptors */
+ /* close std* descriptors */
 close(0);
 close(1);
 close(2);
@@ -1142,7 +1142,7 @@ int main(int argc, char *argv[])
 exit(0);
 }
- /* source evn vars */
+ /* source env vars */
 env = getenv("KRB5_KTNAME");
 if (!env) {
 env = DEFAULT_KEYTAB;
@@ -1167,6 +1167,16 @@ int main(int argc, char *argv[])
 exit(1);
 }
+ /* Write out the pid file after the sigterm handler */
+ FILE *f = fopen("/var/run/ipa_kpasswd.pid", "w");
+ if (f == NULL) {
+ syslog(LOG_ERR,"Couldn't create pid file /var/run/ipa_kpasswd.pid: %s", strerror(errno));
+ exit(1);
+ } else {
+ fprintf(f, "%ld\n", (long) getpid());
+ fclose(f);
+ }
+
 tai = ai;
 nfds = 0;
 /* we can have a maximum of 4 sockets (IPv4/IPv6(TCP/UDP)) */ |
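Review bot: The pid file in the last hunk is created with plain `fopen(..., "w")`, so its mode comes from the process umask and the call follows a symlink if one already sits at that path; if the daemonizing code earlier in main() clears the umask (not visible here), /var/run/ipa_kpasswd.pid ends up writable by any local user, and whatever later reads it to signal the daemon is trusting that content. Creating it with an explicit mode, e.g. `fd = open("/var/run/ipa_kpasswd.pid", O_WRONLY|O_CREAT|O_TRUNC|O_NOFOLLOW, 0644);` followed by `f = fdopen(fd, "w");`, removes both dependencies. The results of `fprintf()` and `fclose()` are also ignored, so a failed write leaves an empty pid file without any syslog entry. main() begins and ends outside the hunk.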