diff options
author | Simo Sorce <simo@redhat.com> | 2013-12-22 16:13:56 -0500 |
---|---|---|
committer | Günther Deschner <gdeschner@redhat.com> | 2014-01-14 16:07:27 +0100 |
commit | a14cb37d199fec9227f668fe107bf38f99b8b842 (patch) | |
tree | 87846966a6820a6c109e856d7185f490f81ffd01 /proxy/src/gp_init.c | |
parent | 8b147c9196d9068d0fc5e5a8919b84e8cbb97ef4 (diff) | |
download | gss-proxy-a14cb37d199fec9227f668fe107bf38f99b8b842.tar.gz gss-proxy-a14cb37d199fec9227f668fe107bf38f99b8b842.tar.xz gss-proxy-a14cb37d199fec9227f668fe107bf38f99b8b842.zip |
Add support for dropping privileges
If the 'proxy user' configuation option is set in the [gssproxy] section then
GSS Proxy will drop privileges to the specified after setting up all the
sockets.
Care must be taken to make sure all the resources the daemon need access to
(keytabs, ccache directories, etc..) are accessible as the proxy user.
Implements: https://fedorahosted.org/gss-proxy/ticket/102
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Günther Deschner <gdeschner@redhat.com>
Diffstat (limited to 'proxy/src/gp_init.c')
-rw-r--r-- | proxy/src/gp_init.c | 46 |
1 files changed, 46 insertions, 0 deletions
diff --git a/proxy/src/gp_init.c b/proxy/src/gp_init.c index 7e29c59..830ae16 100644 --- a/proxy/src/gp_init.c +++ b/proxy/src/gp_init.c @@ -33,6 +33,8 @@ #include <string.h> #include <unistd.h> #include <stdio.h> +#include <pwd.h> +#include <grp.h> #include "gp_proxy.h" void init_server(bool daemonize) @@ -207,3 +209,47 @@ void write_pid(void) GP_PID_FILE, ret, gp_strerror(ret)); } } + +int drop_privs(struct gp_config *cfg) +{ + char buf[2048]; + struct passwd *pw, pws; + int ret; + + if (cfg->proxy_user == NULL) { + /* not dropping privs */ + return 0; + } + + ret = getpwnam_r(cfg->proxy_user, &pws, buf, 2048, &pw); + if (ret) { + GPDEBUG("Failed to look up proxy user: '%s'! [%d:%s]\n", + cfg->proxy_user, ret, gp_strerror(ret)); + return ret; + } + + ret = initgroups(pw->pw_name, pw->pw_gid); + if (ret) { + GPDEBUG("Failed to set access credentials: [%d:%s]\n", + ret, gp_strerror(ret)); + return ret; + } + + ret = setgid(pw->pw_gid); + if (ret == -1) { + ret = errno; + GPDEBUG("Failed to set group id to %d: [%d:%s]\n", + pw->pw_gid, ret, gp_strerror(ret)); + return ret; + } + + ret = setuid(pw->pw_uid); + if (ret == -1) { + ret = errno; + GPDEBUG("Failed to set user id to %d: [%d:%s]\n", + pw->pw_uid, ret, gp_strerror(ret)); + return ret; + } + + return 0; +} |