1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127
|
Author: Simon Burnet
Subject: Adding maradns_user to mararc
Forwarded: no
Last-update: 2014-03-04
--- a/parse/ParseMaraRc.c
+++ b/parse/ParseMaraRc.c
@@ -31,7 +31,7 @@
/* Keywords that are non-dictionary strings in Mara's rc file */
-#define KEYCOUNT 55
+#define KEYCOUNT 56
char *keywords[KEYCOUNT] = {
"bind_address", /* IPv4 Addresses to bind to (old name) */
@@ -52,8 +52,10 @@
changes MaraDNS' behavior as an authoritative
nameserver */
"hide_disclaimer", /* Whether to hide the disclaimer */
- "maradns_uid", /* UID that MaraDNS will run as */
+ "maradns_uid", /* UID that MaraDNS will run as (optional - must be
+ provided if maradns_user is not) */
"maradns_gid", /* GID that MaraDNS will run as (optional) */
+ "maradns_user", /* The user and group which MaraDNS will switch to */
"max_ar_chain", /* Maximum number of records in a chain of
records in the AR section. Note: This has
to be one or round-robin rotates are disabled */
--- a/server/MaraDNS.c
+++ b/server/MaraDNS.c
@@ -34,7 +34,7 @@
#include <string.h>
#include <time.h>
#ifndef MINGW32
-#include <grp.h>
+#include <pwd.h>
#endif
#include <fcntl.h>
#ifdef __FreeBSD__
@@ -3697,11 +3697,11 @@
*ipv4_bind_address = 0, *incoming = 0,
*uncomp = 0, *verbstr = 0;
#ifndef MINGW32
- unsigned char chroot_zt[255];
+ unsigned char stringbuffer_zt[255];
#ifndef __CYGWIN__
- uid_t uid;
+ uid_t uid = 0;
#endif
- gid_t gid;
+ gid_t gid = 0;
#endif
int errorn, value, maxprocs, counter;
int sock[514];
@@ -4223,7 +4223,26 @@
debug_msg_level = read_numeric_kvar("debug_msg_level",1);
#ifndef MINGW32
- /* Determine if we are root */
+ /* Get the uid and gid now, because we won't be able to do it once we're chrooted */
+ if (verbstr != 0) { js_destroy(verbstr); verbstr = 0; }
+ verbstr = read_string_kvar("maradns_user");
+ if (verbstr != 0 && js_length(verbstr) > 0) {
+ struct passwd * pwd = NULL;
+ if (js_js2str(verbstr,(char *)stringbuffer_zt,200) == JS_ERROR)
+ harderror(L_BADUSER);
+ errno=0;
+ if ((pwd = getpwnam((char *)stringbuffer_zt)) == NULL) {
+ printf("Error setting uid and gid to that of '%s'. Error from getpwnam() was %d.\n", (char*)stringbuffer_zt, errno);
+ exit(1);
+ }
+#ifndef __CYGWIN__
+ uid = pwd->pw_uid;
+#endif
+ gid = pwd->pw_gid;
+ }
+ if (verbstr != 0) { js_destroy(verbstr); verbstr = 0; }
+
+ /* Determine if we are root */
#ifndef __CYGWIN__
if(geteuid() == 0) {
#endif
@@ -4235,12 +4254,12 @@
}
if(js_length(verbstr) <= 0)
harderror(L_CHROOT_KVAR); /* "Problem getting chroot kvar.\nYou must have chroot_dir set if you start this as root" */
- if(js_js2str(verbstr,(char *)chroot_zt,200) == JS_ERROR)
+ if(js_js2str(verbstr,(char *)stringbuffer_zt,200) == JS_ERROR)
harderror(L_CHROOT_NT); /* "Problem making chroot nt string.\nMake sure the chroot directory is 200 chars or less" */
- if(chdir((char *)chroot_zt) != 0)
+ if(chdir((char *)stringbuffer_zt) != 0)
sys_harderror(L_CHROOT_CHANGE); /* "Problem changing to chroot dir.\nMake sure chroot_dir points to a valid directory" */
#if ! (defined __CYGWIN__ || defined QNX)
- if(chroot((char *)chroot_zt) != 0)
+ if(chroot((char *)stringbuffer_zt) != 0)
sys_harderror(L_CHROOT_DO); /* "Problem changing the root directory." */
#endif
@@ -4339,7 +4358,9 @@
#ifndef MINGW32
/* Drop the elevated privileges */
/* First, change the GID */
- gid = read_numeric_kvar("maradns_gid",MARADNS_DEFAULT_GID);
+
+ if (gid == 0)
+ gid = read_numeric_kvar("maradns_gid",MARADNS_DEFAULT_GID);
#ifndef __CYGWIN__
/* Drop all supplemental groups */
setgroups(1,&gid);
@@ -4349,7 +4370,9 @@
#ifndef __CYGWIN__
/* Next, change the UID */
- uid = read_numeric_kvar("maradns_uid",MARADNS_DEFAULT_UID);
+ if (uid == 0)
+ uid = read_numeric_kvar("maradns_uid",MARADNS_DEFAULT_UID);
+
if(uid < 10)
harderror(L_BADUID); /* "maradns_uid is less than 10 or not a number.\nThis uid must have a value of 10 or more" */
if(setuid(uid) != 0)
--- a/server/MaraDNS_en.h
+++ b/server/MaraDNS_en.h
@@ -77,3 +77,5 @@
#define L_INVALID_TIMEOUT "timeout_seconds needs to be a number, and be greater than zero"
#define L_TIMESTAMP "Timestamp: "
#define L_COMPRESS_ERROR "Compression error: "
+#define L_BADUSER "Could not parse maradns_user. Perhaps the string is too long?"
+
|