File: 40_improve-daemon-security.patch

package info (click to toggle)
tcpspy 1.7d-17
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid
  • size: 364 kB
  • sloc: ansic: 3,318; lex: 467; yacc: 204; makefile: 54; sh: 42
file content (82 lines) | stat: -rw-r--r-- 2,077 bytes parent folder | download | duplicates (5) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
 
Description: Improve security in daemonised execution.
 Ignore signals irrelevant to a long living daemon
 which was crafted with orderly shutdown.
 .
 Replace standard file descriptors with a tie to "/dev/null".
 .
 Yield controlling terminal properly by seting session ID.
Author: Mats Erik Andersson <debian@gisladisker.se>
Forwarded: no
Last-Update: 2011-03-08
Index: tcpspy-1.7d/tcpspy.c
===================================================================
--- tcpspy-1.7d.orig/tcpspy.c
+++ tcpspy-1.7d/tcpspy.c
@@ -54,8 +54,10 @@
 #include <sys/socket.h>
 #include <sys/time.h>
 #include <sys/types.h>
+#include <sys/stat.h>	/* umask() */
+#include <fcntl.h>	/* open /dev/null */
 #include <unistd.h>
-
+#include <paths.h>	/* _PATH_DEVNULL */
 #include "log.h"
 #include "rcsid.h"
 #include "rule.h"
@@ -656,6 +658,15 @@ int main (int argc, char *argv[])
 
 	if (debug == 0) {
 		pid_t p;
+		int nullfd;
+
+		/* Hinder early disturbance generated by terminal. */
+		signal (SIGHUP,  SIG_IGN);
+		signal (SIGINT,  SIG_IGN);
+		signal (SIGQUIT, SIG_IGN);
+		signal (SIGTSTP, SIG_IGN);
+		signal (SIGUSR1, SIG_IGN);
+		signal (SIGUSR2, SIG_IGN);
 
 		/* 1st fork */
 		p = fork();
@@ -666,6 +677,13 @@ int main (int argc, char *argv[])
 		} else if (p != 0)
 			exit (0);
 
+		/* Give up controlling terminal */
+		if (setsid () < 0) {
+			fprintf (stderr, "tcpspy: setsid: %s\n",
+					strerror (errno));
+			exit (EXIT_FAILURE);
+		}
+
 		/* 2nd fork */
 		p = fork();
 		if (p < 0) {
@@ -679,11 +697,22 @@ int main (int argc, char *argv[])
 		}
 
 		ioctl (STDIN_FILENO, TIOCNOTTY, NULL);
-		close (STDIN_FILENO); 
-		close (STDOUT_FILENO); 
-		close (STDERR_FILENO);
+
+		nullfd = open (_PATH_DEVNULL, O_RDWR, 0);
+		if (nullfd < 0) {
+			fprintf (stderr, "tcpspy: cannot open %s\n",
+					_PATH_DEVNULL);
+			exit (EXIT_FAILURE);
+		}
+
+		dup2 (nullfd, STDIN_FILENO);
+		dup2 (nullfd, STDOUT_FILENO);
+		dup2 (nullfd, STDERR_FILENO);
+		close (nullfd);
+
 		setpgid (0, 0);
 		chdir ("/");
+		umask (0);
 	} else
 		fprintf (stderr, "tcpspy 1.7d started (debug)\n");