Modify slapd set user/group support to use -u/-g instead of -U/-G.

Moved -u (udp) to -c (connectionless).  Connectionless is deprecated
and undocumented.
Added tests for set{,e}{u,g}id to configure.  Use the existence of
setuid/setgid to enable the feature.  Use seteuid/setegid only if
they exist.
Fixed a minor leak of username/groupname if specified
more than once.  (This should actually be an error.)
Kurt Zeilenga 1999-04-21 00:40:20 +00:00
parent 82348ef0d0
commit 7ba980f0f6
7 changed files with 85 additions and 44 deletions

12
INSTALL

@ -47,12 +47,7 @@ these steps:
See the 'USING ENVIRONMENT VARIABLES' section for information See the 'USING ENVIRONMENT VARIABLES' section for information
on how to use the variables. on how to use the variables.
3. edit the file include/ldapconfig.h.edit to configure 3. Configure the build system
the software for your site (the files are well-commented):
% vi include/ldapconfig.h.edit
4. Configure the build system
% [env settings] ./configure [options] % [env settings] ./configure [options]
@ -60,6 +55,11 @@ these steps:
appropriate settings. Use configure enable/with options and/or appropriate settings. Use configure enable/with options and/or
environment variables to obtain desired results. environment variables to obtain desired results.
4. Review the file include/ldapconfig.h.edit.
You generally do not need to modify this file.
% vi include/ldapconfig.h.edit
5. Build dependencies 5. Build dependencies
% make depend % make depend

39
configure vendored

@ -10808,12 +10808,13 @@ for ac_func in \
endgrent \ endgrent \
endpwent \ endpwent \
flock \ flock \
getdtablesize \ getdtablesize \
getgrgid \ getgrgid \
gethostname \ gethostname \
getpass \ getpass \
getpwuid \ getpwuid \
gettimeofday \ gettimeofday \
initgroups \
lockf \ lockf \
memcpy \ memcpy \
memmove \ memmove \
@ -10821,7 +10822,11 @@ for ac_func in \
recv \ recv \
recvfrom \ recvfrom \
setpwfile \ setpwfile \
setgid \
setegid \
setsid \ setsid \
setuid \
seteuid \
signal \ signal \
sigset \ sigset \
snprintf \ snprintf \
@ -10840,12 +10845,12 @@ for ac_func in \
do do
echo $ac_n "checking for $ac_func""... $ac_c" 1>&6 echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
echo "configure:10844: checking for $ac_func" >&5 echo "configure:10849: checking for $ac_func" >&5
if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6 echo $ac_n "(cached) $ac_c" 1>&6
else else
cat > conftest.$ac_ext <<EOF cat > conftest.$ac_ext <<EOF
#line 10849 "configure" #line 10854 "configure"
#include "confdefs.h" #include "confdefs.h"
/* System header to define __stub macros and hopefully few prototypes, /* System header to define __stub macros and hopefully few prototypes,
which can conflict with char $ac_func(); below. */ which can conflict with char $ac_func(); below. */
@ -10868,7 +10873,7 @@ $ac_func();
; return 0; } ; return 0; }
EOF EOF
if { (eval echo configure:10872: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then if { (eval echo configure:10877: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest* rm -rf conftest*
eval "ac_cv_func_$ac_func=yes" eval "ac_cv_func_$ac_func=yes"
else else
@ -10896,12 +10901,12 @@ done
for ac_func in getopt tempnam for ac_func in getopt tempnam
do do
echo $ac_n "checking for $ac_func""... $ac_c" 1>&6 echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
echo "configure:10900: checking for $ac_func" >&5 echo "configure:10905: checking for $ac_func" >&5
if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6 echo $ac_n "(cached) $ac_c" 1>&6
else else
cat > conftest.$ac_ext <<EOF cat > conftest.$ac_ext <<EOF
#line 10905 "configure" #line 10910 "configure"
#include "confdefs.h" #include "confdefs.h"
/* System header to define __stub macros and hopefully few prototypes, /* System header to define __stub macros and hopefully few prototypes,
which can conflict with char $ac_func(); below. */ which can conflict with char $ac_func(); below. */
@ -10924,7 +10929,7 @@ $ac_func();
; return 0; } ; return 0; }
EOF EOF
if { (eval echo configure:10928: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then if { (eval echo configure:10933: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest* rm -rf conftest*
eval "ac_cv_func_$ac_func=yes" eval "ac_cv_func_$ac_func=yes"
else else
@ -10954,13 +10959,13 @@ done
# Check Configuration # Check Configuration
echo $ac_n "checking declaration of sys_errlist""... $ac_c" 1>&6 echo $ac_n "checking declaration of sys_errlist""... $ac_c" 1>&6
echo "configure:10958: checking declaration of sys_errlist" >&5 echo "configure:10963: checking declaration of sys_errlist" >&5
if eval "test \"`echo '$''{'ol_cv_dcl_sys_errlist'+set}'`\" = set"; then if eval "test \"`echo '$''{'ol_cv_dcl_sys_errlist'+set}'`\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6 echo $ac_n "(cached) $ac_c" 1>&6
else else
cat > conftest.$ac_ext <<EOF cat > conftest.$ac_ext <<EOF
#line 10964 "configure" #line 10969 "configure"
#include "confdefs.h" #include "confdefs.h"
#include <stdio.h> #include <stdio.h>
@ -10970,7 +10975,7 @@ int main() {
char *c = (char *) *sys_errlist char *c = (char *) *sys_errlist
; return 0; } ; return 0; }
EOF EOF
if { (eval echo configure:10974: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then if { (eval echo configure:10979: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
rm -rf conftest* rm -rf conftest*
ol_cv_dcl_sys_errlist=yes ol_cv_dcl_sys_errlist=yes
else else
@ -10990,20 +10995,20 @@ if test $ol_cv_dcl_sys_errlist = no ; then
EOF EOF
echo $ac_n "checking existence of sys_errlist""... $ac_c" 1>&6 echo $ac_n "checking existence of sys_errlist""... $ac_c" 1>&6
echo "configure:10994: checking existence of sys_errlist" >&5 echo "configure:10999: checking existence of sys_errlist" >&5
if eval "test \"`echo '$''{'ol_cv_have_sys_errlist'+set}'`\" = set"; then if eval "test \"`echo '$''{'ol_cv_have_sys_errlist'+set}'`\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6 echo $ac_n "(cached) $ac_c" 1>&6
else else
cat > conftest.$ac_ext <<EOF cat > conftest.$ac_ext <<EOF
#line 11000 "configure" #line 11005 "configure"
#include "confdefs.h" #include "confdefs.h"
#include <errno.h> #include <errno.h>
int main() { int main() {
char *c = (char *) *sys_errlist char *c = (char *) *sys_errlist
; return 0; } ; return 0; }
EOF EOF
if { (eval echo configure:11007: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then if { (eval echo configure:11012: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest* rm -rf conftest*
ol_cv_have_sys_errlist=yes ol_cv_have_sys_errlist=yes
else else
@ -11027,13 +11032,13 @@ fi
echo $ac_n "checking strdup declaration""... $ac_c" 1>&6 echo $ac_n "checking strdup declaration""... $ac_c" 1>&6
echo "configure:11031: checking strdup declaration" >&5 echo "configure:11036: checking strdup declaration" >&5
if eval "test \"`echo '$''{'ol_cv_dcl_strdup'+set}'`\" = set"; then if eval "test \"`echo '$''{'ol_cv_dcl_strdup'+set}'`\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6 echo $ac_n "(cached) $ac_c" 1>&6
else else
cat > conftest.$ac_ext <<EOF cat > conftest.$ac_ext <<EOF
#line 11037 "configure" #line 11042 "configure"
#include "confdefs.h" #include "confdefs.h"
#include <string.h> #include <string.h>
@ -11041,7 +11046,7 @@ int main() {
extern char *strdup(); extern char *strdup();
; return 0; } ; return 0; }
EOF EOF
if { (eval echo configure:11045: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then if { (eval echo configure:11050: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
rm -rf conftest* rm -rf conftest*
ol_cv_dcl_strdup=yes ol_cv_dcl_strdup=yes
else else


@ -1541,12 +1541,13 @@ AC_CHECK_FUNCS( \
endgrent \ endgrent \
endpwent \ endpwent \
flock \ flock \
getdtablesize \ getdtablesize \
getgrgid \ getgrgid \
gethostname \ gethostname \
getpass \ getpass \
getpwuid \ getpwuid \
gettimeofday \ gettimeofday \
initgroups \
lockf \ lockf \
memcpy \ memcpy \
memmove \ memmove \
@ -1554,7 +1555,11 @@ AC_CHECK_FUNCS( \
recv \ recv \
recvfrom \ recvfrom \
setpwfile \ setpwfile \
setgid \
setegid \
setsid \ setsid \
setuid \
seteuid \
signal \ signal \
sigset \ sigset \
snprintf \ snprintf \


@ -5,7 +5,7 @@ slapd \- Stand-alone LDAP Daemon
.B LIBEXECDIR/slapd [\-d debug\-level] .B LIBEXECDIR/slapd [\-d debug\-level]
.B [\-f slapd\-config\-file] [\-a address] [\-p port\-number] .B [\-f slapd\-config\-file] [\-a address] [\-p port\-number]
.B [\-s syslog\-level] [\-l syslog\-local\-user] [\-i] .B [\-s syslog\-level] [\-l syslog\-local\-user] [\-i]
.B [\-U user] [\-G group] .B [\-u user] [\-g group]
.B .B
.SH DESCRIPTION .SH DESCRIPTION
.LP .LP
@ -99,14 +99,14 @@ Internet standard '.' format.
will listen on the default LDAP port (389) unless this option is given will listen on the default LDAP port (389) unless this option is given
to override the default. A numeric port number is expected. to override the default. A numeric port number is expected.
.TP .TP
.BI \-U " user" .BI \-u " user"
.B slapd .B slapd
will run slapd with the specified user name or id, and that user's will run slapd with the specified user name or id, and that user's
supplementary group access list as set with initgroups(3). The group ID supplementary group access list as set with initgroups(3). The group ID
is also changed to this user's gid, unless the -G option is used to is also changed to this user's gid, unless the -g option is used to
override. override.
.TP .TP
.BI \-G " group" .BI \-g " group"
.B slapd .B slapd
will run with the specified group name or id. will run with the specified group name or id.
.TP .TP


@ -261,6 +261,9 @@
/* Define if you have the gettimeofday function. */ /* Define if you have the gettimeofday function. */
#undef HAVE_GETTIMEOFDAY #undef HAVE_GETTIMEOFDAY
/* Define if you have the initgroups function. */
#undef HAVE_INITGROUPS
/* Define if you have the lockf function. */ /* Define if you have the lockf function. */
#undef HAVE_LOCKF #undef HAVE_LOCKF
@ -297,12 +300,24 @@
/* Define if you have the sched_yield function. */ /* Define if you have the sched_yield function. */
#undef HAVE_SCHED_YIELD #undef HAVE_SCHED_YIELD
/* Define if you have the setegid function. */
#undef HAVE_SETEGID
/* Define if you have the seteuid function. */
#undef HAVE_SETEUID
/* Define if you have the setgid function. */
#undef HAVE_SETGID
/* Define if you have the setpwfile function. */ /* Define if you have the setpwfile function. */
#undef HAVE_SETPWFILE #undef HAVE_SETPWFILE
/* Define if you have the setsid function. */ /* Define if you have the setsid function. */
#undef HAVE_SETSID #undef HAVE_SETSID
/* Define if you have the setuid function. */
#undef HAVE_SETUID
/* Define if you have the signal function. */ /* Define if you have the signal function. */
#undef HAVE_SIGNAL #undef HAVE_SIGNAL


@ -57,15 +57,18 @@ static void
usage( char *name ) usage( char *name )
{ {
fprintf( stderr, "usage: %s [-d ?|debuglevel] [-f configfile] [-p portnumber] [-s sysloglevel]", name ); fprintf( stderr, "usage: %s [-d ?|debuglevel] [-f configfile] [-p portnumber] [-s sysloglevel]", name );
fprintf( stderr, "\n [-a bind-address] [-i] [-u]" ); fprintf( stderr, "\n [-a bind-address] [-i]" );
#if LDAP_CONNECTIONLESS
fprintf( stderr, " [-c]" );
#endif
#ifdef SLAPD_BDB2 #ifdef SLAPD_BDB2
fprintf( stderr, " [-t]" ); fprintf( stderr, " [-t]" );
#endif #endif
#ifdef LOG_LOCAL4 #ifdef LOG_LOCAL4
fprintf( stderr, " [-l sysloguser]" ); fprintf( stderr, " [-l sysloguser]" );
#endif #endif
#if defined(HAVE_PWD_H) && defined(HAVE_GRP_H) #if defined(HAVE_SETUID) && defined(HAVE_SETGID)
fprintf( stderr, " [-U user] [-G group]" ); fprintf( stderr, " [-u user] [-g group]" );
#endif #endif
fprintf( stderr, "\n" ); fprintf( stderr, "\n" );
} }
@ -84,7 +87,7 @@ main( int argc, char **argv )
#ifdef LOG_LOCAL4 #ifdef LOG_LOCAL4
int syslogUser = DEFAULT_SYSLOG_USER; int syslogUser = DEFAULT_SYSLOG_USER;
#endif #endif
#if defined(HAVE_PWD_H) && defined(HAVE_GRP_H) #if defined(HAVE_SETUID) && defined(HAVE_SETGID)
char *username = NULL, *groupname = NULL; char *username = NULL, *groupname = NULL;
#endif #endif
char *configfile; char *configfile;
@ -102,15 +105,15 @@ main( int argc, char **argv )
g_argv = argv; g_argv = argv;
while ( (i = getopt( argc, argv, while ( (i = getopt( argc, argv,
"d:f:ia:p:s:u" "d:f:ia:p:s:c"
#ifdef LOG_LOCAL4 #ifdef LOG_LOCAL4
"l:" "l:"
#endif #endif
#ifdef SLAPD_BDB2 #ifdef SLAPD_BDB2
"t" "t"
#endif #endif
#if defined(HAVE_PWD_H) && defined(HAVE_GRP_H) #if defined(HAVE_SETUID) && defined(HAVE_SETGID)
"U:G:" "u:g:"
#endif #endif
)) != EOF ) { )) != EOF ) {
switch ( i ) { switch ( i ) {
@ -195,9 +198,11 @@ main( int argc, char **argv )
break; break;
#endif #endif
case 'u': /* do udp */ #ifdef LDAP_CONNECTIONLESS
case 'c': /* do connectionless (udp) */
udp = 1; udp = 1;
break; break;
#endif
#ifdef SLAPD_BDB2 #ifdef SLAPD_BDB2
case 't': /* timed server */ case 't': /* timed server */
@ -205,15 +210,17 @@ main( int argc, char **argv )
break; break;
#endif #endif
#if defined(HAVE_PWD_H) && defined(HAVE_GRP_H) #if defined(HAVE_SETUID) && defined(HAVE_GETUID)
case 'U': /* user name */ case 'u': /* user name */
if( username ) free(username);
username = ch_strdup( optarg ); username = ch_strdup( optarg );
break; break;
case 'G': /* group name */ case 'g': /* group name */
if( groupname ) free(groupname);
groupname = ch_strdup( optarg ); groupname = ch_strdup( optarg );
break; break;
#endif /* HAVE_PWD_H && HAVE_GRP_H */ #endif /* SETUID && GETUID */
default: default:
usage( argv[0] ); usage( argv[0] );
@ -241,7 +248,7 @@ main( int argc, char **argv )
tcps = set_socket( inetd ? NULL : &bind_addr ); tcps = set_socket( inetd ? NULL : &bind_addr );
#if defined(HAVE_PWD_H) && defined(HAVE_GRP_H) #if defined(HAVE_SETUID) && defined(HAVE_SETGID)
if ( username != NULL || groupname != NULL ) if ( username != NULL || groupname != NULL )
slap_init_user( username, groupname ); slap_init_user( username, groupname );
#endif #endif
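Review bot: The option handlers at the `case 'u'`/`case 'g'` lines are guarded by `#if defined(HAVE_SETUID) && defined(HAVE_GETUID)` (with the matching `#endif /* SETUID && GETUID */`), while the `username`/`groupname` declarations, the `"u:g:"` getopt string, the usage text and the `slap_init_user` call all test `HAVE_SETGID`, and configure.in in this commit checks setuid/setgid but not getuid. Unless HAVE_GETUID is defined somewhere not visible here, the two cases are compiled out while getopt still accepts `-u`/`-g`, so both options fall into `default:`, print usage and exit, and the privilege drop can never be configured. The guard should read `#if defined(HAVE_SETUID) && defined(HAVE_SETGID)` with the closing comment `#endif /* HAVE_SETUID && HAVE_SETGID */`. A smaller inconsistency: usage() prints `[-c]` under `#if LDAP_CONNECTIONLESS` whereas the handler uses `#ifdef LDAP_CONNECTIONLESS`; use one form so an empty definition does not break the preprocessor. main() starts before and continues after these hunks.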


@ -11,12 +11,17 @@
#include "portable.h" #include "portable.h"
#if defined(HAVE_PWD_H) && defined(HAVE_GRP_H) #if defined(HAVE_SETUID) && defined(HAVE_SETGID)
#include <stdio.h> #include <stdio.h>
#include <stdlib.h> #include <stdlib.h>
#ifdef HAVE_PWD_H
#include <pwd.h> #include <pwd.h>
#endif
#ifdef HAVE_GRP_H
#include <grp.h> #include <grp.h>
#endif
#include <ac/ctype.h> #include <ac/ctype.h>
#include <ac/unistd.h> #include <ac/unistd.h>
@ -31,7 +36,7 @@
void void
slap_init_user( char *user, char *group ) slap_init_user( char *user, char *group )
{ {
uid_t uid = (gid_t) -1; uid_t uid = (uid_t) -1;
gid_t gid = (gid_t) -1; gid_t gid = (gid_t) -1;
if ( user ) { if ( user ) {
@ -104,11 +109,13 @@ slap_init_user( char *user, char *group )
gid, 0, 0 ); gid, 0, 0 );
exit( 1 ); exit( 1 );
} }
#ifdef HAVE_SETEGID
if ( setegid( gid ) != 0 ) { if ( setegid( gid ) != 0 ) {
Debug( LDAP_DEBUG_ANY, "Could not set effective group id to %d\n", Debug( LDAP_DEBUG_ANY, "Could not set effective group id to %d\n",
gid, 0, 0 ); gid, 0, 0 );
exit( 1 ); exit( 1 );
} }
#endif
} }
if ( uid >= 0 ) { if ( uid >= 0 ) {
@ -117,11 +124,13 @@ slap_init_user( char *user, char *group )
uid, 0, 0 ); uid, 0, 0 );
exit( 1 ); exit( 1 );
} }
#ifdef HAVE_SETEUID
if ( seteuid( uid ) != 0 ) { if ( seteuid( uid ) != 0 ) {
Debug( LDAP_DEBUG_ANY, "Could not set real user id to %d\n", Debug( LDAP_DEBUG_ANY, "Could not set real user id to %d\n",
uid, 0, 0 ); uid, 0, 0 );
exit( 1 ); exit( 1 );
} }
#endif
} }
} }
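Review bot: The `if ( uid >= 0 )` test that guards the uid hunk cannot detect the unset sentinel: `uid` is now correctly initialised to `(uid_t) -1`, but uid_t is an unsigned type on most platforms, so the comparison is always true and running with only `-g` would still reach the setuid()/seteuid() calls with the sentinel value and fail at that point. Compare against the sentinel explicitly, `if ( uid != (uid_t) -1 ) {`, and check whether the gid branch (its test is outside the hunk) uses the same `>= 0` form. Separately, the diagnostic inside the new `#ifdef HAVE_SETEUID` block says `"Could not set real user id to %d\n"` although the call is seteuid(); it should read `"Could not set effective user id to %d\n"`, matching the setegid message above. The body of slap_init_user between the second and third hunks is not in view.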