upstream/openldap
1
0
Fork 0
mirror of https://git.openldap.org/openldap/openldap.git synced 2025-12-22 15:49:34 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

Add -U and -G options to set user and group id.

Browse source 
Move socket setup to set_socket(), called before the uid/gid change.
This commit is contained in:
Hallvard Furuseth 1999-04-03 03:19:07 +00:00
parent e46877f89f
commit 9ebd9a0289
9 changed files with 232 additions and 24 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
configure vendored
View file

@ -8945,6 +8945,7 @@ for ac_hdr in \
fcntl.h \ fcntl.h \
filio.h \ filio.h \
getopt.h \ getopt.h \
grp.h \
libutil.h \ libutil.h \
limits.h \ limits.h \
locale.h \ locale.h \
@ -10274,8 +10275,11 @@ fi
for ac_func in \ for ac_func in \
bcopy \ bcopy \
endgrent \
endpwent \
flock \ flock \
getdtablesize \ getdtablesize \
getgrgid \
gethostname \ gethostname \
getpass \ getpass \
getpwuid \ getpwuid \

4
configure.in
View file

@ -1634,6 +1634,7 @@ AC_CHECK_HEADERS( \
fcntl.h \ fcntl.h \
filio.h \ filio.h \
getopt.h \ getopt.h \
grp.h \
libutil.h \ libutil.h \
limits.h \ limits.h \
locale.h \ locale.h \
@ -1707,8 +1708,11 @@ fi
AC_CHECK_FUNCS( \ AC_CHECK_FUNCS( \
bcopy \ bcopy \
endgrent \
endpwent \
flock \ flock \
getdtablesize \ getdtablesize \
getgrgid \
gethostname \ gethostname \
getpass \ getpass \
getpwuid \ getpwuid \

18
doc/man/man8/slapd.8
View file

@ -1,10 +1,11 @@
.TH SLAPD 8C "20 January 1999" "OpenLDAP LDVERSION" .TH SLAPD 8C "3 April 1999" "OpenLDAP LDVERSION"
.SH NAME .SH NAME
slapd \- Stand-alone LDAP Daemon slapd \- Stand-alone LDAP Daemon
.SH SYNOPSIS .SH SYNOPSIS
.B LIBEXECDIR/slapd [\-d debug\-level] .B LIBEXECDIR/slapd [\-d debug\-level]
.B [\-f slapd\-config\-file] [\-a address] [\-p port\-number] .B [\-f slapd\-config\-file] [\-a address] [\-p port\-number]
.B [\-s syslog\-level] [\-l syslog\-local\-user] [\-i] .B [\-s syslog\-level] [\-l syslog\-local\-user] [\-i]
.B [\-U user] [\-G group]
.B .B
.SH DESCRIPTION .SH DESCRIPTION
.LP .LP
@ -98,12 +99,27 @@ Internet standard '.' format.
will listen on the default LDAP port (389) unless this option is given will listen on the default LDAP port (389) unless this option is given
to override the default. A numeric port number is expected. to override the default. A numeric port number is expected.
.TP .TP
.BI \-U " user"
.B slapd
will run slapd with the specified user name or id, and that user's
supplementary group access list as set with initgroups(3). The group ID
is also changed to this user's gid, unless the -G option is used to
override.
.TP
.BI \-G " group"
.B slapd
will run with the specified group name or id.
.TP
.B \-i .B \-i
This option tells This option tells
.B slapd .B slapd
that it is being run from that it is being run from
.BR inetd(8) , .BR inetd(8) ,
the Internet protocol daemon. the Internet protocol daemon.
.LP
Note that on some systems, running as a non-privileged user will prevent
passwd back-ends from accessing the encrypted passwords. Note also that
any shell back-ends will run as the specified non-privileged user.
.SH EXAMPLES .SH EXAMPLES
To start To start
.I slapd .I slapd

12
include/portable.h.in
View file

@ -213,12 +213,21 @@
/* Define if you have the ctime_r function. */ /* Define if you have the ctime_r function. */
#undef HAVE_CTIME_R #undef HAVE_CTIME_R
/* Define if you have the endgrent function. */
#undef HAVE_ENDGRENT
/* Define if you have the endpwent function. */
#undef HAVE_ENDPWENT
/* Define if you have the flock function. */ /* Define if you have the flock function. */
#undef HAVE_FLOCK #undef HAVE_FLOCK
/* Define if you have the getdtablesize function. */ /* Define if you have the getdtablesize function. */
#undef HAVE_GETDTABLESIZE #undef HAVE_GETDTABLESIZE
/* Define if you have the getgrgid function. */
#undef HAVE_GETGRGID
/* Define if you have the gethostbyaddr_r function. */ /* Define if you have the gethostbyaddr_r function. */
#undef HAVE_GETHOSTBYADDR_R #undef HAVE_GETHOSTBYADDR_R
@ -240,6 +249,9 @@
/* Define if you have the gettimeofday function. */ /* Define if you have the gettimeofday function. */
#undef HAVE_GETTIMEOFDAY #undef HAVE_GETTIMEOFDAY
/* Define if you have the <grp.h> header file. */
#undef HAVE_GRP_H
/* Define if you have the lockf function. */ /* Define if you have the lockf function. */
#undef HAVE_LOCKF #undef HAVE_LOCKF

4
servers/slapd/Makefile.in
View file

@ -8,14 +8,14 @@ SRCS = main.c daemon.c connection.c search.c filter.c add.c charray.c \
attr.c entry.c config.c backend.c result.c operation.c \ attr.c entry.c config.c backend.c result.c operation.c \
dn.c compare.c modify.c delete.c modrdn.c ch_malloc.c \ dn.c compare.c modify.c delete.c modrdn.c ch_malloc.c \
value.c ava.c bind.c unbind.c abandon.c filterentry.c \ value.c ava.c bind.c unbind.c abandon.c filterentry.c \
phonetic.c acl.c str2filter.c aclparse.c init.c \ phonetic.c acl.c str2filter.c aclparse.c init.c user.c \
repl.c lock.c \ repl.c lock.c \
suffixalias.c schema.c schemaparse.c monitor.c configinfo.c suffixalias.c schema.c schemaparse.c monitor.c configinfo.c
OBJS = main.o daemon.o connection.o search.o filter.o add.o charray.o \ OBJS = main.o daemon.o connection.o search.o filter.o add.o charray.o \
attr.o entry.o config.o backend.o result.o operation.o \ attr.o entry.o config.o backend.o result.o operation.o \
dn.o compare.o modify.o delete.o modrdn.o ch_malloc.o \ dn.o compare.o modify.o delete.o modrdn.o ch_malloc.o \
value.o ava.o bind.o unbind.o abandon.o filterentry.o \ value.o ava.o bind.o unbind.o abandon.o filterentry.o \
phonetic.o acl.o str2filter.o aclparse.o init.o \ phonetic.o acl.o str2filter.o aclparse.o init.o user.o \
repl.o lock.o \ repl.o lock.o \
suffixalias.o schema.o schemaparse.o monitor.o configinfo.o suffixalias.o schema.o schemaparse.o monitor.o configinfo.o

40
servers/slapd/daemon.c
View file

@ -146,12 +146,9 @@ static void slapd_close(int s) {
tcp_close(s); tcp_close(s);
} }
static void * int
slapd_daemon_task( set_socket( struct sockaddr_in *addr )
void *ptr
)
{ {
struct sockaddr_in *addr = ptr;
int tcps = -1; int tcps = -1;
#ifdef HAVE_SYSCONF #ifdef HAVE_SYSCONF
@ -177,12 +174,6 @@ slapd_daemon_task(
} }
#endif #endif
connections_init();
ldap_pvt_thread_mutex_init( &slap_daemon.sd_mutex );
FD_ZERO( &slap_daemon.sd_readers );
FD_ZERO( &slap_daemon.sd_writers );
if( addr != NULL ) { if( addr != NULL ) {
int tmp; int tmp;
@ -223,7 +214,27 @@ slapd_daemon_task(
? sys_errlist[errno] : "unknown" ); ? sys_errlist[errno] : "unknown" );
exit( 1 ); exit( 1 );
} }
}
return tcps;
}
static void *
slapd_daemon_task(
void *ptr
)
{
int inetd = ((int *)ptr) [0];
int tcps = ((int *)ptr) [1];
free( ptr );
connections_init();
ldap_pvt_thread_mutex_init( &slap_daemon.sd_mutex );
FD_ZERO( &slap_daemon.sd_readers );
FD_ZERO( &slap_daemon.sd_writers );
if( !inetd ) {
if ( listen( tcps, 5 ) == -1 ) { if ( listen( tcps, 5 ) == -1 ) {
Debug( LDAP_DEBUG_ANY, Debug( LDAP_DEBUG_ANY,
"daemon: listen(%d, 5) failed errno %d (%s)\n", "daemon: listen(%d, 5) failed errno %d (%s)\n",
@ -569,12 +580,15 @@ slapd_daemon_task(
return NULL; return NULL;
} }
int slapd_daemon( struct sockaddr_in *addr ) int slapd_daemon( int inetd, int tcps )
{ {
int status; int status;
int *args = ch_malloc( sizeof( int[2] ) );
args[0] = inetd;
args[1] = tcps;
status = ldap_pvt_thread_create( &listener_tid, 0, status = ldap_pvt_thread_create( &listener_tid, 0,
slapd_daemon_task, addr ); slapd_daemon_task, args );
if ( status != 0 ) { if ( status != 0 ) {
Debug( LDAP_DEBUG_ANY, Debug( LDAP_DEBUG_ANY,

36
servers/slapd/main.c
View file

@ -63,6 +63,9 @@ usage( char *name )
#endif #endif
#ifdef LOG_LOCAL4 #ifdef LOG_LOCAL4
fprintf( stderr, " [-l sysloguser]" ); fprintf( stderr, " [-l sysloguser]" );
#endif
#if defined(HAVE_PWD_H) && defined(HAVE_GRP_H)
fprintf( stderr, " [-U user] [-G group]" );
#endif #endif
fprintf( stderr, "\n" ); fprintf( stderr, "\n" );
} }
@ -75,10 +78,14 @@ main( int argc, char **argv )
int i; int i;
int inetd = 0; int inetd = 0;
int rc; int rc;
struct sockaddr_in bind_addr, *slapd_addr; struct sockaddr_in bind_addr;
int tcps;
int udp; int udp;
#ifdef LOG_LOCAL4 #ifdef LOG_LOCAL4
int syslogUser = DEFAULT_SYSLOG_USER; int syslogUser = DEFAULT_SYSLOG_USER;
#endif
#if defined(HAVE_PWD_H) && defined(HAVE_GRP_H)
char *username = NULL, *groupname = NULL;
#endif #endif
char *configfile; char *configfile;
char *serverName; char *serverName;
@ -101,6 +108,9 @@ main( int argc, char **argv )
#endif #endif
#ifdef SLAPD_BDB2 #ifdef SLAPD_BDB2
"t" "t"
#endif
#if defined(HAVE_PWD_H) && defined(HAVE_GRP_H)
"U:G:"
#endif #endif
)) != EOF ) { )) != EOF ) {
switch ( i ) { switch ( i ) {
@ -195,6 +205,16 @@ main( int argc, char **argv )
break; break;
#endif #endif
#if defined(HAVE_PWD_H) && defined(HAVE_GRP_H)
case 'U': /* user name */
username = ch_strdup( optarg );
break;
case 'G': /* group name */
groupname = ch_strdup( optarg );
break;
#endif /* HAVE_PWD_H && HAVE_GRP_H */
default: default:
usage( argv[0] ); usage( argv[0] );
exit( 1 ); exit( 1 );
@ -219,6 +239,13 @@ main( int argc, char **argv )
openlog( serverName, OPENLOG_OPTIONS ); openlog( serverName, OPENLOG_OPTIONS );
#endif #endif
tcps = set_socket( inetd ? NULL : &bind_addr );
#if defined(HAVE_PWD_H) && defined(HAVE_GRP_H)
if ( username != NULL || groupname != NULL )
slap_init_user( username, groupname );
#endif
if ( slap_init( serverMode, serverName ) != 0 ) { if ( slap_init( serverMode, serverName ) != 0 ) {
rc = 1; rc = 1;
goto destroy; goto destroy;
@ -261,8 +288,6 @@ main( int argc, char **argv )
if(!inetd) { if(!inetd) {
FILE *fp; FILE *fp;
slapd_addr = &bind_addr;
Debug( LDAP_DEBUG_ANY, "slapd starting\n", 0, 0, 0 ); Debug( LDAP_DEBUG_ANY, "slapd starting\n", 0, 0, 0 );
if (( slapd_pid_file != NULL ) && if (( slapd_pid_file != NULL ) &&
@ -281,14 +306,11 @@ main( int argc, char **argv )
fprintf( fp, "\n" ); fprintf( fp, "\n" );
fclose( fp ); fclose( fp );
} }
} else {
slapd_addr = NULL;
} }
time( &starttime ); time( &starttime );
rc = slapd_daemon( slapd_addr ); rc = slapd_daemon( inetd, tcps );
shutdown: shutdown:
/* remember an error during shutdown */ /* remember an error during shutdown */

10
servers/slapd/proto-slap.h
View file

@ -256,6 +256,13 @@ int value_find LDAP_P(( struct berval **vals, struct berval *v, int syntax,
*/ */
char *suffixAlias LDAP_P(( char *dn, Operation *op, Backend *be )); char *suffixAlias LDAP_P(( char *dn, Operation *op, Backend *be ));
/*
* user.c
*/
#if defined(HAVE_PWD_H) && defined(HAVE_GRP_H)
void slap_init_user LDAP_P(( char *username, char *groupname ));
#endif
/* /*
* Other... * Other...
*/ */
@ -308,7 +315,8 @@ extern int slap_shutdown LDAP_P((int dbnum));
extern int slap_destroy LDAP_P((void)); extern int slap_destroy LDAP_P((void));
struct sockaddr_in; struct sockaddr_in;
extern int slapd_daemon LDAP_P((struct sockaddr_in *addr)); extern int set_socket LDAP_P((struct sockaddr_in *addr));
extern int slapd_daemon LDAP_P((int inetd, int tcps));
extern void slapd_set_write LDAP_P((int s, int wake)); extern void slapd_set_write LDAP_P((int s, int wake));
extern void slapd_clr_write LDAP_P((int s, int wake)); extern void slapd_clr_write LDAP_P((int s, int wake));

128
servers/slapd/user.c Normal file
View file

@ -0,0 +1,128 @@
/* user.c - set user id, group id and group access list
*
* Copyright 1999 by PM Lashley and The OpenLDAP Foundation.
* All rights reserved.
*
* Redistribution and use in source and binary forms are permitted only
* as authorized by the OpenLDAP Public License. A copy of this
* license is available at http://www.OpenLDAP.org/license.html or
* in file LICENSE in the top-level directory of the distribution.
*/
#include "portable.h"
#if defined(HAVE_PWD_H) && defined(HAVE_GRP_H)
#include <stdio.h>
#include <stdlib.h>
#include <pwd.h>
#include <grp.h>
#include <ac/ctype.h>
#include <ac/unistd.h>
#include "slap.h"
/*
* Set real and effective user id and group id, and group access list
*/
void
slap_init_user( char *user, char *group )
{
uid_t uid = (gid_t) -1;
gid_t gid = (gid_t) -1;
if ( user ) {
struct passwd *pwd;
if ( isdigit( (unsigned char) *user )) {
uid = atoi( user );
#ifdef HAVE_GETPWUID
pwd = getpwuid( uid );
goto did_getpw;
#endif
} else {
pwd = getpwnam( user );
did_getpw:
if ( pwd == NULL ) {
Debug( LDAP_DEBUG_ANY, "No passwd entry for user %s\n",
user, 0, 0 );
exit( 1 );
}
if ( uid >= 0 ) {
free( user );
user = (pwd != NULL ? ch_strdup( pwd->pw_name ) : NULL);
} else {
uid = pwd->pw_uid;
}
gid = pwd->pw_gid;
#ifdef HAVE_ENDPWENT
endpwent();
#endif
}
}
if ( group ) {
struct group *grp;
if ( isdigit( (unsigned char) *group )) {
gid = atoi( group );
#ifdef HAVE_GETGRGID
grp = getgrgid( gid );
goto did_group;
#endif
} else {
grp = getgrnam( group );
if ( grp != NULL )
gid = grp->gr_gid;
did_group:
if ( grp == NULL ) {
Debug( LDAP_DEBUG_ANY, "No group entry for group %s\n",
group, 0, 0 );
exit( 1 );
}
}
free( group );
}
if ( user ) {
if ( getuid() == 0 && initgroups( user, gid ) != 0 ) {
Debug( LDAP_DEBUG_ANY,
"Could not set the group access (gid) list\n", 0, 0, 0 );
exit( 1 );
}
free( user );
}
#ifdef HAVE_ENDGRENT
endgrent();
#endif
if ( gid >= 0 ) {
if ( setgid( gid ) != 0 ) {
Debug( LDAP_DEBUG_ANY, "Could not set real group id to %d\n",
gid, 0, 0 );
exit( 1 );
}
if ( setegid( gid ) != 0 ) {
Debug( LDAP_DEBUG_ANY, "Could not set effective group id to %d\n",
gid, 0, 0 );
exit( 1 );
}
}
if ( uid >= 0 ) {
if ( setuid( uid ) != 0 ) {
Debug( LDAP_DEBUG_ANY, "Could not set effective user id to %d\n",
uid, 0, 0 );
exit( 1 );
}
if ( seteuid( uid ) != 0 ) {
Debug( LDAP_DEBUG_ANY, "Could not set real user id to %d\n",
uid, 0, 0 );
exit( 1 );
}
}
}
#endif /* HAVE_PWD_H && HAVE_GRP_H */