diff --git a/config.h.in b/config.h.in index 268ce1917..f3b24a448 100644 --- a/config.h.in +++ b/config.h.in @@ -136,6 +136,18 @@ /* Define to 1 if you have the `sendmsg' function. */ #undef HAVE_SENDMSG +/* Define to 1 if you have the `setregid' function. */ +#undef HAVE_SETREGID + +/* Define to 1 if you have the `setresgid' function. */ +#undef HAVE_SETRESGID + +/* Define to 1 if you have the `setresuid' function. */ +#undef HAVE_SETRESUID + +/* Define to 1 if you have the `setreuid' function. */ +#undef HAVE_SETREUID + /* Define to 1 if you have the `setsid' function. */ #undef HAVE_SETSID diff --git a/configure b/configure index e1f1971bb..c6cdeaf2e 100755 --- a/configure +++ b/configure @@ -24000,13 +24000,11 @@ _ACEOF cat confdefs.h >>conftest.$ac_ext cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ -#include /* for off_t */ - #include +#include int main () { -int (*fp) (FILE *, off_t, int) = fseeko; - return fseeko (stdin, 0, 0) && fp (stdin, 0, 0); +return fseeko (stdin, 0, 0) && (fseeko) (stdin, 0, 0); ; return 0; } @@ -24046,13 +24044,11 @@ cat confdefs.h >>conftest.$ac_ext cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ #define _LARGEFILE_SOURCE 1 -#include /* for off_t */ - #include +#include int main () { -int (*fp) (FILE *, off_t, int) = fseeko; - return fseeko (stdin, 0, 0) && fp (stdin, 0, 0); +return fseeko (stdin, 0, 0) && (fseeko) (stdin, 0, 0); ; return 0; } @@ -24666,7 +24662,11 @@ fi -for ac_func in tzset sigprocmask fcntl getpwnam getrlimit setsid sbrk chroot kill sleep usleep random srandom recvmsg sendmsg writev + + + + +for ac_func in tzset sigprocmask fcntl getpwnam getrlimit setsid sbrk chroot kill sleep usleep random srandom recvmsg sendmsg writev setresuid setreuid setresgid setregid do as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh` { echo "$as_me:$LINENO: checking for $ac_func" >&5 diff --git a/configure.ac b/configure.ac index 6fd28978e..676c96cf6 100644 --- a/configure.ac +++ b/configure.ac 
@@ -781,7 +781,7 @@ AC_CHECK_GETADDRINFO_WITH_INCLUDES if test $ac_cv_func_getaddrinfo = no; then AC_LIBOBJ([fake-rfc2553]) fi -AC_CHECK_FUNCS([tzset sigprocmask fcntl getpwnam getrlimit setsid sbrk chroot kill sleep usleep random srandom recvmsg sendmsg writev]) +AC_CHECK_FUNCS([tzset sigprocmask fcntl getpwnam getrlimit setsid sbrk chroot kill sleep usleep random srandom recvmsg sendmsg writev setresuid setreuid setresgid setregid]) # check mkdir AC_MSG_CHECKING([whether mkdir has one arg]) diff --git a/daemon/unbound.c b/daemon/unbound.c index 8720a7261..d8eef1d8a 100644 --- a/daemon/unbound.c +++ b/daemon/unbound.c @@ -374,10 +374,22 @@ do_chroot(struct daemon* daemon, struct config_file* cfg, int debug_mode, } #ifdef HAVE_GETPWNAM if(cfg->username && cfg->username[0]) { +#ifdef HAVE_SETRESGID + if(setresgid(gid,gid,gid) != 0) +#elif defined(HAVE_SETREGID) + if(setregid(gid,gid) != 0) +#else /* use setgid */ if(setgid(gid) != 0) +#endif /* HAVE_SETRESGID */ fatal_exit("unable to set group id of %s: %s", cfg->username, strerror(errno)); +#ifdef HAVE_SETRESUID + if(setresuid(uid,uid,uid) != 0) +#elif defined(HAVE_SETREUID) + if(setreuid(uid,uid) != 0) +#else /* use setuid */ if(setuid(uid) != 0) +#endif /* HAVE_SETRESUID */ fatal_exit("unable to set user id of %s: %s", cfg->username, strerror(errno)); verbose(VERB_QUERY, "drop user privileges, run as %s", diff --git a/doc/Changelog b/doc/Changelog index 4f866d612..e6aeb864e 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -4,6 +4,7 @@ - test for DLV used for a zone below a trustanchor. - added scrub filter for overreaching NSEC records and unit test. - iana portlist update + - use of setresuid or setreuid when available. 25 August 2008: Wouter - realclean patch from Robert Edmonds.
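Review bot: The group switch in daemon/unbound.c (`setresgid(gid,gid,gid)` / `setregid(gid,gid)` / `setgid(gid)`) replaces only the real, effective and saved group ids, and no call that clears the supplementary group list is visible in this hunk. Unless one exists elsewhere in `do_chroot`, whose body starts and ends outside the hunk, the daemon would keep the supplementary groups it was started with, typically root's, after changing to `cfg->username`. I would add, before the `#ifdef HAVE_SETRESGID` block and while the process still has the privilege to do it, `if(setgroups(1, &gid) != 0) fatal_exit("unable to drop supplementary groups of %s: %s", cfg->username, strerror(errno));`, with `setgroups` added to the `AC_CHECK_FUNCS` list in configure.ac so the call can be guarded like the others. This assumes `gid` is a `gid_t`, which the hunk does not show. A one-line comment above the uid block, such as `/* uid must be changed last: the group calls need root */`, would also keep the ordering from being rearranged later.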