From dmitri@opay.ru  Mon Jan 29 18:36:38 2007
Return-Path: <dmitri@opay.ru>
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id 8777B16A400
	for <FreeBSD-gnats-submit@freebsd.org>; Mon, 29 Jan 2007 18:36:38 +0000 (UTC)
	(envelope-from dmitri@opay.ru)
Received: from opay.ru (opay.ru [81.19.78.124])
	by mx1.freebsd.org (Postfix) with ESMTP id 08B2413C4B4
	for <FreeBSD-gnats-submit@freebsd.org>; Mon, 29 Jan 2007 18:36:38 +0000 (UTC)
	(envelope-from dmitri@opay.ru)
Received: by opay.ru (Postfix, from userid 1001)
	id A2ACA1EA615; Mon, 29 Jan 2007 21:13:23 +0300 (MSK)
Message-Id: <20070129181323.A2ACA1EA615@opay.ru>
Date: Mon, 29 Jan 2007 21:13:23 +0300 (MSK)
From: Dmitri Alenitchev <dmitri@dworlds.ru>
Reply-To: Dmitri Alenitchev <dmitri@dworlds.ru>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: [patch] daemon(8): support for dropping privileges
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         108523
>Category:       bin
>Synopsis:       [patch] daemon(8): support for dropping privileges
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    trhodes
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Mon Jan 29 18:40:15 GMT 2007
>Closed-Date:    Tue Jul 20 13:02:59 UTC 2010
>Last-Modified:  Tue Jul 20 13:02:59 UTC 2010
>Originator:     Dmitri Alenitchev
>Release:        FreeBSD 5.4-RELEASE i386
>Organization:
Digital Worlds J.S.C.
>Environment:
System: FreeBSD opay.ru 5.4-RELEASE FreeBSD 5.4-RELEASE #0: Sun May 8 10:21:06 UTC 2005 root@harlow.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386


	
>Description:
	support for dropping privileges to specified user and/or group
>How-To-Repeat:
	
>Fix:

	

--- freebsd-daemon.diff begins here ---
Index: daemon.8
===================================================================
RCS file: /home/ncvs/src/usr.sbin/daemon/daemon.8,v
retrieving revision 1.7
diff -u -r1.7 daemon.8
--- daemon.8	24 Aug 2005 17:24:39 -0000	1.7
+++ daemon.8	29 Jan 2007 08:46:53 -0000
@@ -35,13 +35,16 @@
 .Sh SYNOPSIS
 .Nm
 .Op Fl cf
+.Op Fl u Ar user
+.Op Fl g Ar group
 .Op Fl p Ar pidfile
 .Ar command arguments ...
 .Sh DESCRIPTION
 The
 .Nm
 utility detaches itself from the controlling terminal and
-executes the program specified by its arguments.
+executes the program specified by its arguments. Privileges can
+be lowered to specified user and/or group.
 .Pp
 The options are as follows:
 .Bl -tag -width indent
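Review bot: The new DESCRIPTION sentence starts mid-line after "arguments."; mdoc source conventionally begins every sentence on its own line so that sentence spacing renders correctly. Move "Privileges can be lowered to the specified user and/or group." to a new line (note the missing article in the submitted wording).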
@@ -51,6 +54,10 @@
 .It Fl f
 Redirect standard input, standard output and standard error to
 .Pa /dev/null .
+.It Fl u Ar user
+Drop privileges to specified user.
+.It Fl g Ar group
+Drop privileges to specified group.
 .It Fl p Ar file
 Write the ID of the created process into the
 .Ar file
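Review bot: Neither new entry says that the option is honoured only when daemon is started as root (daemon.c exits with an error otherwise), or whether -u also changes the group; both belong in the -u and -g text. The existing entries are in alphabetical order (c, f, p), so the new ones fit better as c, f, g, p, u than inserted between f and p.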
@@ -77,6 +84,8 @@
 .Fl f
 flag is specified.
 .Sh SEE ALSO
+.Xr setregid 2 ,
+.Xr setreuid 2 ,
 .Xr daemon 3 ,
 .Xr exec 3 ,
 .Xr pidfile 3 ,
Index: daemon.c
===================================================================
RCS file: /home/ncvs/src/usr.sbin/daemon/daemon.c,v
retrieving revision 1.4
diff -u -r1.4 daemon.c
--- daemon.c	24 Aug 2005 17:24:39 -0000	1.4
+++ daemon.c	29 Jan 2007 08:46:53 -0000
@@ -35,11 +35,14 @@
 
 #include <err.h>
 #include <errno.h>
+#include <pwd.h>
+#include <grp.h>
 #include <libutil.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <unistd.h>
 
+static void restrict_process(const char *, const char *);
 static void usage(void);
 
 int
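Review bot: The two new includes break the alphabetical order the existing list follows (err.h, errno.h, libutil.h, stdio.h, ...): pwd.h is placed before grp.h and both before libutil.h. Put grp.h after errno.h and pwd.h after libutil.h.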
@@ -47,12 +50,12 @@
 {
 	struct pidfh *pfh;
 	int ch, nochdir, noclose, errcode;
-	const char *pidfile;
+	const char *pidfile, *user, *group;
 	pid_t otherpid;
 
 	nochdir = noclose = 1;
-	pidfile = NULL;
-	while ((ch = getopt(argc, argv, "-cfp:")) != -1) {
+	pidfile = user = group = NULL;
+	while ((ch = getopt(argc, argv, "-cfu:g:p:")) != -1) {
 		switch (ch) {
 		case 'c':
 			nochdir = 0;
@@ -60,6 +63,12 @@
 		case 'f':
 			noclose = 0;
 			break;
+		case 'u':
+			user = optarg;
+			break;
+		case 'g':
+			group = optarg;
+			break;
 		case 'p':
 			pidfile = optarg;
 			break;
@@ -72,6 +81,14 @@
 
 	if (argc == 0)
 		usage();
+
+	if (user || group) {
+		if (geteuid() != 0)
+			errx(1, "Only root user is allowed to chroot & "
+			    "change UID/GID");
+		restrict_process(user, group);	    
+	}
+
 	/*
 	 * Try to open the pidfile before calling daemon(3),
 	 * to be able to report the error intelligently
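Review bot: restrict_process() is called before the pidfile is opened (the context comment directly below the new block), so with -u and -p together the pidfile is created with the dropped credentials and a path in a root-only directory will fail. Either open the pidfile first and drop privileges afterwards, or document the ordering. The errx() text also mentions chroot although nothing in this patch calls chroot(), and the restrict_process() line ends in trailing whitespace.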
@@ -109,9 +126,32 @@
 }
 
 static void
+restrict_process(const char *user, const char *group)
+{
+	struct group *gr = NULL;
+	struct passwd *pw = NULL;
+	errno = 0;
+
+	if (group != NULL) {
+		if ((gr = getgrnam(group)) == NULL)
+			errx(1, "Group %s does not exist", group);
+		if (setregid(gr->gr_gid, gr->gr_gid) == -1)
+			err(1, "%s", group);
+	}
+
+	if (user != NULL) {
+		if ((pw = getpwnam(user)) == NULL)
+			errx(1, "User %s does not exist", user);
+		if (setreuid(pw->pw_uid, pw->pw_uid) == -1)
+			err(1, "%s", user);
+	}		
+}
+
+static void
 usage(void)
 {
 	(void)fprintf(stderr,
-	    "usage: daemon [-cf] [-p pidfile] command arguments ...\n");
+	    "usage: daemon [-cf] [-u user] [-g group] [-p pidfile] command "
+	    "arguments ...\n");
 	exit(1);
 }
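Review bot: restrict_process() changes the gid and uid but never resets the supplementary group list, so the command keeps the group memberships of the invoking root process after the "drop"; call initgroups() (or setgroups()) while still root, before the uid change. In the same function, when only -u is given the group block is skipped entirely and the real and effective gid stay those of root; defaulting to pw->pw_gid when no group is specified would close that gap.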
--- freebsd-daemon.diff ends here ---


>Release-Note:
>Audit-Trail:

From: Mike Pritchard <mpp@mail.mppsystems.com>
To: Dmitri Alenitchev <dmitri@dworlds.ru>
Cc: FreeBSD-gnats-submit@FreeBSD.org
Subject: Re: bin/108523: [patch] daemon(8): support for dropping privileges
Date: Mon, 29 Jan 2007 14:59:21 -0600

 On Mon, Jan 29, 2007 at 09:13:23PM +0300, Dmitri Alenitchev wrote:
 > 
 > >Number:         108523
 > >Category:       bin
 > >Synopsis:       [patch] daemon(8): support for dropping privileges
 > >Description:
 > 	support for dropping privileges to specified user and/or group
 > >How-To-Repeat:
 > 	
 > >Fix:
 > @@ -109,9 +126,32 @@
 >  }
 >  
 >  static void
 > +restrict_process(const char *user, const char *group)
 > +{
 > +	struct group *gr = NULL;
 > +	struct passwd *pw = NULL;
 > +	errno = 0;
 > +
 > +	if (group != NULL) {
 > +		if ((gr = getgrnam(group)) == NULL)
 > +			errx(1, "Group %s does not exist", group);
 > +		if (setregid(gr->gr_gid, gr->gr_gid) == -1)
 > +			err(1, "%s", group);
 > +	}
 > +
 > +	if (user != NULL) {
 > +		if ((pw = getpwnam(user)) == NULL)
 > +			errx(1, "User %s does not exist", user);
 > +		if (setreuid(pw->pw_uid, pw->pw_uid) == -1)
 > +			err(1, "%s", user);
 > +	}		
 > +}
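
Review bot: The "errno = 0;" at the top of restrict_process() has no effect as written: nothing reads errno afterwards and both lookup failures go through errx(), so a failed database lookup is reported as "does not exist". Either remove the assignment, or reset errno immediately before each getgrnam()/getpwnam() call and use err() when it is non-zero after a NULL return. The closing brace of the user block also carries trailing tabs.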
 
 The group list should also be set with initgroups().  And I
 think setgid() and setuid() are the preferred methods of changing
 the gid/uid, not setre*id().
 -- 
 Mike Pritchard
 mpp @ mppsystems.com or mpp @ FreeBSD.org
 "If tyranny and oppression come to this land, it will be in the guise
 of fighting a foreign enemy."  - James Madison (1787)
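
The sequence suggested in the reply above (initgroups(), then setgid(), then setuid()), written out as an added example; it is not the submitted patch and not the version committed to daemon.c. The helper name drop_privileges, the default to the user's primary group and the final irreversibility check are assumptions of this example.

```c
#define _DEFAULT_SOURCE	/* expose initgroups() on glibc; harmless on FreeBSD */
#include <sys/types.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <unistd.h>

/*
 * Hypothetical helper, not the committed daemon.c code: switch to `user`,
 * with `group` (may be NULL) overriding the user's primary group.
 */
int
drop_privileges(const char *user, const char *group)
{
	struct passwd *pw;
	struct group *gr;
	uid_t uid;
	gid_t gid;
	if (user == NULL || (pw = getpwnam(user)) == NULL)
		return (-1);			/* unknown user */
	uid = pw->pw_uid;
	gid = pw->pw_gid;			/* default when no group given */
	if (group != NULL) {
		if ((gr = getgrnam(group)) == NULL)
			return (-1);		/* unknown group */
		gid = gr->gr_gid;
	}
	/* Each call needs root, so the uid change must come last. */
	if (initgroups(user, gid) == -1)	/* replace root's group list */
		return (-1);
	if (setgid(gid) == -1 || setuid(uid) == -1)
		return (-1);
	/* The drop must be complete and irreversible. */
	if (uid != 0 && setuid(0) != -1)
		return (-1);
	if (getuid() != uid || geteuid() != uid ||
	    getgid() != gid || getegid() != gid)
		return (-1);
	return (0);
}

int
main(int argc, char **argv)
{
	if (argc < 2 || drop_privileges(argv[1], argc > 2 ? argv[2] : NULL) != 0)
		return (1);	/* usage (as root): prog user [group] */
	printf("uid=%d gid=%d\n", (int)getuid(), (int)getgid());
	return (0);
}
```
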
State-Changed-From-To: open->patched 
State-Changed-By: trhodes 
State-Changed-When: Fri Mar 9 09:34:07 UTC 2007 
State-Changed-Why:  
Slightly different version of your patch, based on the follow-up,
has been committed to CURRENT.  Thanks! 


Responsible-Changed-From-To: freebsd-bugs->trhodes 
Responsible-Changed-By: trhodes 
Responsible-Changed-When: Fri Mar 9 09:34:07 UTC 2007 
Responsible-Changed-Why:  
Over to me. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=108523 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: bin/108523: commit references a PR
Date: Fri,  9 Mar 2007 09:33:27 +0000 (UTC)

 trhodes     2007-03-09 09:33:19 UTC
 
   FreeBSD src repository
 
   Modified files:
     usr.sbin/daemon      daemon.8 daemon.c 
   Log:
   Add support for dropping privileges to a specified user and/or group.
   
   PR:             108523
   Submitted by:   Dmitri Alenitchev <dmitri@dworlds.ru> (original version)
   Reviewed by:    mpp (first reply to PR)
   
   Revision  Changes    Path
   1.8       +10 -1     src/usr.sbin/daemon/daemon.8
   1.5       +46 -4     src/usr.sbin/daemon/daemon.c
 

From: Gavin Atkinson <gavin@FreeBSD.org>
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: bin/108523: [patch] daemon(8): support for dropping privileges
Date: Sun, 1 Jun 2008 15:10:04 +0100 (BST)

 This has not yet been MFC'd to 6.x.  When it gets done, it looks like 
 daemon.c 1.5-1.8 all need to be merged.
State-Changed-From-To: patched->closed 
State-Changed-By: gavin 
State-Changed-When: Tue Jul 20 13:02:24 UTC 2010 
State-Changed-Why:  
This is in 7.0 and up, and is unlikely to ever be merged back to 6.x 
now.  Close. 

>Unformatted:
