forked from Telodendria/Telodendria
Change behavior of "id" configuration directive.
This commit is contained in:
parent
efbbf42a6e
commit
8e71cc833c
4 changed files with 79 additions and 50 deletions
|
@ -5,9 +5,6 @@
|
||||||
server-name "localhost";
|
server-name "localhost";
|
||||||
base-url "http://localhost:8008";
|
base-url "http://localhost:8008";
|
||||||
|
|
||||||
# Replace this with your UNIX username
|
|
||||||
id "jordan";
|
|
||||||
|
|
||||||
# Make this directory if Telodendria complains that it's missing.
|
# Make this directory if Telodendria complains that it's missing.
|
||||||
data-dir "./data";
|
data-dir "./data";
|
||||||
|
|
||||||
|
|
|
@ -18,10 +18,12 @@ server-name "example.com";
|
||||||
base-url "https://matrix.example.com";
|
base-url "https://matrix.example.com";
|
||||||
identity-server "https://identity.example.com";
|
identity-server "https://identity.example.com";
|
||||||
|
|
||||||
id "_telodendria" "_telodendria";
|
id "_telodendria";
|
||||||
data-dir "/var/telodendria";
|
data-dir "/var/telodendria";
|
||||||
|
|
||||||
federation "true";
|
federation "true";
|
||||||
registration "false";
|
registration "false";
|
||||||
|
|
||||||
log "file" {
|
log "file" {
|
||||||
level "warning";
|
level "warning";
|
||||||
timestampFormat "default";
|
timestampFormat "default";
|
||||||
|
|
|
@ -346,22 +346,6 @@ main(int argc, char **argv)
|
||||||
Log(lc, LOG_DEBUG, "Flags: %x", tConfig->flags);
|
Log(lc, LOG_DEBUG, "Flags: %x", tConfig->flags);
|
||||||
LogConfigUnindent(lc);
|
LogConfigUnindent(lc);
|
||||||
|
|
||||||
Log(lc, LOG_DEBUG, "Running as uid:gid: %d:%d.", getuid(), getgid());
|
|
||||||
|
|
||||||
userInfo = getpwnam(tConfig->uid);
|
|
||||||
groupInfo = getgrnam(tConfig->gid);
|
|
||||||
|
|
||||||
if (!userInfo || !groupInfo)
|
|
||||||
{
|
|
||||||
Log(lc, LOG_ERROR, "Unable to locate the user/group specified in the configuration.");
|
|
||||||
exit = EXIT_FAILURE;
|
|
||||||
goto finish;
|
|
||||||
}
|
|
||||||
else
|
|
||||||
{
|
|
||||||
Log(lc, LOG_DEBUG, "Found user/group information using getpwnam() and getgrnam().");
|
|
||||||
}
|
|
||||||
|
|
||||||
/* Arguments to pass into the HTTP handler */
|
/* Arguments to pass into the HTTP handler */
|
||||||
matrixArgs.lc = lc;
|
matrixArgs.lc = lc;
|
||||||
matrixArgs.config = tConfig;
|
matrixArgs.config = tConfig;
|
||||||
|
@ -377,9 +361,31 @@ main(int argc, char **argv)
|
||||||
goto finish;
|
goto finish;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
Log(lc, LOG_DEBUG, "Running as uid:gid: %d:%d.", getuid(), getgid());
|
||||||
|
|
||||||
|
if (tConfig->uid && tConfig->gid)
|
||||||
|
{
|
||||||
|
userInfo = getpwnam(tConfig->uid);
|
||||||
|
groupInfo = getgrnam(tConfig->gid);
|
||||||
|
|
||||||
|
if (!userInfo || !groupInfo)
|
||||||
|
{
|
||||||
|
Log(lc, LOG_ERROR, "Unable to locate the user/group specified in the configuration.");
|
||||||
|
exit = EXIT_FAILURE;
|
||||||
|
goto finish;
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
Log(lc, LOG_DEBUG, "Found user/group information using getpwnam() and getgrnam().");
|
||||||
|
}
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
Log(lc, LOG_DEBUG, "No user/group info specified in the config.");
|
||||||
|
}
|
||||||
|
|
||||||
if (getuid() == 0)
|
if (getuid() == 0)
|
||||||
{
|
{
|
||||||
#ifndef __OpenBSD__
|
|
||||||
if (chroot(".") == 0)
|
if (chroot(".") == 0)
|
||||||
{
|
{
|
||||||
Log(lc, LOG_DEBUG, "Changed the root directory to: %s.", tConfig->dataDir);
|
Log(lc, LOG_DEBUG, "Changed the root directory to: %s.", tConfig->dataDir);
|
||||||
|
@ -388,30 +394,41 @@ main(int argc, char **argv)
|
||||||
{
|
{
|
||||||
Log(lc, LOG_WARNING, "Unable to chroot into directory: %s.", tConfig->dataDir);
|
Log(lc, LOG_WARNING, "Unable to chroot into directory: %s.", tConfig->dataDir);
|
||||||
}
|
}
|
||||||
#else
|
|
||||||
Log(lc, LOG_DEBUG, "Not attempting chroot() after pledge() and unveil().");
|
|
||||||
#endif
|
|
||||||
|
|
||||||
if (setgid(groupInfo->gr_gid) != 0 || setuid(userInfo->pw_uid) != 0)
|
if (tConfig->uid && tConfig->gid)
|
||||||
{
|
{
|
||||||
Log(lc, LOG_WARNING, "Unable to set process uid/gid.");
|
if (setgid(groupInfo->gr_gid) != 0 || setuid(userInfo->pw_uid) != 0)
|
||||||
|
{
|
||||||
|
Log(lc, LOG_ERROR, "Unable to set process uid/gid.");
|
||||||
|
exit = EXIT_FAILURE;
|
||||||
|
goto finish;
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
Log(lc, LOG_DEBUG, "Set uid/gid to %s:%s.", tConfig->uid, tConfig->gid);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
Log(lc, LOG_DEBUG, "Set uid/gid to %s:%s.", tConfig->uid, tConfig->gid);
|
Log(lc, LOG_WARNING, "We are running as root, and we are not dropping to another user");
|
||||||
|
Log(lc, LOG_WARNING, "because none was specified in the configuration file.");
|
||||||
|
Log(lc, LOG_WARNING, "This is probably a security issue.");
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
Log(lc, LOG_DEBUG, "Not changing root directory, because we are not root.");
|
Log(lc, LOG_WARNING, "Not setting root directory, because we are not root.");
|
||||||
|
|
||||||
if (getuid() != userInfo->pw_uid || getgid() != groupInfo->gr_gid)
|
if (tConfig->uid && tConfig->gid)
|
||||||
{
|
{
|
||||||
Log(lc, LOG_WARNING, "Not running as the uid/gid specified in the configuration.");
|
if (getuid() != userInfo->pw_uid || getgid() != groupInfo->gr_gid)
|
||||||
}
|
{
|
||||||
else
|
Log(lc, LOG_WARNING, "Not running as the uid/gid specified in the configuration.");
|
||||||
{
|
}
|
||||||
Log(lc, LOG_DEBUG, "Running as the uid/gid specified in the configuration.");
|
else
|
||||||
|
{
|
||||||
|
Log(lc, LOG_DEBUG, "Running as the uid/gid specified in the configuration.");
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -157,24 +157,37 @@ TelodendriaConfigParse(HashMap * config, LogConfig * lc)
|
||||||
tConfig->identityServer = NULL;
|
tConfig->identityServer = NULL;
|
||||||
}
|
}
|
||||||
|
|
||||||
GET_DIRECTIVE("id");
|
directive = (ConfigDirective *) HashMapGet(config, "id");
|
||||||
ASSERT_NO_CHILDREN("id");
|
children = ConfigChildrenGet(directive);
|
||||||
COPY_VALUE(tConfig->uid, 0);
|
value = ConfigValuesGet(directive);
|
||||||
|
|
||||||
switch (ArraySize(value))
|
ASSERT_NO_CHILDREN("id");
|
||||||
|
|
||||||
|
if (directive)
|
||||||
{
|
{
|
||||||
case 1:
|
|
||||||
Log(lc, LOG_WARNING, "No run group specified; assuming it's the same as the user.");
|
switch (ArraySize(value))
|
||||||
tConfig->gid = UtilStringDuplicate(tConfig->uid);
|
{
|
||||||
break;
|
case 1:
|
||||||
case 2:
|
Log(lc, LOG_WARNING, "No run group specified; assuming it's the same as the user.");
|
||||||
COPY_VALUE(tConfig->gid, 1);
|
COPY_VALUE(tConfig->uid, 0);
|
||||||
break;
|
tConfig->gid = UtilStringDuplicate(tConfig->uid);
|
||||||
default:
|
break;
|
||||||
Log(lc, LOG_ERROR,
|
case 2:
|
||||||
"Wrong value count in directive 'id': got '%d', but expected 1 or 2.",
|
COPY_VALUE(tConfig->uid, 0);
|
||||||
ArraySize(value));
|
COPY_VALUE(tConfig->gid, 1);
|
||||||
goto error;
|
break;
|
||||||
|
default:
|
||||||
|
Log(lc, LOG_ERROR,
|
||||||
|
"Wrong value count in directive 'id': got '%d', but expected 1 or 2.",
|
||||||
|
ArraySize(value));
|
||||||
|
goto error;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
tConfig->uid = NULL;
|
||||||
|
tConfig->gid = NULL;
|
||||||
}
|
}
|
||||||
|
|
||||||
GET_DIRECTIVE("data-dir");
|
GET_DIRECTIVE("data-dir");
|
||||||
|
|
Loading…
Reference in a new issue