From: Kurt Zeilenga Date: Wed, 21 Apr 1999 00:40:20 +0000 (+0000) Subject: Modify slapd set user/group support to use -u/-g instead -U/-G. X-Git-Tag: OPENLDAP_SLAPD_BACK_LDAP~154 X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=7ba980f0f6cc645fdf8763f1a4a6597dfcf3c7c0;p=openldap Modify slapd set user/group support to use -u/-g instead -U/-G. Moved -u (udp) to -c (connectionless). Connectionless is depreciated and undocumented. Added tests for set{,e}{u,g}id to configure. Use existance of setuid/setgid to enable feature. Use seteuid/setegid only if they exist. Fixed minor minor leak of username/groupname if specificied more than once. (This should actually be an error) --- diff --git a/INSTALL b/INSTALL index 3e3fbca00f..752ced0b3b 100644 --- a/INSTALL +++ b/INSTALL @@ -47,12 +47,7 @@ these steps: See the 'USING ENVIRONMENT VARIABLES' section for information on how to use the variables. - 3. edit the file include/ldapconfig.h.edit to configure - the software for your site (the files are well-commented): - - % vi include/ldapconfig.h.edit - - 4. Configure the build system + 3. Configure the build system % [env settings] ./configure [options] @@ -60,6 +55,11 @@ these steps: appropriate settings. Use configure enable/with options and/or environment variables to obtain desired results. + 4. Review the file include/ldapconfig.h.edit. + You generally do not need to modify this file. + + % vi include/ldapconfig.h.edit + 5. Build dependencies % make depend diff --git a/configure b/configure index 78e4202e26..c777719043 100755 --- a/configure +++ b/configure @@ -10808,12 +10808,13 @@ for ac_func in \ endgrent \ endpwent \ flock \ - getdtablesize \ + getdtablesize \ getgrgid \ gethostname \ getpass \ getpwuid \ - gettimeofday \ + gettimeofday \ + initgroups \ lockf \ memcpy \ memmove \ @@ -10821,7 +10822,11 @@ for ac_func in \ recv \ recvfrom \ setpwfile \ + setgid \ + setegid \ setsid \ + setuid \ + seteuid \ signal \ sigset \ snprintf \ 
@@ -10840,12 +10845,12 @@ for ac_func in \ do echo $ac_n "checking for $ac_func""... $ac_c" 1>&6 -echo "configure:10844: checking for $ac_func" >&5 +echo "configure:10849: checking for $ac_func" >&5 if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:10877: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_func_$ac_func=yes" else @@ -10896,12 +10901,12 @@ done for ac_func in getopt tempnam do echo $ac_n "checking for $ac_func""... $ac_c" 1>&6 -echo "configure:10900: checking for $ac_func" >&5 +echo "configure:10905: checking for $ac_func" >&5 if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:10933: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_func_$ac_func=yes" else @@ -10954,13 +10959,13 @@ done # Check Configuration echo $ac_n "checking declaration of sys_errlist""... $ac_c" 1>&6 -echo "configure:10958: checking declaration of sys_errlist" >&5 +echo "configure:10963: checking declaration of sys_errlist" >&5 if eval "test \"`echo '$''{'ol_cv_dcl_sys_errlist'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < @@ -10970,7 +10975,7 @@ int main() { char *c = (char *) *sys_errlist ; return 0; } EOF -if { (eval echo configure:10974: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:10979: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ol_cv_dcl_sys_errlist=yes else 
@@ -10990,20 +10995,20 @@ if test $ol_cv_dcl_sys_errlist = no ; then EOF echo $ac_n "checking existence of sys_errlist""... $ac_c" 1>&6 -echo "configure:10994: checking existence of sys_errlist" >&5 +echo "configure:10999: checking existence of sys_errlist" >&5 if eval "test \"`echo '$''{'ol_cv_have_sys_errlist'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < int main() { char *c = (char *) *sys_errlist ; return 0; } EOF -if { (eval echo configure:11007: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:11012: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* ol_cv_have_sys_errlist=yes else @@ -11027,13 +11032,13 @@ fi echo $ac_n "checking strdup declaration""... $ac_c" 1>&6 -echo "configure:11031: checking strdup declaration" >&5 +echo "configure:11036: checking strdup declaration" >&5 if eval "test \"`echo '$''{'ol_cv_dcl_strdup'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < @@ -11041,7 +11046,7 @@ int main() { extern char *strdup(); ; return 0; } EOF -if { (eval echo configure:11045: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:11050: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ol_cv_dcl_strdup=yes else diff --git a/configure.in b/configure.in index d5f1489c27..8bbe32b472 100644 --- a/configure.in +++ b/configure.in @@ -1541,12 +1541,13 @@ AC_CHECK_FUNCS( \ endgrent \ endpwent \ flock \ - getdtablesize \ + getdtablesize \ getgrgid \ gethostname \ getpass \ getpwuid \ - gettimeofday \ + gettimeofday \ + initgroups \ lockf \ memcpy \ memmove \ @@ -1554,7 +1555,11 @@ AC_CHECK_FUNCS( \ recv \ recvfrom \ setpwfile \ + setgid \ + setegid \ setsid \ + setuid \ + seteuid \ signal \ sigset \ snprintf \ diff --git a/doc/man/man8/slapd.8 b/doc/man/man8/slapd.8 index f1b89126a9..e8caad5874 100644 --- a/doc/man/man8/slapd.8 
+++ b/doc/man/man8/slapd.8 @@ -5,7 +5,7 @@ slapd \- Stand-alone LDAP Daemon .B LIBEXECDIR/slapd [\-d debug\-level] .B [\-f slapd\-config\-file] [\-a address] [\-p port\-number] .B [\-s syslog\-level] [\-l syslog\-local\-user] [\-i] -.B [\-U user] [\-G group] +.B [\-u user] [\-g group] .B .SH DESCRIPTION .LP @@ -99,14 +99,14 @@ Internet standard '.' format. will listen on the default LDAP port (389) unless this option is given to override the default. A numeric port number is expected. .TP -.BI \-U " user" +.BI \-u " user" .B slapd will run slapd with the specified user name or id, and that user's supplementary group access list as set with initgroups(3). The group ID -is also changed to this user's gid, unless the -G option is used to +is also changed to this user's gid, unless the -g option is used to override. .TP -.BI \-G " group" +.BI \-g " group" .B slapd will run with the specified group name or id. .TP diff --git a/include/portable.h.in b/include/portable.h.in index 41703cdc0e..a7fa967975 100644 --- a/include/portable.h.in +++ b/include/portable.h.in @@ -261,6 +261,9 @@ /* Define if you have the gettimeofday function. */ #undef HAVE_GETTIMEOFDAY +/* Define if you have the initgroups function. */ +#undef HAVE_INITGROUPS + /* Define if you have the lockf function. */ #undef HAVE_LOCKF @@ -297,12 +300,24 @@ /* Define if you have the sched_yield function. */ #undef HAVE_SCHED_YIELD +/* Define if you have the setegid function. */ +#undef HAVE_SETEGID + +/* Define if you have the seteuid function. */ +#undef HAVE_SETEUID + +/* Define if you have the setgid function. */ +#undef HAVE_SETGID + /* Define if you have the setpwfile function. */ #undef HAVE_SETPWFILE /* Define if you have the setsid function. */ #undef HAVE_SETSID +/* Define if you have the setuid function. */ +#undef HAVE_SETUID + /* Define if you have the signal function. */ #undef HAVE_SIGNAL diff --git a/servers/slapd/main.c b/servers/slapd/main.c index ee78c5d444..41b794936a 100644 
--- a/servers/slapd/main.c +++ b/servers/slapd/main.c @@ -57,15 +57,18 @@ static void usage( char *name ) { fprintf( stderr, "usage: %s [-d ?|debuglevel] [-f configfile] [-p portnumber] [-s sysloglevel]", name ); - fprintf( stderr, "\n [-a bind-address] [-i] [-u]" ); + fprintf( stderr, "\n [-a bind-address] [-i]" ); +#if LDAP_CONNECTIONLESS + fprintf( stderr, " [-c]" ); +#endif #ifdef SLAPD_BDB2 fprintf( stderr, " [-t]" ); #endif #ifdef LOG_LOCAL4 fprintf( stderr, " [-l sysloguser]" ); #endif -#if defined(HAVE_PWD_H) && defined(HAVE_GRP_H) - fprintf( stderr, " [-U user] [-G group]" ); +#if defined(HAVE_SETUID) && defined(HAVE_SETGID) + fprintf( stderr, " [-u user] [-g group]" ); #endif fprintf( stderr, "\n" ); } @@ -84,7 +87,7 @@ main( int argc, char **argv ) #ifdef LOG_LOCAL4 int syslogUser = DEFAULT_SYSLOG_USER; #endif -#if defined(HAVE_PWD_H) && defined(HAVE_GRP_H) +#if defined(HAVE_SETUID) && defined(HAVE_SETGID) char *username = NULL, *groupname = NULL; #endif char *configfile; @@ -102,15 +105,15 @@ main( int argc, char **argv ) g_argv = argv; while ( (i = getopt( argc, argv, - "d:f:ia:p:s:u" + "d:f:ia:p:s:c" #ifdef LOG_LOCAL4 "l:" #endif #ifdef SLAPD_BDB2 "t" #endif -#if defined(HAVE_PWD_H) && defined(HAVE_GRP_H) - "U:G:" +#if defined(HAVE_SETUID) && defined(HAVE_SETGID) + "u:g:" #endif )) != EOF ) { switch ( i ) { @@ -195,9 +198,11 @@ main( int argc, char **argv ) break; #endif - case 'u': /* do udp */ +#ifdef LDAP_CONNECTIONLESS + case 'c': /* do connectionless (udp) */ udp = 1; break; +#endif #ifdef SLAPD_BDB2 case 't': /* timed server */ 
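Review bot: The getopt string in the @@ -102 hunk accepts `c` unconditionally (`"d:f:ia:p:s:c"`), while the matching `case 'c':` added in the @@ -195 hunk is compiled in only under `#ifdef LDAP_CONNECTIONLESS`, so on a build without it `-c` is parsed and then lands in `default: usage( argv[0] )` — inconsistent with how `-t`, `-l` and `-u`/`-g` are guarded in the same string. Append the letter the same way as the others: `"d:f:ia:p:s:"` followed by an `#ifdef LDAP_CONNECTIONLESS` / `"c"` / `#endif` fragment. The usage() change in the @@ -57 hunk tests `#if LDAP_CONNECTIONLESS` whereas the case uses `#ifdef`; the two agree only when the macro is defined to a non-zero value, so one form should be used throughout. main()'s body continues outside these hunks.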
@@ -205,15 +210,17 @@ main( int argc, char **argv ) break; #endif -#if defined(HAVE_PWD_H) && defined(HAVE_GRP_H) - case 'U': /* user name */ +#if defined(HAVE_SETUID) && defined(HAVE_GETUID) + case 'u': /* user name */ + if( username ) free(username); username = ch_strdup( optarg ); break; - case 'G': /* group name */ + case 'g': /* group name */ + if( groupname ) free(groupname); groupname = ch_strdup( optarg ); break; -#endif /* HAVE_PWD_H && HAVE_GRP_H */ +#endif /* SETUID && GETUID */ default: usage( argv[0] ); @@ -241,7 +248,7 @@ main( int argc, char **argv ) tcps = set_socket( inetd ? NULL : &bind_addr ); -#if defined(HAVE_PWD_H) && defined(HAVE_GRP_H) +#if defined(HAVE_SETUID) && defined(HAVE_SETGID) if ( username != NULL || groupname != NULL ) slap_init_user( username, groupname ); #endif diff --git a/servers/slapd/user.c b/servers/slapd/user.c index e7d7252e01..e92598d800 100644 --- a/servers/slapd/user.c +++ b/servers/slapd/user.c @@ -11,12 +11,17 @@ #include "portable.h" -#if defined(HAVE_PWD_H) && defined(HAVE_GRP_H) +#if defined(HAVE_SETUID) && defined(HAVE_SETGID) #include #include + +#ifdef HAVE_PWD_H #include +#endif +#ifdef HAVE_GRP_H #include +#endif #include #include @@ -31,7 +36,7 @@ void slap_init_user( char *user, char *group ) { - uid_t uid = (gid_t) -1; + uid_t uid = (uid_t) -1; gid_t gid = (gid_t) -1; if ( user ) { @@ -104,11 +109,13 @@ slap_init_user( char *user, char *group ) gid, 0, 0 ); exit( 1 ); } +#ifdef HAVE_SETEGID if ( setegid( gid ) != 0 ) { Debug( LDAP_DEBUG_ANY, "Could not set effective group id to %d\n", gid, 0, 0 ); exit( 1 ); } +#endif } if ( uid >= 0 ) { @@ -117,11 +124,13 @@ slap_init_user( char *user, char *group ) uid, 0, 0 ); exit( 1 ); } +#ifdef HAVE_SETEUID if ( seteuid( uid ) != 0 ) { Debug( LDAP_DEBUG_ANY, "Could not set real user id to %d\n", uid, 0, 0 ); exit( 1 ); } +#endif } }
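Review bot: The guard around the new `case 'u':`/`case 'g':` in the @@ -205 hunk tests `defined(HAVE_SETUID) && defined(HAVE_GETUID)`, but every other site in this commit (usage(), the username/groupname declaration, the `"u:g:"` getopt fragment, the slap_init_user call) tests `HAVE_SETUID && HAVE_SETGID`, and the configure.in hunk adds probes for setuid/seteuid/setgid/setegid/initgroups only — nothing in this diff defines HAVE_GETUID. Unless getuid is checked somewhere outside the diff, these two cases are compiled out while `-u`/`-g` stay in the option string, so `slapd -u user` falls through to `default: usage( argv[0] )` and the privilege-dropping path is never reached. Change the line to `#if defined(HAVE_SETUID) && defined(HAVE_SETGID)` and the closing comment to `#endif /* SETUID && SETGID */`. On the same lines, `if( username ) free(username);` needs no guard since free(NULL) is a no-op, and if ch_strdup allocates through a project allocator its matching release routine belongs here rather than bare free (not visible in the hunk). main()'s body starts and ends outside the hunk.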
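Review bot: The context line `if ( uid >= 0 ) {` that closes the @@ -104 hunk of user.c is always true when uid_t is an unsigned type, as it is on most POSIX systems, so even with this commit's `(uid_t) -1` sentinel fix the test cannot tell "no user given" from a real uid; presumably the setuid( uid ) call that follows outside the hunk is then made with (uid_t)-1 whenever only `-g` was passed, which setuid rejects and slapd exits. Compare against the sentinel instead: `if ( uid != (uid_t) -1 ) {`, and if the group branch above (outside the hunk) uses the same `gid >= 0` form it should become `if ( gid != (gid_t) -1 ) {`. slap_init_user's body starts outside the hunk.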
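Review bot: The diagnostic on the seteuid( uid ) failure path in the @@ -117 hunk reads "Could not set real user id", but seteuid changes the effective id, and this branch is reached only after the setuid( uid ) check whose tail opens the hunk; the message should be `"Could not set effective user id to %d\n",` to match the "effective group id" wording used in the setegid branch. The new `#ifdef HAVE_SETEUID` guard itself is consistent with the probe added in configure.in. slap_init_user's body starts outside the hunk.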