[OpenWrt-Devel] [PATCH][RESEND] lldpd: add option to disable priviledge separation

Alexandru Ardelean ardeleanalex at gmail.com
Mon Mar 23 11:40:35 EDT 2015 

On Mon, Mar 23, 2015 at 5:28 PM, Stijn Tintel <stijn at linux-ipv6.be> wrote:

> On 23-03-15 12:31, Alexandru Ardelean wrote:
> > Helpful to disable when debugging lldpd crashes (when working on it).
> > When priviledge separation is on, some crashes are stack-traced to
> > some priviledge separation code.
> Nitpicking, but the correct spelling is "privilege".
> > Signed-off-by: Alexandru Ardelean <ardeleanalex at gmail.com>
> > ---
> >  package/network/services/lldpd/Config.in           |  5 ++
> >  package/network/services/lldpd/Makefile            |  2 +
> >  ...lookup-for-_lldpd-when-privsep-is-disable.patch | 73
> ++++++++++++++++++++++
> >  3 files changed, 80 insertions(+)
> >  create mode 100644
> package/network/services/lldpd/patches/001-priv-don-t-lookup-for-_lldpd-when-privsep-is-disable.patch
> >
> > diff --git a/package/network/services/lldpd/Config.in
> b/package/network/services/lldpd/Config.in
> > index a416490..4a8b5e7d 100644
> > --- a/package/network/services/lldpd/Config.in
> > +++ b/package/network/services/lldpd/Config.in
> > @@ -1,6 +1,11 @@
> >  menu "Configuration"
> >       depends on PACKAGE_lldpd
> >
> > +config LLDPD_WITH_PRIVSEP
> > +     bool
> > +     default y
> > +     prompt "Enable priviledge separation (run lldpd with a chrooted
> 'lldpd' user)"
> Id.
> > +
> >  config LLDPD_WITH_CDP
> >       bool
> >       default y
> > diff --git a/package/network/services/lldpd/Makefile
> b/package/network/services/lldpd/Makefile
> > index ff367f1..d80840e 100644
> > --- a/package/network/services/lldpd/Makefile
> > +++ b/package/network/services/lldpd/Makefile
> > @@ -85,9 +85,11 @@ define Package/lldpd/conffiles
> >  endef
> >
> >  CONFIGURE_ARGS += \
> > +     $(if $(CONFIG_LLDPD_WITH_PRIVSEP), \
> >       --with-privsep-user=lldp \
> >       --with-privsep-group=lldp \
> >       --with-privsep-chroot=/var/run/lldp \
> > +     ,--disable-privsep) \
> >       --with-readline=no \
> >       --with-embedded-libevent=no \
> >       $(if $(CONFIG_LLDPD_WITH_CDP),,--disable-cdp) \
> > diff --git
> a/package/network/services/lldpd/patches/001-priv-don-t-lookup-for-_lldpd-when-privsep-is-disable.patch
> b/package/network/services/lldpd/patches/001-priv-don-t-lookup-for-_lldpd-when-privsep-is-disable.patch
> > new file mode 100644
> > index 0000000..907c21b
> > --- /dev/null
> > +++
> b/package/network/services/lldpd/patches/001-priv-don-t-lookup-for-_lldpd-when-privsep-is-disable.patch
> > @@ -0,0 +1,73 @@
> > +From 28bf40220840c277d70ed66f6d58729ebb975de8 Mon Sep 17 00:00:00 2001
> > +From: Vincent Bernat <vincent at bernat.im>
> > +Date: Thu, 12 Feb 2015 08:07:43 +0100
> > +Subject: [PATCH] priv: don't lookup for _lldpd when privsep is disabled
> > +
> > +Closes #95
> > +---
> > + src/daemon/lldpd.c | 10 ++++++++++
> > + 1 file changed, 10 insertions(+)
> > +
> > +diff --git a/src/daemon/lldpd.c b/src/daemon/lldpd.c
> > +index f868fc7..6a3a160 100644
> > +--- a/src/daemon/lldpd.c
> > ++++ b/src/daemon/lldpd.c
> > +@@ -1335,11 +1335,13 @@ lldpd_main(int argc, char *argv[], char *envp[])
> > +     int receiveonly = 0;
> > +     int ctl;
> > +
> > ++#ifdef ENABLE_PRIVSEP
> > +     /* Non privileged user */
> > +     struct passwd *user;
> > +     struct group *group;
> > +     uid_t uid;
> > +     gid_t gid;
> > ++#endif
> > +
> > +     saved_argv = argv;
> > +
> > +@@ -1493,12 +1495,14 @@ lldpd_main(int argc, char *argv[], char *envp[])
> > +     log_debug("main", "lldpd starting...");
> > +
> > +     /* Grab uid and gid to use for priv sep */
> > ++#ifdef ENABLE_PRIVSEP
> > +     if ((user = getpwnam(PRIVSEP_USER)) == NULL)
> > +             fatal("main", "no " PRIVSEP_USER " user for privilege
> separation");
> > +     uid = user->pw_uid;
> > +     if ((group = getgrnam(PRIVSEP_GROUP)) == NULL)
> > +             fatal("main", "no " PRIVSEP_GROUP " group for privilege
> separation");
> > +     gid = group->gr_gid;
> > ++#endif
> > +
> > +     /* Create and setup socket */
> > +     int retry = 1;
> > +@@ -1526,12 +1530,14 @@ lldpd_main(int argc, char *argv[], char *envp[])
> > +             log_warn("main", "unable to create control socket");
> > +             fatalx("giving up");
> > +     }
> > ++#ifdef ENABLE_PRIVSEP
> > +     if (chown(ctlname, uid, gid) == -1)
> > +             log_warn("main", "unable to chown control socket");
> > +     if (chmod(ctlname,
> > +             S_IRUSR | S_IWUSR | S_IXUSR |
> > +             S_IRGRP | S_IWGRP | S_IXGRP) == -1)
> > +             log_warn("main", "unable to chmod control socket");
> > ++#endif
> > +
> > +     /* Disable SIGPIPE */
> > +     signal(SIGPIPE, SIG_IGN);
> > +@@ -1576,7 +1582,11 @@ lldpd_main(int argc, char *argv[], char *envp[])
> > +     }
> > +
> > +     log_debug("main", "initialize privilege separation");
> > ++#ifdef ENABLE_PRIVSEP
> > +     priv_init(PRIVSEP_CHROOT, ctl, uid, gid);
> > ++#else
> > ++    priv_init(PRIVSEP_CHROOT, ctl, 0, 0);
> > ++#endif
> > +
> > +     /* Initialization of global configuration */
> > +     if ((cfg = (struct lldpd *)
> > +--
> > +2.1.2
> > +
> Kind regards,
> Stijn
> _______________________________________________
> openwrt-devel mailing list
> openwrt-devel at lists.openwrt.org
> https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
>
Will re-send.
Thanks
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.infradead.org/pipermail/openwrt-devel/attachments/20150323/e98cb48a/attachment.htm>
-------------- next part --------------
_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel

More information about the openwrt-devel mailing list