<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Mar 23, 2015 at 5:28 PM, Stijn Tintel <span dir="ltr"><<a href="mailto:stijn@linux-ipv6.be" target="_blank">stijn@linux-ipv6.be</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span>On 23-03-15 12:31, Alexandru Ardelean wrote:<br>
> Helpful to disable when debugging lldpd crashes (when working on it).<br>
> When priviledge separation is on, some crashes are stack-traced to<br>
> some priviledge separation code.<br>
</span>Nitpicking, but the correct spelling is "privilege".<br>
<span>> Signed-off-by: Alexandru Ardelean <<a href="mailto:ardeleanalex@gmail.com" target="_blank">ardeleanalex@gmail.com</a>><br>
> ---<br>
>  package/network/services/lldpd/Config.in           |  5 ++<br>
>  package/network/services/lldpd/Makefile            |  2 +<br>
>  ...lookup-for-_lldpd-when-privsep-is-disable.patch | 73 ++++++++++++++++++++++<br>
>  3 files changed, 80 insertions(+)<br>
>  create mode 100644 package/network/services/lldpd/patches/001-priv-don-t-lookup-for-_lldpd-when-privsep-is-disable.patch<br>
><br>
> diff --git a/package/network/services/lldpd/Config.in b/package/network/services/lldpd/Config.in<br>
> index a416490..4a8b5e7d 100644<br>
> --- a/package/network/services/lldpd/Config.in<br>
> +++ b/package/network/services/lldpd/Config.in<br>
> @@ -1,6 +1,11 @@<br>
>  menu "Configuration"<br>
>       depends on PACKAGE_lldpd<br>
><br>
> +config LLDPD_WITH_PRIVSEP<br>
> +     bool<br>
> +     default y<br>
> +     prompt "Enable priviledge separation (run lldpd with a chrooted 'lldpd' user)"<br>
</span>Same misspelling here: "priviledge" should be "privilege".<br>
<div><div>> +<br>
>  config LLDPD_WITH_CDP<br>
>       bool<br>
>       default y<br>
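Review bot: The new `LLDPD_WITH_PRIVSEP` entry has no `help` text, so someone switching it off in menuconfig gets no indication that the Makefile hunk then passes `--disable-privsep` and drops the unprivileged user/group and chroot arguments. I would add a help block along the lines of `Disabling this builds lldpd without privilege separation; intended for debugging only, keep it enabled on production images.` The prompt also names a 'lldpd' user while the Makefile passes `--with-privsep-user=lldp`, so the prompt text should name the account that is actually configured.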
> diff --git a/package/network/services/lldpd/Makefile b/package/network/services/lldpd/Makefile<br>
> index ff367f1..d80840e 100644<br>
> --- a/package/network/services/lldpd/Makefile<br>
> +++ b/package/network/services/lldpd/Makefile<br>
> @@ -85,9 +85,11 @@ define Package/lldpd/conffiles<br>
>  endef<br>
><br>
>  CONFIGURE_ARGS += \<br>
> +     $(if $(CONFIG_LLDPD_WITH_PRIVSEP), \<br>
>       --with-privsep-user=lldp \<br>
>       --with-privsep-group=lldp \<br>
>       --with-privsep-chroot=/var/run/lldp \<br>
> +     ,--disable-privsep) \<br>
>       --with-readline=no \<br>
>       --with-embedded-libevent=no \<br>
>       $(if $(CONFIG_LLDPD_WITH_CDP),,--disable-cdp) \<br>
> diff --git a/package/network/services/lldpd/patches/001-priv-don-t-lookup-for-_lldpd-when-privsep-is-disable.patch b/package/network/services/lldpd/patches/001-priv-don-t-lookup-for-_lldpd-when-privsep-is-disable.patch<br>
> new file mode 100644<br>
> index 0000000..907c21b<br>
> --- /dev/null<br>
> +++ b/package/network/services/lldpd/patches/001-priv-don-t-lookup-for-_lldpd-when-privsep-is-disable.patch<br>
> @@ -0,0 +1,73 @@<br>
> +From 28bf40220840c277d70ed66f6d58729ebb975de8 Mon Sep 17 00:00:00 2001<br>
> +From: Vincent Bernat <<a href="mailto:vincent@bernat.im" target="_blank">vincent@bernat.im</a>><br>
> +Date: Thu, 12 Feb 2015 08:07:43 +0100<br>
> +Subject: [PATCH] priv: don't lookup for _lldpd when privsep is disabled<br>
> +<br>
> +Closes #95<br>
> +---<br>
> + src/daemon/lldpd.c | 10 ++++++++++<br>
> + 1 file changed, 10 insertions(+)<br>
> +<br>
> +diff --git a/src/daemon/lldpd.c b/src/daemon/lldpd.c<br>
> +index f868fc7..6a3a160 100644<br>
> +--- a/src/daemon/lldpd.c<br>
> ++++ b/src/daemon/lldpd.c<br>
> +@@ -1335,11 +1335,13 @@ lldpd_main(int argc, char *argv[], char *envp[])<br>
> +     int receiveonly = 0;<br>
> +     int ctl;<br>
> +<br>
> ++#ifdef ENABLE_PRIVSEP<br>
> +     /* Non privileged user */<br>
> +     struct passwd *user;<br>
> +     struct group *group;<br>
> +     uid_t uid;<br>
> +     gid_t gid;<br>
> ++#endif<br>
> +<br>
> +     saved_argv = argv;<br>
> +<br>
> +@@ -1493,12 +1495,14 @@ lldpd_main(int argc, char *argv[], char *envp[])<br>
> +     log_debug("main", "lldpd starting...");<br>
> +<br>
> +     /* Grab uid and gid to use for priv sep */<br>
> ++#ifdef ENABLE_PRIVSEP<br>
> +     if ((user = getpwnam(PRIVSEP_USER)) == NULL)<br>
> +             fatal("main", "no " PRIVSEP_USER " user for privilege separation");<br>
> +     uid = user->pw_uid;<br>
> +     if ((group = getgrnam(PRIVSEP_GROUP)) == NULL)<br>
> +             fatal("main", "no " PRIVSEP_GROUP " group for privilege separation");<br>
> +     gid = group->gr_gid;<br>
> ++#endif<br>
> +<br>
> +     /* Create and setup socket */<br>
> +     int retry = 1;<br>
> +@@ -1526,12 +1530,14 @@ lldpd_main(int argc, char *argv[], char *envp[])<br>
> +             log_warn("main", "unable to create control socket");<br>
> +             fatalx("giving up");<br>
> +     }<br>
> ++#ifdef ENABLE_PRIVSEP<br>
> +     if (chown(ctlname, uid, gid) == -1)<br>
> +             log_warn("main", "unable to chown control socket");<br>
> +     if (chmod(ctlname,<br>
> +             S_IRUSR | S_IWUSR | S_IXUSR |<br>
> +             S_IRGRP | S_IWGRP | S_IXGRP) == -1)<br>
> +             log_warn("main", "unable to chmod control socket");<br>
> ++#endif<br>
> +<br>
> +     /* Disable SIGPIPE */<br>
> +     signal(SIGPIPE, SIG_IGN);<br>
> +@@ -1576,7 +1582,11 @@ lldpd_main(int argc, char *argv[], char *envp[])<br>
> +     }<br>
> +<br>
> +     log_debug("main", "initialize privilege separation");<br>
> ++#ifdef ENABLE_PRIVSEP<br>
> +     priv_init(PRIVSEP_CHROOT, ctl, uid, gid);<br>
> ++#else<br>
> ++    priv_init(PRIVSEP_CHROOT, ctl, 0, 0);<br>
> ++#endif<br>
> +<br>
> +     /* Initialization of global configuration */<br>
> +     if ((cfg = (struct lldpd *)<br>
> +--<br>
> +2.1.2<br>
> +<br>
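Review bot: In the third hunk of the embedded lldpd.c patch, the `chmod(ctlname, ...)` call is compiled out together with the `chown` when `ENABLE_PRIVSEP` is undefined, so a non-privsep build leaves the control socket with whatever mode it was created with. Socket creation is outside the hunk, so the resulting mode presumably depends on the process umask and should be confirmed. Only the `chown` needs `uid`/`gid`, so placing the `#endif` right after its `log_warn` would keep the explicit mode in both builds. If the upstream behaviour is intended, a comment such as `/* no privsep: control socket keeps its creation owner and mode */` would record that. The body of lldpd_main starts and ends outside these hunks.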
</div></div>Kind regards,<br>
Stijn<br>
</blockquote></div>Will re-send.<br></div><div class="gmail_extra">Thanks<br></div><div class="gmail_extra"><br></div></div>