now winix can demonize itself
parameter in the config: demonize (default: true) git-svn-id: svn://ttmath.org/publicrep/winix/trunk@669 e52654a7-88a9-db11-a3e9-0013d4bc506e
This commit is contained in:
parent
9c34cb5862
commit
c6473f20dc
366
core/app.cpp
366
core/app.cpp
|
@ -7,8 +7,8 @@
|
||||||
*
|
*
|
||||||
*/
|
*/
|
||||||
|
|
||||||
#include <sys/types.h>
|
#include <sys/types.h>
|
||||||
#include <pwd.h>
|
#include <pwd.h>
|
||||||
#include <grp.h>
|
#include <grp.h>
|
||||||
#include <unistd.h>
|
#include <unistd.h>
|
||||||
|
|
||||||
|
@ -723,16 +723,16 @@ Error status = request.status;
|
||||||
|
|
||||||
void App::LogUser(const char * msg, uid_t id)
|
void App::LogUser(const char * msg, uid_t id)
|
||||||
{
|
{
|
||||||
log << log3 << msg << " ";
|
log << log3 << msg << " ";
|
||||||
|
|
||||||
passwd * p = getpwuid(id);
|
passwd * p = getpwuid(id);
|
||||||
|
|
||||||
if( p )
|
if( p )
|
||||||
log << p->pw_name;
|
log << p->pw_name;
|
||||||
else
|
else
|
||||||
log << id;
|
log << id;
|
||||||
|
|
||||||
log << logend;
|
log << logend;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
@ -740,104 +740,104 @@ void App::LogGroup(const char * msg, gid_t id, bool put_logend)
|
||||||
{
|
{
|
||||||
log << log3 << msg << " ";
|
log << log3 << msg << " ";
|
||||||
|
|
||||||
group * g = getgrgid(id);
|
group * g = getgrgid(id);
|
||||||
|
|
||||||
if( g )
|
if( g )
|
||||||
log << g->gr_name;
|
log << g->gr_name;
|
||||||
else
|
else
|
||||||
log << (int)id;
|
log << (int)id;
|
||||||
|
|
||||||
if( put_logend )
|
if( put_logend )
|
||||||
log << logend;
|
log << logend;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
void App::LogUsers()
|
void App::LogUsers()
|
||||||
{
|
{
|
||||||
uid_t eid, rid;
|
uid_t eid, rid;
|
||||||
|
|
||||||
eid = geteuid();
|
eid = geteuid();
|
||||||
rid = getuid();
|
rid = getuid();
|
||||||
|
|
||||||
if( eid == rid )
|
if( eid == rid )
|
||||||
{
|
{
|
||||||
LogUser("App: effective/real user:", eid);
|
LogUser("App: effective/real user:", eid);
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
LogUser("App: effective user:", eid);
|
LogUser("App: effective user:", eid);
|
||||||
LogUser("App: real user:", rid);
|
LogUser("App: real user:", rid);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
void App::LogEffectiveGroups(std::vector<gid_t> & tab)
|
void App::LogEffectiveGroups(std::vector<gid_t> & tab)
|
||||||
{
|
{
|
||||||
log << log3 << "App: effective groups:";
|
log << log3 << "App: effective groups:";
|
||||||
|
|
||||||
for(size_t i=0 ; i<tab.size() ; ++i)
|
for(size_t i=0 ; i<tab.size() ; ++i)
|
||||||
{
|
{
|
||||||
bool was_printed = false;
|
bool was_printed = false;
|
||||||
|
|
||||||
for(size_t x=0 ; x<i ; ++x)
|
for(size_t x=0 ; x<i ; ++x)
|
||||||
{
|
{
|
||||||
if( tab[i] == tab[x] )
|
if( tab[i] == tab[x] )
|
||||||
{
|
{
|
||||||
was_printed = true;
|
was_printed = true;
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if( !was_printed )
|
if( !was_printed )
|
||||||
LogGroup("", tab[i], false);
|
LogGroup("", tab[i], false);
|
||||||
}
|
}
|
||||||
|
|
||||||
log << logend;
|
log << logend;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
void App::LogGroups()
|
void App::LogGroups()
|
||||||
{
|
{
|
||||||
std::vector<gid_t> tab;
|
std::vector<gid_t> tab;
|
||||||
gid_t rgid;
|
gid_t rgid;
|
||||||
int len;
|
int len;
|
||||||
|
|
||||||
rgid = getgid();
|
rgid = getgid();
|
||||||
len = getgroups(0, 0);
|
len = getgroups(0, 0);
|
||||||
|
|
||||||
if( len <= 0 )
|
if( len <= 0 )
|
||||||
{
|
{
|
||||||
log << log3 << "App: I can't read how many groups there are" << logend;
|
log << log3 << "App: I can't read how many groups there are" << logend;
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
tab.resize(len);
|
tab.resize(len);
|
||||||
len = getgroups(len, &(tab[0]));
|
len = getgroups(len, &(tab[0]));
|
||||||
|
|
||||||
if( len == -1 )
|
if( len == -1 )
|
||||||
{
|
{
|
||||||
log << log3 << "App: I can't read groups" << logend;
|
log << log3 << "App: I can't read groups" << logend;
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
if( len == 1 && rgid == tab[0] )
|
if( len == 1 && rgid == tab[0] )
|
||||||
{
|
{
|
||||||
LogGroup("App: effective/real group:", rgid);
|
LogGroup("App: effective/real group:", rgid);
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
tab.resize(len);
|
tab.resize(len);
|
||||||
LogEffectiveGroups(tab);
|
LogEffectiveGroups(tab);
|
||||||
LogGroup("App: real group:", rgid);
|
LogGroup("App: real group:", rgid);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
void App::LogUserGroups()
|
void App::LogUserGroups()
|
||||||
{
|
{
|
||||||
LogUsers();
|
LogUsers();
|
||||||
LogGroups();
|
LogGroups();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
@ -846,84 +846,114 @@ bool App::DropPrivileges(const std::string & user, uid_t uid, gid_t gid, bool ad
|
||||||
{
|
{
|
||||||
if( additional_groups )
|
if( additional_groups )
|
||||||
{
|
{
|
||||||
if( initgroups(user.c_str(), gid) < 0 )
|
if( initgroups(user.c_str(), gid) < 0 )
|
||||||
{
|
{
|
||||||
log << log1 << "App: I can't init groups for user: " << user << logend << logsave;
|
log << log1 << "App: I can't init groups for user: " << user << logend << logsave;
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
if( setgroups(1, &gid) < 0 )
|
if( setgroups(1, &gid) < 0 )
|
||||||
{
|
{
|
||||||
log << log1 << "App: I can't init groups for user: " << user << logend << logsave;
|
log << log1 << "App: I can't init groups for user: " << user << logend << logsave;
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// for setting real and saved gid too
|
// for setting real and saved gid too
|
||||||
if( setgid(gid) )
|
if( setgid(gid) )
|
||||||
{
|
{
|
||||||
log << log1 << "App: I can't change real and saved gid" << logend << logsave;
|
log << log1 << "App: I can't change real and saved gid" << logend << logsave;
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
if( setuid(uid) < 0 )
|
if( setuid(uid) < 0 )
|
||||||
{
|
{
|
||||||
log << log1 << "App: I can't drop privileges to user: " << user
|
log << log1 << "App: I can't drop privileges to user: " << user
|
||||||
<< " (uid:" << uid << ")" << logend << logsave;
|
<< " (uid:" << uid << ")" << logend << logsave;
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
if( getuid()==0 || geteuid()==0 )
|
if( getuid()==0 || geteuid()==0 )
|
||||||
{
|
{
|
||||||
log << log1 << "App: sorry, for security reasons you should not run me as the root" << logend << logsave;
|
log << log1 << "App: sorry, for security reasons you should not run me as the root" << logend << logsave;
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
bool App::DropPrivileges()
|
bool App::DropPrivileges()
|
||||||
{
|
{
|
||||||
if( getuid()!=0 && geteuid()!=0 )
|
if( getuid()!=0 && geteuid()!=0 )
|
||||||
return true;
|
return true;
|
||||||
|
|
||||||
log << log2 << "App: dropping privileges" << logend;
|
log << log2 << "App: dropping privileges" << logend;
|
||||||
|
|
||||||
if( config.user.empty() )
|
if( config.user.empty() )
|
||||||
{
|
{
|
||||||
log << log1 << "App: you should specify user name in the config file "
|
log << log1 << "App: you should specify user name in the config file "
|
||||||
<< "to which I have to drop privileges" << logend << logsave;
|
<< "to which I have to drop privileges" << logend << logsave;
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
if( config.group.empty() )
|
if( config.group.empty() )
|
||||||
{
|
{
|
||||||
log << log1 << "App: you should specify group name in the config file "
|
log << log1 << "App: you should specify group name in the config file "
|
||||||
<< "to which I have to drop privileges" << logend << logsave;
|
<< "to which I have to drop privileges" << logend << logsave;
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
passwd * p = getpwnam(config.user.c_str());
|
passwd * p = getpwnam(config.user.c_str());
|
||||||
group * g = getgrnam(config.group.c_str());
|
group * g = getgrnam(config.group.c_str());
|
||||||
|
|
||||||
if( !p )
|
if( !p )
|
||||||
{
|
{
|
||||||
log << log1 << "App: there is no such a user as: \"" << config.user << "\"" << logend << logsave;
|
log << log1 << "App: there is no such a user as: \"" << config.user << "\"" << logend << logsave;
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
if( !g )
|
if( !g )
|
||||||
{
|
{
|
||||||
log << log1 << "App: there is no such a group as: \"" << config.group << "\"" << logend << logsave;
|
log << log1 << "App: there is no such a group as: \"" << config.group << "\"" << logend << logsave;
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
if( !DropPrivileges(config.user, p->pw_uid, g->gr_gid, config.additional_groups) )
|
if( !DropPrivileges(config.user, p->pw_uid, g->gr_gid, config.additional_groups) )
|
||||||
return false;
|
return false;
|
||||||
|
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
bool App::Demonize()
|
||||||
|
{
|
||||||
|
// in linux fork() should be used twice
|
||||||
|
|
||||||
|
int pid = fork();
|
||||||
|
|
||||||
|
if( pid == -1 )
|
||||||
|
{
|
||||||
|
log << log1 << "App: I can't demonize myself (fork problem)" << logend << logsave;
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
if( pid != 0 )
|
||||||
|
{
|
||||||
|
// parent
|
||||||
|
exit(0);
|
||||||
|
}
|
||||||
|
|
||||||
|
// child
|
||||||
|
if( setsid() == -1 )
|
||||||
|
{
|
||||||
|
log << log1 << "App: I can't demonize myself (setsid problem)" << logend << logsave;
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
|
@ -52,7 +52,7 @@ public:
|
||||||
void Close();
|
void Close();
|
||||||
bool DropPrivileges();
|
bool DropPrivileges();
|
||||||
void LogUserGroups();
|
void LogUserGroups();
|
||||||
|
bool Demonize();
|
||||||
|
|
||||||
// configuration read from a config file
|
// configuration read from a config file
|
||||||
Config config;
|
Config config;
|
||||||
|
|
|
@ -89,6 +89,8 @@ bool Config::ReadConfig(bool errors_to_stdout_, bool stdout_is_closed)
|
||||||
|
|
||||||
void Config::AssignValues(bool stdout_is_closed)
|
void Config::AssignValues(bool stdout_is_closed)
|
||||||
{
|
{
|
||||||
|
demonize = Bool("demonize", true);
|
||||||
|
|
||||||
user = Text("user");
|
user = Text("user");
|
||||||
group = Text("group");
|
group = Text("group");
|
||||||
additional_groups = Bool("additional_groups", true);
|
additional_groups = Bool("additional_groups", true);
|
||||||
|
|
|
@ -21,9 +21,14 @@ class Config
|
||||||
{
|
{
|
||||||
public:
|
public:
|
||||||
|
|
||||||
// name of the config file (full path can be)
|
// name of the config file
|
||||||
|
// this is the parameter passed to winix programm
|
||||||
std::string config_file;
|
std::string config_file;
|
||||||
|
|
||||||
|
// start as a demon (in the background)
|
||||||
|
// default: true
|
||||||
|
bool demonize;
|
||||||
|
|
||||||
// system user name (to which drop privileges)
|
// system user name (to which drop privileges)
|
||||||
// used only if winix is started as the root
|
// used only if winix is started as the root
|
||||||
std::string user;
|
std::string user;
|
||||||
|
@ -47,6 +52,8 @@ public:
|
||||||
int log_level;
|
int log_level;
|
||||||
|
|
||||||
// logging to stdout too
|
// logging to stdout too
|
||||||
|
// only if demonize is 'false'
|
||||||
|
// default: false
|
||||||
bool log_stdout;
|
bool log_stdout;
|
||||||
|
|
||||||
// how many requests should be logged in the same time
|
// how many requests should be logged in the same time
|
||||||
|
|
|
@ -68,7 +68,7 @@ int main(int argv, char ** argc)
|
||||||
if( !app.config.ReadConfig(true, false) ) /* errors to stdout, stdout in not closed */
|
if( !app.config.ReadConfig(true, false) ) /* errors to stdout, stdout in not closed */
|
||||||
return 2;
|
return 2;
|
||||||
|
|
||||||
if( app.stdout_is_closed )
|
if( app.stdout_is_closed || app.config.demonize )
|
||||||
app.config.log_stdout = false;
|
app.config.log_stdout = false;
|
||||||
|
|
||||||
// closing descriptors only at the beginning
|
// closing descriptors only at the beginning
|
||||||
|
@ -90,6 +90,9 @@ int main(int argv, char ** argc)
|
||||||
|
|
||||||
app.LogUserGroups();
|
app.LogUserGroups();
|
||||||
|
|
||||||
|
if( app.config.demonize && !app.Demonize() )
|
||||||
|
return 4;
|
||||||
|
|
||||||
// app.config.base_server can be changed (stripped from 'http://' or a last slash)
|
// app.config.base_server can be changed (stripped from 'http://' or a last slash)
|
||||||
// it is done when the config is read
|
// it is done when the config is read
|
||||||
log << log3 << "base_server: " << app.config.base_server << logend;
|
log << log3 << "base_server: " << app.config.base_server << logend;
|
||||||
|
|
Loading…
Reference in New Issue