Add privileged services
This allows running things like kfcgi which do their own privilege dropping and chrooting. Need to update the examples with something like that.
This commit is contained in:
parent
e381f7bbe3
commit
7d04a0f5e0
@ -1,4 +1,4 @@
|
|||||||
.Dd August 13, 2020
|
.Dd August 16, 2020
|
||||||
.Dt CATSIT.CONF 5
|
.Dt CATSIT.CONF 5
|
||||||
.Os
|
.Os
|
||||||
.
|
.
|
||||||
@ -45,6 +45,19 @@ is executed using the shell.
|
|||||||
The shell variable
|
The shell variable
|
||||||
.Va $0
|
.Va $0
|
||||||
is set to the name of the service.
|
is set to the name of the service.
|
||||||
|
.
|
||||||
|
.It Ar @service Ar command ...
|
||||||
|
Service names beginning with
|
||||||
|
.Ql @
|
||||||
|
define
|
||||||
|
.Em privileged
|
||||||
|
services,
|
||||||
|
which are started with the same user and group as
|
||||||
|
.Xr catsitd 8 .
|
||||||
|
This can be used for services
|
||||||
|
which drop their own privileges
|
||||||
|
or which call
|
||||||
|
.Xr chroot 2 .
|
||||||
.El
|
.El
|
||||||
.
|
.
|
||||||
.Sh EXAMPLES
|
.Sh EXAMPLES
|
||||||
|
1
daemon.h
1
daemon.h
@ -112,6 +112,7 @@ enum State {
|
|||||||
struct Service {
|
struct Service {
|
||||||
char *name;
|
char *name;
|
||||||
char *command;
|
char *command;
|
||||||
|
bool privileged;
|
||||||
enum State intent;
|
enum State intent;
|
||||||
enum State state;
|
enum State state;
|
||||||
pid_t pid;
|
pid_t pid;
|
||||||
|
16
service.c
16
service.c
@ -100,6 +100,8 @@ int serviceAdd(const char *name, const char *command) {
|
|||||||
service->command = strdup(command);
|
service->command = strdup(command);
|
||||||
if (!service->command) goto err;
|
if (!service->command) goto err;
|
||||||
|
|
||||||
|
if (name[0] == '@') service->privileged = true;
|
||||||
|
|
||||||
int error = pipe2(service->outPipe, O_CLOEXEC);
|
int error = pipe2(service->outPipe, O_CLOEXEC);
|
||||||
if (error) goto err;
|
if (error) goto err;
|
||||||
|
|
||||||
@ -181,14 +183,16 @@ void serviceStart(struct Service *service) {
|
|||||||
int error = chdir(serviceDir);
|
int error = chdir(serviceDir);
|
||||||
if (error) err(ExitNoExec, "%s", serviceDir);
|
if (error) err(ExitNoExec, "%s", serviceDir);
|
||||||
|
|
||||||
error = setgid(serviceGID);
|
if (!service->privileged) {
|
||||||
if (error) err(ExitNoExec, "setgid");
|
error = setgid(serviceGID);
|
||||||
|
if (error) err(ExitNoExec, "setgid");
|
||||||
|
|
||||||
error = setgroups(1, &serviceGID);
|
error = setgroups(1, &serviceGID);
|
||||||
if (error) err(ExitNoExec, "setgroups");
|
if (error) err(ExitNoExec, "setgroups");
|
||||||
|
|
||||||
error = setuid(serviceUID);
|
error = setuid(serviceUID);
|
||||||
if (error) err(ExitNoExec, "setuid");
|
if (error) err(ExitNoExec, "setuid");
|
||||||
|
}
|
||||||
|
|
||||||
size_t len = 0;
|
size_t len = 0;
|
||||||
char command[ARG_MAX];
|
char command[ARG_MAX];
|
||||||
|
Loading…
Reference in New Issue
Block a user