[Spread-users] [PATCH] spread_params.h configuration via spread.conf

Daniel Rall dlr at finemaltcoding.com
Tue Aug 27 17:49:18 EDT 2002


The following patch takes three #defines from spread_params.h which
were previously configurable only at compile-time (SP_RUNTIME_DIR,
SP_USER, and SP_GROUP), and allows (optional) runtime configuration
via your spread.conf file.  Backwards compatibility is preserved by
keeping the #defines around and making them the default values for
each configuration parameter.

Use case: Your Spread daemon's runtime directory must be relocatable
at runtime.  Different installations of Spread will have different
directory structure requirements.  You may wish to run multiple
instances of the Spread daemon on different ports as root.  Etc.

Use case: The user and/or group your Spread daemon should run as at
runtime is not known at compile-time.  This situation occurs often
when those installing software which uses Spread aren't the same
people as those who built the daemon.

In addition to the new features noted above, this patch also improves
the error handling of the chroot block from the main() function of
spread.c.  This patch is against CVS HEAD of the spread/daemon/ module
from Tue Aug 27, 2002.

Index: config_gram.l
===================================================================
RCS file: /storage/cvsroot/spread/daemon/config_gram.l,v
retrieving revision 1.2
diff -u -r1.2 config_gram.l
--- config_gram.l	27 Aug 2002 01:10:52 -0000	1.2
+++ config_gram.l	27 Aug 2002 20:41:15 -0000
@@ -77,6 +77,9 @@
 DebugFlags                      { return DEBUGFLAGS; }
 DangerousMonitor                { return DANGEROUSMONITOR; }
 SocketPortReuse                 { return SOCKETPORTREUSE; }
+RuntimeDir                      { return RUNTIMEDIR; }
+DaemonUser                      { return SPUSER; }
+DaemonGroup                     { return SPGROUP; }
 RequiredAuthMethods             { return REQUIREDAUTHMETHODS; }
 AllowedAuthMethods              { return ALLOWEDAUTHMETHODS; }
 AccessControlPolicy             { return ACCESSCONTROLPOLICY; }
Index: config_parse.y
===================================================================
RCS file: /storage/cvsroot/spread/daemon/config_parse.y,v
retrieving revision 1.2
diff -u -r1.2 config_parse.y
--- config_parse.y	27 Aug 2002 01:10:52 -0000	1.2
+++ config_parse.y	27 Aug 2002 20:41:16 -0000
@@ -187,7 +187,7 @@
 %token DDEBUG DEXIT DPRINT DDATA_LINK DNETWORK DPROTOCOL DSESSION
 %token DCONF DMEMB DFLOW_CONTROL DSTATUS DEVENTS DGROUPS DMEMORY
 %token DSKIPLIST DACM DALL DNONE
-%token DANGEROUSMONITOR SOCKETPORTREUSE ALLOWEDAUTHMETHODS REQUIREDAUTHMETHODS ACCESSCONTROLPOLICY
+%token DANGEROUSMONITOR SOCKETPORTREUSE RUNTIMEDIR SPUSER SPGROUP ALLOWEDAUTHMETHODS REQUIREDAUTHMETHODS ACCESSCONTROLPOLICY
 %token SP_BOOL LINKPROTOCOL PHOP PTCPHOP
 %token IMONITOR ICLIENT IDAEMON
 %token ROUTEMATRIX LINKCOST
@@ -290,6 +290,18 @@
                                 state = port_reuse_auto;
                             }
                             Conf_set_port_reuse_type(state);
+                        }
+                |       RUNTIMEDIR EQUALS STRING
+                        {
+                            Conf_set_runtime_dir($3.string);
+                        }
+                |       SPUSER EQUALS STRING
+                        {
+                            Conf_set_user($3.string);
+                        }
+                |       SPGROUP EQUALS STRING
+                        {
+                            Conf_set_group($3.string);
                         }
                 |       ALLOWEDAUTHMETHODS EQUALS STRING
                         {
Index: configuration.c
===================================================================
RCS file: /storage/cvsroot/spread/daemon/configuration.c,v
retrieving revision 1.3
diff -u -r1.3 configuration.c
--- configuration.c	27 Aug 2002 01:10:52 -0000	1.3
+++ configuration.c	27 Aug 2002 20:41:16 -0000
@@ -68,6 +68,7 @@
 #endif	/* ARCH_PC_WIN95 */
 
 #include <stdio.h>
+#include <stdlib.h>
 #include <string.h> 
 #include <assert.h>
 
@@ -78,6 +79,7 @@
 #undef  ext_conf_body
 
 #include "alarm.h"
+#include "spread_params.h"
 
 static	proc		My;
 
@@ -89,6 +91,12 @@
 
 static  port_reuse SocketPortReuse = port_reuse_auto;
 
+static  char    *RuntimeDir = NULL;
+
+static	char	*User = NULL;
+
+static	char	*Group = NULL;
+
 static  int     Link_Protocol;
 
 int		Conf_init( char *file_name, char *my_name )
@@ -546,4 +554,56 @@
                 return;
         }
         SocketPortReuse = state;
+}
+
+static void set_param_if_valid(char **param, char *value, char *description)
+{
+        if (value != NULL && *value != '\0')
+        {
+                int len = strlen(value);
+                char *buf = malloc(len + 1);
+                if (buf == NULL)
+                {
+                        Alarm(EXIT, "Spread: Out of memory");
+                }
+                strncpy(buf, value, len);
+                buf[len] = '\0';
+
+                *param = buf;
+                Alarm(PRINT, "Set %s to '%s'\n", description, value);
+        }
+        else
+        {
+                Alarm(DEBUG, "Ignored invalid %s\n", description);
+        }
+}
+
+char    *Conf_get_runtime_dir(void)
+{
+        return (RuntimeDir != NULL ? RuntimeDir : SP_RUNTIME_DIR);
+}
+
+void    Conf_set_runtime_dir(char *dir)
+{
+        set_param_if_valid(&RuntimeDir, dir, "runtime directory");
+}
+
+char    *Conf_get_user(void)
+{
+        return (User != NULL ? User : SP_USER);
+}
+
+void    Conf_set_user(char *user)
+{
+        set_param_if_valid(&User, user, "user name");
+}
+
+char    *Conf_get_group(void)
+{
+        return (Group != NULL ? Group : SP_GROUP);
+}
+
+void    Conf_set_group(char *group)
+{
+        set_param_if_valid(&Group, group, "group name");
 }
Index: configuration.h
===================================================================
RCS file: /storage/cvsroot/spread/daemon/configuration.h,v
retrieving revision 1.2
diff -u -r1.2 configuration.h
--- configuration.h	27 Aug 2002 01:10:52 -0000	1.2
+++ configuration.h	27 Aug 2002 20:41:16 -0000
@@ -104,6 +104,12 @@
 void            Conf_set_dangerous_monitor_state(bool new_state);
 port_reuse      Conf_get_port_reuse_type(void);
 void            Conf_set_port_reuse_type(port_reuse state);
+char            *Conf_get_runtime_dir(void);
+void            Conf_set_runtime_dir(char *dir);
+char            *Conf_get_user(void);
+void            Conf_set_user(char *dir);
+char            *Conf_get_group(void);
+void            Conf_set_group(char *dir);
 int             Conf_get_link_protocol(void);
 void            Conf_set_link_protocol(int protocol);
 
Index: sample.spread.conf
===================================================================
RCS file: /storage/cvsroot/spread/daemon/sample.spread.conf,v
retrieving revision 1.3
diff -u -r1.3 sample.spread.conf
--- sample.spread.conf	27 Aug 2002 01:10:52 -0000	1.3
+++ sample.spread.conf	27 Aug 2002 20:41:17 -0000
@@ -86,6 +86,20 @@
 
 #SocketPortReuse = AUTO
 
+#Sets the runtime directory used when the Spread daemon is run as root
+# as the directory to chroot to.  Defaults to the value of the
+# compile-time preprocessor define SP_RUNTIME_DIR, which is generally
+# "/var/run/spread".
+
+#RuntimeDir = /var/run/spread
+
+#Sets the unix user that the Spread daemon runs as (when launched as
+# the "root" user).  Not effective on # a Windows system.  Defaults to
+# the user and group "spread".
+
+#DaemonUser = spread
+#DaemonGroup = spread
+
 #Set the list of authentication methods that the daemon will allow
 # and those which are required in all cases.
 # All of the methods listed in "RequiredAuthMethods" will be checked,
Index: spread.c
===================================================================
RCS file: /storage/cvsroot/spread/daemon/spread.c,v
retrieving revision 1.9
diff -u -r1.9 spread.c
--- spread.c	2 Apr 2002 08:50:26 -0000	1.9
+++ spread.c	27 Aug 2002 20:41:17 -0000
@@ -61,6 +61,7 @@
 static	char		Config_file[80];
 static	int		Log;
 
+static	void	Invalid_privilege_decrease(char *user, char *group);
 static	void	Usage(int argc, char *argv[]);
 
 /* auth-null.c: */
@@ -160,19 +161,24 @@
 
 	/* Yupp, we're paranoid */
  
-	if (geteuid()) {
+	if (geteuid() != (uid_t) 0) {
                 Alarm( PRINT, "Spread: not running as root, won't chroot\n" );
 	}
-	else if ( (grp = getgrnam(SP_GROUP)) == NULL
-                  || (pwd = getpwnam(SP_USER)) == NULL
-                  || chdir(SP_RUNTIME_DIR) < 0
-                  || chroot(SP_RUNTIME_DIR) < 0
-                  || setgroups(0, 0) < 0
+	else if ( (grp = getgrnam(Conf_get_group())) == NULL
+                  || (pwd = getpwnam(Conf_get_user())) == NULL ) {
+            Invalid_privilege_decrease(Conf_get_user(), Conf_get_group());
+	}
+	else if (chdir(Conf_get_runtime_dir()) < 0
+                  || chroot(Conf_get_runtime_dir()) < 0 ) {
+            Alarm( PRINT, "Spread: FAILED chroot to '%s'\n",
+                   Conf_get_runtime_dir() );
+            Alarm( EXIT, "Spread: FAILED chroot to '%s'\n",
+                   Conf_get_runtime_dir() );
+	}
+	else if ( setgroups(0, 0) < 0
                   || setgid(grp->gr_gid) < 0
-                  || setuid(pwd->pw_uid) < 0) 
-        {
-                Alarm( PRINT, "Spread: FAILED -- chroot or privledge drop -- check spread_params.h for directory and user/group names\n");
-                Alarm( EXIT, "Spread: FAILED to give up privileges or chroot\n");
+                  || setuid(pwd->pw_uid) < 0) {
+            Invalid_privilege_decrease(Conf_get_user(), Conf_get_group());
 	} else {
                 Alarm( PRINT, "Spread: setugid and chroot successeful\n" );
 	}
@@ -190,6 +196,16 @@
                "\t[-l y/n]          : print log",
                "\t[-n <proc name>]  : force computer name",
                "\t[-c <file name>]  : specify configuration file" );
+}
+
+static	void	Invalid_privilege_decrease(char *user, char *group)
+{
+        Alarm( PRINT, "Spread: FAILED privilege drop to user/group "
+               "'%s/%s' (defined in spread.conf or spread_params.h)\n",
+               user, group );
+        Alarm( EXIT, "Spread: FAILED privilege drop to user/group "
+               "'%s/%s' (defined in spread.conf or spread_params.h)\n",
+               user, group );
 }
 
 static	void	Usage(int argc, char *argv[])

-- 

Daniel Rall <dlr at finemaltcoding.com>




More information about the Spread-users mailing list