KumiSystems/openwrtv4
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

lldpd: add option to disable privilege separation

Browse source 
Helpful to disable when debugging lldpd crashes (when working on it).
When privilege separation is on, some crashes are stack-traced to
some privilege separation code.

Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>

SVN-Revision: 44967
This commit is contained in:
Jo-Philipp Wich 2015-03-24 10:13:08 +00:00
parent 02e2548b84
commit 437d710546
3 changed files with 80 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
package/network/services/lldpd/Config.in
View file

@ -1,6 +1,11 @@
menu "Configuration" menu "Configuration"
depends on PACKAGE_lldpd depends on PACKAGE_lldpd
config LLDPD_WITH_PRIVSEP
bool
default y
prompt "Enable privilege separation (run lldpd with a chrooted 'lldp' user)"
config LLDPD_WITH_CDP config LLDPD_WITH_CDP
bool bool
default y default y

2
package/network/services/lldpd/Makefile
View file

@ -85,9 +85,11 @@ define Package/lldpd/conffiles
endef endef
CONFIGURE_ARGS += \ CONFIGURE_ARGS += \
$(if $(CONFIG_LLDPD_WITH_PRIVSEP), \
--with-privsep-user=lldp \ --with-privsep-user=lldp \
--with-privsep-group=lldp \ --with-privsep-group=lldp \
--with-privsep-chroot=/var/run/lldp \ --with-privsep-chroot=/var/run/lldp \
,--disable-privsep) \
--with-readline=no \ --with-readline=no \
--with-embedded-libevent=no \ --with-embedded-libevent=no \
$(if $(CONFIG_LLDPD_WITH_CDP),,--disable-cdp) \ $(if $(CONFIG_LLDPD_WITH_CDP),,--disable-cdp) \

73
package/network/services/lldpd/patches/001-priv-don-t-lookup-for-_lldpd-when-privsep-is-disable.patch Normal file
View file

@ -0,0 +1,73 @@
From 28bf40220840c277d70ed66f6d58729ebb975de8 Mon Sep 17 00:00:00 2001
From: Vincent Bernat <vincent@bernat.im>
Date: Thu, 12 Feb 2015 08:07:43 +0100
Subject: [PATCH] priv: don't lookup for _lldpd when privsep is disabled
Closes #95
---
src/daemon/lldpd.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/src/daemon/lldpd.c b/src/daemon/lldpd.c
index f868fc7..6a3a160 100644
--- a/src/daemon/lldpd.c
+++ b/src/daemon/lldpd.c
@@ -1335,11 +1335,13 @@ lldpd_main(int argc, char *argv[], char *envp[])
int receiveonly = 0;
int ctl;
+#ifdef ENABLE_PRIVSEP
/* Non privileged user */
struct passwd *user;
struct group *group;
uid_t uid;
gid_t gid;
+#endif
saved_argv = argv;
@@ -1493,12 +1495,14 @@ lldpd_main(int argc, char *argv[], char *envp[])
log_debug("main", "lldpd starting...");
/* Grab uid and gid to use for priv sep */
+#ifdef ENABLE_PRIVSEP
if ((user = getpwnam(PRIVSEP_USER)) == NULL)
fatal("main", "no " PRIVSEP_USER " user for privilege separation");
uid = user->pw_uid;
if ((group = getgrnam(PRIVSEP_GROUP)) == NULL)
fatal("main", "no " PRIVSEP_GROUP " group for privilege separation");
gid = group->gr_gid;
+#endif
/* Create and setup socket */
int retry = 1;
@@ -1526,12 +1530,14 @@ lldpd_main(int argc, char *argv[], char *envp[])
log_warn("main", "unable to create control socket");
fatalx("giving up");
}
+#ifdef ENABLE_PRIVSEP
if (chown(ctlname, uid, gid) == -1)
log_warn("main", "unable to chown control socket");
if (chmod(ctlname,
S_IRUSR | S_IWUSR | S_IXUSR |
S_IRGRP | S_IWGRP | S_IXGRP) == -1)
log_warn("main", "unable to chmod control socket");
+#endif
/* Disable SIGPIPE */
signal(SIGPIPE, SIG_IGN);
@@ -1576,7 +1582,11 @@ lldpd_main(int argc, char *argv[], char *envp[])
}
log_debug("main", "initialize privilege separation");
+#ifdef ENABLE_PRIVSEP
priv_init(PRIVSEP_CHROOT, ctl, uid, gid);
+#else
+ priv_init(PRIVSEP_CHROOT, ctl, 0, 0);
+#endif
/* Initialization of global configuration */
if ((cfg = (struct lldpd *)
--
2.1.2