Switch to non-privileged UID/GID before startup.

* src/userprivs.c: New file.
* src/Makefile.am (wydawca_SOURCES): Add userprivs.c
* src/config.c (cb_access_method_params): Add missing gl_list_iterator_free.
(cb_user, cb_supp_groups): New callbacks.
(wydawca_kw): New keywords: user and group.

* src/wydawca.c (wydawca_uid, wydawca_gid)
(wydawca_supp_groupc, wydawca_supp_groups): New variables.
(wydawca_set_uid, wydawca_set_gid, wydawca_set_privs)
(wydawca_set_triplet_privs, wydawca_set_root_privs): Remove.
(main): --dry-run implies --cron.
Switch to non-privileged UID/GID before startup.
* src/wydawca.h (wydawca_uid, wydawca_gid)
(wydawca_supp_groupc, wydawca_supp_groups): New declarations.

* src/mail.c (do_notify): Duplicate admin_address, it gets freed in do_notify.

* src/directive.c, src/diskio.c, src/lock.c, src/triplet.c: Update.

10 files changed, 260 insertions, 125 deletions

diff --git a/src/Makefile.am b/src/Makefile.am
index c91669e..993ce0d 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -38,2 +38,3 @@ wydawca_SOURCES=\
  triplet.c\
+ userprivs.c\
  verify.c\
diff --git a/src/config.c b/src/config.c
index b1f339f..b6e2533 100644
--- a/src/config.c
+++ b/src/config.c
@@ -980,2 +980,3 @@ cb_access_method_params (enum gconf_callback_command cmd,
         }
+      gl_list_iterator_free (&itr);
       meth->parmv[i] = NULL;
@@ -1226,2 +1227,78 @@ cb_spool (enum gconf_callback_command cmd,
 
+static int
+cb_user (enum gconf_callback_command cmd,
+         gconf_locus_t *locus,
+         void *varptr,
+         gconf_value_t *value,
+         void *cb_data)
+{
+  int rc;
+  struct passwd *pw;
+  
+  if (assert_string_arg (locus, cmd, value))
+    return 1;
+
+  pw = getpwnam (value->v.string);
+  if (!pw)
+    {
+      gconf_error (locus, 0, _("no such user: %s"), value->v.string);
+      return 1;
+    }
+  
+  wydawca_uid = pw->pw_uid;
+  wydawca_gid = pw->pw_gid;
+  return 0;
+}
+
+static int
+cb_supp_groups (enum gconf_callback_command cmd,
+                gconf_locus_t *locus,
+                void *varptr,
+                gconf_value_t *value,
+                void *cb_data)
+{
+  if (cmd != gconf_callback_set_value)
+    {
+      gconf_error (locus, 0, _("Unexpected block statement"));
+      return 1;
+    }
+  if (!value || value->type != GCONF_TYPE_LIST)
+    {
+      gconf_error (locus, 0, _("expected list value"));
+      return 1;
+    }
+
+  wydawca_supp_groupc = gl_list_size (value->v.list);
+  if (wydawca_supp_groupc == 0)
+    wydawca_supp_groups = NULL;
+  else
+    {
+      int i;
+      gl_list_iterator_t itr;
+      const void *p;
+      
+      wydawca_supp_groups = xcalloc (wydawca_supp_groupc,
+                                     sizeof (wydawca_supp_groups[0]));
+      itr = gl_list_iterator (value->v.list);
+      for (i = 0; gl_list_iterator_next (&itr, &p, NULL); i++)
+        {
+          const gconf_value_t *vp = p;
+          struct group *grp;
+          
+          if (assert_string_arg (locus, cmd, vp))
+            break;
+          grp = getgrnam (vp->v.string);
+          if (!grp)
+            {
+              gconf_error (locus, 0, _("no such group: %s"), value->v.string);
+              break;
+            }
+          wydawca_supp_groups[i] = grp->gr_gid;
+        }
+      gl_list_iterator_free (&itr);
+    }
+  return 0;
+}
+              
+
 
@@ -1239,2 +1316,7 @@ static struct gconf_keyword wydawca_kw[] = {
 
+  { "user", N_("name"), N_("Run with UID and GID of this user"),
+    gconf_type_string, NULL, 0, cb_user },
+  { "group", NULL, N_("Retain these supplementary groups"),
+    gconf_type_string|GCONF_LIST, NULL, 0, cb_supp_groups },
+  
   { "locking", NULL, N_("Enable or disable locking"),
diff --git a/src/directive.c b/src/directive.c
index 2915fee..416095f 100644
--- a/src/directive.c
+++ b/src/directive.c
@@ -339,5 +339,3 @@ process_directives (struct file_triplet *trp, const struct spool *spool)
         case filename_dir:
-          wydawca_set_root_privs ();
           rc = verify_detached_signature (trp, spool);
-          wydawca_set_triplet_privs (trp);
           if (rc == 0)
diff --git a/src/diskio.c b/src/diskio.c
index fbd1050..35ba71e 100644
--- a/src/diskio.c
+++ b/src/diskio.c
@@ -60,5 +60,5 @@ concat_dir (const char *base, const char *name, size_t *pbaselen)
 /* Create the directory DIR, eventually creating all intermediate directories
-   starting from DIR + BASELEN, with owner UID and GID. */
+   starting from DIR + BASELEN. */
 int
-create_hierarchy (char *dir, size_t baselen, uid_t uid, gid_t gid)
+create_hierarchy (char *dir, size_t baselen)
 {
@@ -94,3 +94,3 @@ create_hierarchy (char *dir, size_t baselen, uid_t uid, gid_t gid)
 
-  rc = create_hierarchy (dir, baselen, uid, gid);
+  rc = create_hierarchy (dir, baselen);
   if (rc == 0)
@@ -105,7 +105,2 @@ create_hierarchy (char *dir, size_t baselen, uid_t uid, gid_t gid)
         }
-      if (chown (dir, uid, gid))
-        {
-          logmsg (LOG_NOTICE, _("cannot change ownership of %s: %s"),
-                  dir, strerror (errno));
-        }
     }
@@ -118,3 +113,3 @@ create_hierarchy (char *dir, size_t baselen, uid_t uid, gid_t gid)
 char *
-create_directory (const char *base, const char *name, uid_t uid, gid_t gid)
+create_directory (const char *base, const char *name)
 {
@@ -125,7 +120,3 @@ create_directory (const char *base, const char *name, uid_t uid, gid_t gid)
     {
-      int rc;
-      wydawca_set_root_privs ();
-      rc = create_hierarchy (dir, baselen, uid, gid);
-      wydawca_set_privs (uid, gid);
-      if (rc)
+      if (create_hierarchy (dir, baselen))
         {
@@ -139,5 +130,5 @@ create_directory (const char *base, const char *name, uid_t uid, gid_t gid)
 
-/* Copy FILE to DST_FILE, creating the latter with owner UID and GID. */
+/* Copy FILE to DST_FILE. */
 int
-copy_file (const char *file, const char *dst_file, uid_t uid, gid_t gid)
+copy_file (const char *file, const char *dst_file)
 {
@@ -225,6 +216,5 @@ copy_file (const char *file, const char *dst_file, uid_t uid, gid_t gid)
 /* Move FILE to DST_FILE. If they reside on different devices, use copy_file
-   + unlink.
-   UID and GID give DST_FILE ownership. */
+   + unlink. */
 int
-do_move_file (const char *file, const char *dst_file, uid_t uid, gid_t gid)
+do_move_file (const char *file, const char *dst_file)
 {
@@ -236,3 +226,3 @@ do_move_file (const char *file, const char *dst_file, uid_t uid, gid_t gid)
         {
-          if (copy_file (file, dst_file, uid, gid))
+          if (copy_file (file, dst_file))
             {
@@ -301,3 +291,2 @@ tar_append_file (const char *archive, const char *file)
      ARCHIVE         - Archive descriptor.
-     UID, GID        - Ownership
      RELDIR          - Directory part of FILE
@@ -307,3 +296,3 @@ int
 backup_file (const char *dst_file, const char *dst_dir, const char *file,
-             const struct archive_descr *archive, uid_t uid, gid_t gid,
+             const struct archive_descr *archive, 
              const char *reldir)
@@ -315,5 +304,5 @@ backup_file (const char *dst_file, const char *dst_dir, const char *file,
   if (archive->name[0] == '/')
-    adir = create_directory (archive->name, reldir, uid, gid);
+    adir = create_directory (archive->name, reldir);
   else
-    adir = create_directory (dst_dir, archive->name, uid, gid);
+    adir = create_directory (dst_dir, archive->name);
   if (!adir)
@@ -349,3 +338,3 @@ backup_file (const char *dst_file, const char *dst_dir, const char *file,
             {
-              rc = do_move_file (file_name, archive_file_name, uid, gid);
+              rc = do_move_file (file_name, archive_file_name);
               if (rc)
@@ -368,3 +357,3 @@ backup_file (const char *dst_file, const char *dst_dir, const char *file,
     {
-      rc = do_move_file (dst_file, file_name, uid, gid);
+      rc = do_move_file (dst_file, file_name);
       if (rc)
@@ -382,3 +371,3 @@ int
 do_archive_file (const char *dst_file, const char *dst_dir, const char *file,
-                 const struct archive_descr *archive, uid_t uid, gid_t gid,
+                 const struct archive_descr *archive,
                  const char *reldir)
@@ -391,3 +380,3 @@ do_archive_file (const char *dst_file, const char *dst_dir, const char *file,
     case archive_directory:
-      return backup_file (dst_file, dst_dir, file, archive, uid, gid, reldir);
+      return backup_file (dst_file, dst_dir, file, archive, reldir);
 
@@ -417,4 +406,3 @@ dir_move_file (struct file_triplet *trp, const struct spool *spool,
   int rc = 0;
-  char *dst_dir = create_directory (spool->dest_dir, reldir,
-                                    TRIPLET_UID (trp), TRIPLET_GID (trp));
+  char *dst_dir = create_directory (spool->dest_dir, reldir);
 
@@ -430,8 +418,6 @@ dir_move_file (struct file_triplet *trp, const struct spool *spool,
     rc = do_archive_file (dst_file, dst_dir, trp->file[file_id].name,
-                          &spool->archive,
-                          TRIPLET_UID (trp), TRIPLET_GID (trp), reldir);
+                          &spool->archive, reldir);