diff options
-rw-r--r-- | pies/limits.c | 31 | ||||
-rw-r--r-- | pies/pies.c | 30 | ||||
-rw-r--r-- | pies/pies.h | 2 | ||||
-rw-r--r-- | pies/progman.c | 10 |
4 files changed, 59 insertions, 14 deletions
diff --git a/pies/limits.c b/pies/limits.c index 6c0d48e..90d6459 100644 --- a/pies/limits.c +++ b/pies/limits.c @@ -51,7 +51,7 @@ do_set_limit (int rlimit, rlim_t limit) struct rlimit rlim; MU_DEBUG2 (pies_debug, MU_DEBUG_TRACE1, - "Setting limit %d to %lu", rlimit, (unsigned long) limit); + "Setting limit %d to %lu\n", rlimit, (unsigned long) limit); rlim.rlim_cur = limit; rlim.rlim_max = limit; @@ -67,7 +67,7 @@ do_set_limit (int rlimit, rlim_t limit) static int set_prio (int prio) { - MU_DEBUG1 (pies_debug, MU_DEBUG_TRACE2, "Setting priority to %d", prio); + MU_DEBUG1 (pies_debug, MU_DEBUG_TRACE2, "Setting priority to %d\n", prio); if (setpriority (PRIO_PROCESS, 0, prio)) { mu_diag_output (MU_DIAG_NOTICE, _("error setting priority: %s"), @@ -93,7 +93,7 @@ set_limits (const char *name, struct limits_rec *lrec) if (!lrec) return 0; - MU_DEBUG1 (pies_debug, MU_DEBUG_TRACE2, "Setting limits for %s", name); + MU_DEBUG1 (pies_debug, MU_DEBUG_TRACE2, "Setting limits for %s\n", name); #if defined(RLIMIT_AS) if (lrec->set & SET_LIMIT_AS) @@ -145,12 +145,20 @@ set_limits (const char *name, struct limits_rec *lrec) int getlimit (char **ptr, rlim_t *rlim, int mul) { - unsigned long val; - - val = strtoul (*ptr, ptr, 10); - if (val == 0) - return 1; - *rlim = val * mul; + if (**ptr == '-') + { + *rlim = RLIM_INFINITY; + ++*ptr; + } + else + { + unsigned long val; + + val = strtoul (*ptr, ptr, 10); + if (val == 0) + return 1; + *rlim = val * mul; + } return 0; } @@ -159,9 +167,10 @@ getlimit (char **ptr, rlim_t *rlim, int mul) The string consists of _commands_, optionally separated by any amount of whitespace. A command has the following form: - [AaCcDdFfMmNnRrSsTtUuLlPp][0-9]+ + [AaCcDdFfMmNnRrSsTtUuLlPp](-|[0-9]+) - i.e. a letter followed by number, and is interpreted as follows: + i.e. a letter followed by number or a dash. The latters stands for + 'unlimited'. Commands are interpreted as follows: Command ulimit setrlimit() The limit it sets option arg diff --git a/pies/pies.c b/pies/pies.c index b1d4940..9fc7a81 100644 --- a/pies/pies.c +++ b/pies/pies.c @@ -629,6 +629,9 @@ struct mu_cfg_param component_cfg_param[] = { { "group", mu_cfg_callback, NULL, mu_offsetof (struct component, privs.groups), _cb_group, N_("Retain supplementary group.") }, + { "allgroups", mu_cfg_bool, NULL, + mu_offsetof (struct component, privs.allgroups), NULL, + N_("Retain all supplementary groups of which user is a member.") }, { "umask", mu_cfg_callback, NULL, mu_offsetof (struct component, umask), _cb_umask, N_("Force this umask."), @@ -780,6 +783,8 @@ struct mu_cfg_param pies_cfg_param[] = { N_("Run with this user privileges.") }, { "group", mu_cfg_callback, &pies_user.groups, 0, _cb_group, N_("Retain supplementary group.") }, + { "allgroups", mu_cfg_bool, &pies_user.allgroups, 0, NULL, + N_("Retain all supplementary groups of which user is a member.") }, { "umask", mu_cfg_callback, &pies_umask, 0, _cb_umask, N_("Force this umask."), N_("arg: number") }, @@ -910,6 +915,29 @@ version (FILE *stream, struct argp_state *state) } +static void +pies_add_allgroups (mu_list_t *pgrouplist, const char *user) +{ + struct group *gr; + mu_list_t list; + if (!*pgrouplist) + mu_list_create (pgrouplist); + list = *pgrouplist; + setgrent (); + while (gr = getgrent ()) + { + char **p; + for (p = gr->gr_mem; *p; p++) + if (strcmp (*p, user) == 0) + { + /* FIXME: Avoid duplicating gids */ + mu_list_append (list, (void*)gr->gr_gid); + break; + } + } + endgrent (); +} + void priv_setup (struct pies_privs_data *pr) { @@ -921,6 +949,8 @@ priv_setup (struct pies_privs_data *pr) mu_error (_("No such user: %s"), pr->user); exit (EX_CONFIG); } + if (pr->allgroups) + pies_add_allgroups (&pr->groups, pr->user); if (pw && switch_to_privs (pw->pw_uid, pw->pw_gid, pr->groups)) exit (EX_SOFTWARE); } diff --git a/pies/pies.h b/pies/pies.h index 4d57fd7..4930de4 100644 --- a/pies/pies.h +++ b/pies/pies.h @@ -60,6 +60,7 @@ struct pies_privs_data { char *user; mu_list_t groups; + int allgroups; }; #define MAX_RETURN_CODE 127 @@ -138,6 +139,7 @@ void progman_cleanup (int expect_term); void progman_stop_component (const char *name); void progman_dump_stats (const char *filename); int progman_accept (int socket); +int progman_build_depmap (void); void log_setup (int want_stderr); void signal_setup (RETSIGTYPE (*sf)(int)); diff --git a/pies/progman.c b/pies/progman.c index 9d37e67..c93ed9c 100644 --- a/pies/progman.c +++ b/pies/progman.c @@ -812,9 +812,10 @@ progman_accept (int socket) return 0; } -static void -build_depmap () +int +progman_build_depmap () { + int rc = 0; unsigned i; struct prog *prog; pies_depmap_t dp; @@ -832,6 +833,7 @@ build_depmap () mu_error (_("component %s depends on %s, " "which is not declared"), prog->tag, prog->depend[i]); + rc++; } else depmap_set (depmap, prog->idx, dep->idx); @@ -845,8 +847,10 @@ build_depmap () prog = prog_lookup_by_idx (i); mu_error (_("component %s depends on itself"), prog->tag); prog->v.p.status = status_disabled; + rc++; } free (dp); + return rc; } void @@ -854,7 +858,7 @@ progman_start () { struct prog *prog; - build_depmap (); + progman_build_depmap (); MU_DEBUG (pies_debug, MU_DEBUG_TRACE1, "Starting components\n"); for (prog = proghead; prog; prog = prog->next) |