authorWayne Davison <wayned@samba.org>2017-09-04 14:20:16 -0700
committerWayne Davison <wayned@samba.org>2017-09-04 14:20:16 -0700
commit881addc9e14a584a461929801968d9824281fab2 (patch)
tree930a03ee78dad7f81ddb82386f0e3f916a130efe /clientserver.c
parentb7799aaefe58c2e222224c83b02c3d763b01ef93 (diff)
Add "daemon chroot|uid|gid" parameters.
This allows the daemon to run chrooted as any uid+gid you like (prior to the transfer possibly changing the chroot and/or the uid+gid further). Based on the patch in #12817.
Diffstat (limited to 'clientserver.c')
-rw-r--r--clientserver.c38
1 files changed, 36 insertions, 2 deletions
diff --git a/clientserver.c b/clientserver.c
index 91aee270..7c79e90a 100644
--- a/clientserver.c
+++ b/clientserver.c
@@ -426,7 +426,7 @@ static int read_arg_from_pipe(int fd, char *buf, int limit)
static int path_failure(int f_out, const char *dir, BOOL was_chdir)
{
if (was_chdir)
- rsyserr(FLOG, errno, "chdir %s failed\n", dir);
+ rsyserr(FLOG, errno, "chdir %s failed", dir);
else
rprintf(FLOG, "normalize_path(%s) failed\n", dir);
io_printf(f_out, "@ERROR: chdir failed\n");
@@ -794,7 +794,7 @@ static int rsync_module(int f_in, int f_out, int i, const char *addr, const char
if (!change_dir(module_chdir, CD_NORMAL))
return path_failure(f_out, module_chdir, True);
- if (module_dirlen || !use_chroot)
+ if (module_dirlen || (!use_chroot && !*lp_daemon_chroot()))
sanitize_paths = 1;
if ((munge_symlinks = lp_munge_symlinks(i)) < 0)
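Review bot: The new `sanitize_paths` condition has no comment explaining why a daemon-wide chroot is enough to skip path sanitizing when the module's `use_chroot` is off. In that configuration confinement is the daemon chroot directory, not the module's own path, so the check relies entirely on `module_dirlen` being non-zero for any module that is not the chroot root. `module_dirlen` is set outside this hunk, so that should be confirmed. I would add above the `if` something like `/* A daemon chroot can stand in for the per-module chroot only when the module is the chroot root; module_dirlen forces sanitizing otherwise. */`, adjusted to whatever the code that sets it guarantees.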
@@ -1039,6 +1039,7 @@ int start_daemon(int f_in, int f_out)
{
char line[1024];
const char *addr, *host;
+ char *p;
int i;
io_set_sock_fds(f_in, f_out);
@@ -1050,6 +1051,39 @@ int start_daemon(int f_in, int f_out)
if (!load_config(0))
exit_cleanup(RERR_SYNTAX);
+ p = lp_daemon_chroot();
+ if (*p) {
+ log_init(0); /* Make use we've initialized syslog before chrooting. */
+ if (chroot(p) < 0 || chdir("/") < 0) {
+ rsyserr(FLOG, errno, "daemon chroot %s failed", p);
+ return -1;
+ }
+ }
+ p = lp_daemon_gid();
+ if (*p) {
+ gid_t gid;
+ if (!group_to_gid(p, &gid, True)) {
+ rprintf(FLOG, "Invalid daemon gid: %s\n", p);
+ return -1;
+ }
+ if (setgid(gid) < 0) {
+ rsyserr(FLOG, errno, "Unable to set group to daemon gid %ld", (long)gid);
+ return -1;
+ }
+ }
+ p = lp_daemon_uid();
+ if (*p) {
+ uid_t uid;
+ if (!user_to_uid(p, &uid, True)) {
+ rprintf(FLOG, "Invalid daemon uid: %s\n", p);
+ return -1;
+ }
+ if (setuid(uid) < 0) {
+ rsyserr(FLOG, errno, "Unable to set user to daemon uid %ld", (long)uid);
+ return -1;
+ }
+ }
+
addr = client_addr(f_in);
host = lp_reverse_lookup(-1) ? client_name(f_in) : undetermined_hostname;
rprintf(FLOG, "connect from %s (%s)\n", host, addr);
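Review bot: The `daemon gid` block calls `setgid(gid)` but never resets the supplementary group list, so a daemon started as root keeps root's supplementary groups after the later `setuid(uid)`. Clearing them while still privileged, next to the `setgid()` call, closes that gap: `if (setgroups(1, &gid) < 0) { rsyserr(FLOG, errno, "setgroups failed"); return -1; }`, under whatever portability guard the project uses for setgroups. Separately, `group_to_gid()` and `user_to_uid()` run after `chroot(p)`, so names are presumably resolved against files inside the chroot; a comment saying that numeric ids avoid this dependency would help. The comment on `log_init(0)` should read "Make sure", not "Make use". The body of start_daemon continues outside the hunk.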