lldpd: add option to disable privilege separation
authorJo-Philipp Wich <jow@openwrt.org>
Tue, 24 Mar 2015 10:13:08 +0000 (10:13 +0000)
committerJo-Philipp Wich <jow@openwrt.org>
Tue, 24 Mar 2015 10:13:08 +0000 (10:13 +0000)
Helpful to disable when debugging lldpd crashes (when working on it).
When privilege separation is on, some crashes are stack-traced to
some privilege separation code.

Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
SVN-Revision: 44967

package/network/services/lldpd/Config.in
package/network/services/lldpd/Makefile
package/network/services/lldpd/patches/001-priv-don-t-lookup-for-_lldpd-when-privsep-is-disable.patch [new file with mode: 0644]

index a416490..448506d 100644 (file)
@@ -1,6 +1,11 @@
 menu "Configuration"
        depends on PACKAGE_lldpd
 
+config LLDPD_WITH_PRIVSEP
+       bool
+       default y
+       prompt "Enable privilege separation (run lldpd with a chrooted 'lldp' user)"
+
 config LLDPD_WITH_CDP
        bool
        default y
index ff367f1..d80840e 100644 (file)
@@ -85,9 +85,11 @@ define Package/lldpd/conffiles
 endef
 
 CONFIGURE_ARGS += \
+       $(if $(CONFIG_LLDPD_WITH_PRIVSEP), \
        --with-privsep-user=lldp \
        --with-privsep-group=lldp \
        --with-privsep-chroot=/var/run/lldp \
+       ,--disable-privsep) \
        --with-readline=no \
        --with-embedded-libevent=no \
        $(if $(CONFIG_LLDPD_WITH_CDP),,--disable-cdp) \
diff --git a/package/network/services/lldpd/patches/001-priv-don-t-lookup-for-_lldpd-when-privsep-is-disable.patch b/package/network/services/lldpd/patches/001-priv-don-t-lookup-for-_lldpd-when-privsep-is-disable.patch
new file mode 100644 (file)
index 0000000..907c21b
--- /dev/null
@@ -0,0 +1,73 @@
+From 28bf40220840c277d70ed66f6d58729ebb975de8 Mon Sep 17 00:00:00 2001
+From: Vincent Bernat <vincent@bernat.im>
+Date: Thu, 12 Feb 2015 08:07:43 +0100
+Subject: [PATCH] priv: don't lookup for _lldpd when privsep is disabled
+
+Closes #95
+---
+ src/daemon/lldpd.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/src/daemon/lldpd.c b/src/daemon/lldpd.c
+index f868fc7..6a3a160 100644
+--- a/src/daemon/lldpd.c
++++ b/src/daemon/lldpd.c
+@@ -1335,11 +1335,13 @@ lldpd_main(int argc, char *argv[], char *envp[])
+       int receiveonly = 0;
+       int ctl;
++#ifdef ENABLE_PRIVSEP
+       /* Non privileged user */
+       struct passwd *user;
+       struct group *group;
+       uid_t uid;
+       gid_t gid;
++#endif
+       saved_argv = argv;
+@@ -1493,12 +1495,14 @@ lldpd_main(int argc, char *argv[], char *envp[])
+       log_debug("main", "lldpd starting...");
+       /* Grab uid and gid to use for priv sep */
++#ifdef ENABLE_PRIVSEP
+       if ((user = getpwnam(PRIVSEP_USER)) == NULL)
+               fatal("main", "no " PRIVSEP_USER " user for privilege separation");
+       uid = user->pw_uid;
+       if ((group = getgrnam(PRIVSEP_GROUP)) == NULL)
+               fatal("main", "no " PRIVSEP_GROUP " group for privilege separation");
+       gid = group->gr_gid;
++#endif
+       /* Create and setup socket */
+       int retry = 1;
+@@ -1526,12 +1530,14 @@ lldpd_main(int argc, char *argv[], char *envp[])
+               log_warn("main", "unable to create control socket");
+               fatalx("giving up");
+       }
++#ifdef ENABLE_PRIVSEP
+       if (chown(ctlname, uid, gid) == -1)
+               log_warn("main", "unable to chown control socket");
+       if (chmod(ctlname,
+               S_IRUSR | S_IWUSR | S_IXUSR |
+               S_IRGRP | S_IWGRP | S_IXGRP) == -1)
+               log_warn("main", "unable to chmod control socket");
++#endif
+       /* Disable SIGPIPE */
+       signal(SIGPIPE, SIG_IGN);
+@@ -1576,7 +1582,11 @@ lldpd_main(int argc, char *argv[], char *envp[])
+       }
+       log_debug("main", "initialize privilege separation");
++#ifdef ENABLE_PRIVSEP
+       priv_init(PRIVSEP_CHROOT, ctl, uid, gid);
++#else
++      priv_init(PRIVSEP_CHROOT, ctl, 0, 0);
++#endif
+       /* Initialization of global configuration */
+       if ((cfg = (struct lldpd *)
+-- 
+2.1.2
+