lldpd: add option to disable privilege separation

author Jo-Philipp Wich <jow@openwrt.org>

Tue, 24 Mar 2015 10:13:08 +0000 (10:13 +0000)

committer Jo-Philipp Wich <jow@openwrt.org>

Tue, 24 Mar 2015 10:13:08 +0000 (10:13 +0000)
author Jo-Philipp Wich <jow@openwrt.org>
Tue, 24 Mar 2015 10:13:08 +0000 (10:13 +0000)
committer Jo-Philipp Wich <jow@openwrt.org>
Tue, 24 Mar 2015 10:13:08 +0000 (10:13 +0000)
diff --git a/package/network/services/lldpd/Config.in b/package/network/services/lldpd/Config.in

index a416490425eab524ffadddb74e34b89b09323164..448506d0473df6e255178cf8a59e46a7799b8874 100644 (file)
--- a/package/network/services/lldpd/Config.in
+++ b/package/network/services/lldpd/Config.in
@@ -1,6 +1,11 @@
  menu "Configuration"
         depends on PACKAGE_lldpd
  
  menu "Configuration"
         depends on PACKAGE_lldpd
  
+config LLDPD_WITH_PRIVSEP
+       bool
+       default y
+       prompt "Enable privilege separation (run lldpd with a chrooted 'lldp' user)"
+
  config LLDPD_WITH_CDP
         bool
         default y
  config LLDPD_WITH_CDP
         bool
         default y
diff --git a/package/network/services/lldpd/Makefile b/package/network/services/lldpd/Makefile

index ff367f1c3e78c3792656b6aab1bd27888e75bf01..d80840e4cb5b2d4c8546275a97505f2c109aff05 100644 (file)
--- a/package/network/services/lldpd/Makefile
+++ b/package/network/services/lldpd/Makefile
@@ -85,9 +85,11 @@ define Package/lldpd/conffiles
  endef
  
  CONFIGURE_ARGS += \
  endef
  
  CONFIGURE_ARGS += \
+       $(if $(CONFIG_LLDPD_WITH_PRIVSEP), \
         --with-privsep-user=lldp \
         --with-privsep-group=lldp \
         --with-privsep-chroot=/var/run/lldp \
         --with-privsep-user=lldp \
         --with-privsep-group=lldp \
         --with-privsep-chroot=/var/run/lldp \
+       ,--disable-privsep) \
         --with-readline=no \
         --with-embedded-libevent=no \
         $(if $(CONFIG_LLDPD_WITH_CDP),,--disable-cdp) \
         --with-readline=no \
         --with-embedded-libevent=no \
         $(if $(CONFIG_LLDPD_WITH_CDP),,--disable-cdp) \
diff --git a/package/network/services/lldpd/patches/001-priv-don-t-lookup-for-_lldpd-when-privsep-is-disable.patch b/package/network/services/lldpd/patches/001-priv-don-t-lookup-for-_lldpd-when-privsep-is-disable.patch

new file mode 100644 (file)

index 0000000..907c21b
--- /dev/null
+++ b/package/network/services/lldpd/patches/001-priv-don-t-lookup-for-_lldpd-when-privsep-is-disable.patch
@@ -0,0 +1,73 @@
+From 28bf40220840c277d70ed66f6d58729ebb975de8 Mon Sep 17 00:00:00 2001
+From: Vincent Bernat <vincent@bernat.im>
+Date: Thu, 12 Feb 2015 08:07:43 +0100
+Subject: [PATCH] priv: don't lookup for _lldpd when privsep is disabled
+
+Closes #95
+---
+ src/daemon/lldpd.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/src/daemon/lldpd.c b/src/daemon/lldpd.c
+index f868fc7..6a3a160 100644
+--- a/src/daemon/lldpd.c
++++ b/src/daemon/lldpd.c
+@@ -1335,11 +1335,13 @@ lldpd_main(int argc, char *argv[], char *envp[])
+       int receiveonly = 0;
+       int ctl;
+ 
++#ifdef ENABLE_PRIVSEP
+       /* Non privileged user */
+       struct passwd *user;
+       struct group *group;
+       uid_t uid;
+       gid_t gid;
++#endif
+ 
+       saved_argv = argv;
+ 
+@@ -1493,12 +1495,14 @@ lldpd_main(int argc, char *argv[], char *envp[])
+       log_debug("main", "lldpd starting...");
+ 
+       /* Grab uid and gid to use for priv sep */
++#ifdef ENABLE_PRIVSEP
+       if ((user = getpwnam(PRIVSEP_USER)) == NULL)
+               fatal("main", "no " PRIVSEP_USER " user for privilege separation");
+       uid = user->pw_uid;
+       if ((group = getgrnam(PRIVSEP_GROUP)) == NULL)
+               fatal("main", "no " PRIVSEP_GROUP " group for privilege separation");
+       gid = group->gr_gid;
++#endif
+ 
+       /* Create and setup socket */
+       int retry = 1;
+@@ -1526,12 +1530,14 @@ lldpd_main(int argc, char *argv[], char *envp[])
+               log_warn("main", "unable to create control socket");
+               fatalx("giving up");
+       }
++#ifdef ENABLE_PRIVSEP
+       if (chown(ctlname, uid, gid) == -1)
+               log_warn("main", "unable to chown control socket");
+       if (chmod(ctlname,
+               S_IRUSR | S_IWUSR | S_IXUSR |
+               S_IRGRP | S_IWGRP | S_IXGRP) == -1)
+               log_warn("main", "unable to chmod control socket");
++#endif
+ 
+       /* Disable SIGPIPE */
+       signal(SIGPIPE, SIG_IGN);
+@@ -1576,7 +1582,11 @@ lldpd_main(int argc, char *argv[], char *envp[])
+       }
+ 
+       log_debug("main", "initialize privilege separation");
++#ifdef ENABLE_PRIVSEP
+       priv_init(PRIVSEP_CHROOT, ctl, uid, gid);
++#else
++      priv_init(PRIVSEP_CHROOT, ctl, 0, 0);
++#endif
+ 
+       /* Initialization of global configuration */
+       if ((cfg = (struct lldpd *)
+-- 
+2.1.2
+
author	Jo-Philipp Wich <jow@openwrt.org>
	Tue, 24 Mar 2015 10:13:08 +0000 (10:13 +0000)
committer	Jo-Philipp Wich <jow@openwrt.org>
	Tue, 24 Mar 2015 10:13:08 +0000 (10:13 +0000)
package/network/services/lldpd/Config.in		patch \| blob \| history
package/network/services/lldpd/Makefile		patch \| blob \| history
package/network/services/lldpd/patches/001-priv-don-t-lookup-for-_lldpd-when-privsep-is-disable.patch	[new file with mode: 0644]	patch \| blob