2 commits - kolabd/__init__.py kolabd/kolabd.sysconfig kolabd/kolabd.systemd
Jeroen van Meeuwen
vanmeeuwen at kolabsys.com
Thu May 17 11:12:29 CEST 2012
kolabd/__init__.py | 118 +++++++++++++++++++++++++++++++++++++++++++-----
kolabd/kolabd.sysconfig | 3 -
kolabd/kolabd.systemd | 2
3 files changed, 111 insertions(+), 12 deletions(-)
New commits:
commit dd014204726e24b9383939a3c362c545b4c98067
Author: Jeroen van Meeuwen (Kolab Systems) <vanmeeuwen at kolabsys.com>
Date: Thu May 17 10:09:43 2012 +0100
Make as sure as possible, kolabd does not run with any non-kolab privileges
diff --git a/kolabd/__init__.py b/kolabd/__init__.py
index 2d3f94f..12b2615 100644
--- a/kolabd/__init__.py
+++ b/kolabd/__init__.py
@@ -20,7 +20,9 @@
The Kolab daemon.
"""
+import grp
import os
+import pwd
import shutil
import sys
import time
@@ -45,17 +47,42 @@ class KolabDaemon(object):
daemon_group = conf.add_cli_parser_option_group(_("Daemon Options"))
- daemon_group.add_option( "--fork",
- dest = "fork_mode",
- action = "store_true",
- default = False,
- help = _("Fork to the background."))
-
- daemon_group.add_option( "-p", "--pid-file",
- dest = "pidfile",
- action = "store",
- default = "/var/run/kolabd/kolabd.pid",
- help = _("Path to the PID file to use."))
+ daemon_group.add_option(
+ "--fork",
+ dest = "fork_mode",
+ action = "store_true",
+ default = False,
+ help = _("Fork to the background.")
+ )
+
+ daemon_group.add_option(
+ "-p",
+ "--pid-file",
+ dest = "pidfile",
+ action = "store",
+ default = "/var/run/kolabd/kolabd.pid",
+ help = _("Path to the PID file to use.")
+ )
+
+ daemon_group.add_option(
+ "-u",
+ "--user",
+ dest = "process_username",
+ action = "store",
+ default = "kolab",
+ help = _("Run as user USERNAME"),
+ metavar = "USERNAME"
+ )
+
+ daemon_group.add_option(
+ "-g",
+ "--group",
+ dest = "process_groupname",
+ action = "store",
+ default = "kolab",
+ help = _("Run as group GROUPNAME"),
+ metavar = "GROUPNAME"
+ )
conf.finalize_conf()
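Review bot: The help strings for `--user` and `--group` do not say that the switch is conditional. In the later hunk of this file the ids are only changed when the real uid is 0, so a non-root invocation with `-u`/`-g` silently ignores them. State this in the help text, e.g. `help = _("Run as user USERNAME (only applied when started as root)")`, and likewise for the group option. The enclosing method starts before this hunk and continues after it.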
@@ -65,6 +92,75 @@ class KolabDaemon(object):
exitcode = 0
try:
+ (ruid, euid, suid) = os.getresuid()
+ (rgid, egid, sgid) = os.getresgid()
+
+ if ruid == 0:
+ # Means we can setreuid() / setregid() / setgroups()
+ if egid == 0:
+ # Get group entry details
+ try:
+ (
+ group_name,
+ group_password,
+ group_gid,
+ group_members
+ ) = grp.getgrnam(conf.process_groupname)
+
+ except KeyError:
+ print >> sys.stderr, _("Group %s does not exist") % (
+ conf.process_groupname
+ )
+
+ sys.exit(1)
+
+ # Set real and effective group if not the same as current.
+ if not group_gid == egid:
+ log.debug(
+ _("Switching real and effective group id to %d") % (
+ group_gid
+ ),
+ level=8
+ )
+
+ os.setregid(group_gid, group_gid)
+
+ if euid == 0:
+ # Means we haven't switched yet.
+ try:
+ (
+ user_name,
+ user_password,
+ user_uid,
+ user_gid,
+ user_gecos,
+ user_homedir,
+ user_shell
+ ) = pwd.getpwnam(conf.process_username)
+
+ except KeyError:
+ print >> sys.stderr, _("User %s does not exist") % (
+ conf.process_username
+ )
+
+ sys.exit(1)
+
+
+ # Set real and effective user if not the same as current.
+ if not user_uid == euid:
+ log.debug(
+ _("Switching real and effective user id to %d") % (
+ user_uid
+ ),
+ level=8
+ )
+
+ os.setreuid(user_uid, user_uid)
+
+ except:
+ log.error(_("Could not change real and effective uid and/or gid"))
+
+ try:
pid = 1
if conf.fork_mode:
pid = os.fork()
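Review bot: The bare `except:` that closes the privilege-drop block makes the drop fail open. It catches the `SystemExit` raised by the two `sys.exit(1)` calls for an unknown user or group, as well as any `OSError` from `os.setregid()`/`os.setreuid()`, then logs one error and lets the daemon go on to fork with whatever ids it still holds, possibly root. Narrow it to `except Exception:` and add `sys.exit(1)` after the `log.error(...)` call so that a failed switch stops startup. The comment mentions setgroups(), but it is never called, so the supplementary groups of the starting process survive the switch; add `os.setgroups([group_gid])` before `os.setregid(group_gid, group_gid)`. The enclosing method begins before this hunk and continues past it.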
commit 327d454e7ba88b8a0b50fac3be088f6fed7ddc26
Author: Jeroen van Meeuwen (Kolab Systems) <vanmeeuwen at kolabsys.com>
Date: Thu May 17 10:04:29 2012 +0100
Set kolabd to run as kolab:kolab (systemd) or with daemon options --user kolab
diff --git a/kolabd/kolabd.sysconfig b/kolabd/kolabd.sysconfig
index 0705f32..93d27b5 100644
--- a/kolabd/kolabd.sysconfig
+++ b/kolabd/kolabd.sysconfig
@@ -2,4 +2,5 @@
#
# See kolabd --help for more flags.
#
-FLAGS="--fork -l warning"
\ No newline at end of file
+FLAGS="--fork -l warning"
+DAEMONOPTS="--user kolab"
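Review bot: `DAEMONOPTS` is added without a comment saying what reads it. The systemd unit changed in the same commit passes only `$FLAGS` to kolabd, so the variable is presumably meant for the SysV init script, which is not shown here. It also sets only `--user kolab` while the unit sets both `User=` and `Group=`; if the init path relies on this variable alone, the group on that path may differ. Suggest a comment such as `# Options for the init script's daemon call; not used by kolabd.systemd`, plus a line stating how the group is set on that path.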
diff --git a/kolabd/kolabd.systemd b/kolabd/kolabd.systemd
index 80305f8..92db05e 100644
--- a/kolabd/kolabd.systemd
+++ b/kolabd/kolabd.systemd
@@ -5,6 +5,8 @@ After=syslog.target network.target
[Service]
Type=forking
PIDFile=/var/run/kolabd/kolabd.pid
+User=kolab
+Group=kolab
EnvironmentFile=/etc/sysconfig/kolabd
ExecStart=/usr/sbin/kolabd $FLAGS
ExecReload=/bin/kill -HUP $MAINPID
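Review bot: With `User=kolab` and `Group=kolab` the unit starts kolabd unprivileged, so the path in `PIDFile=/var/run/kolabd/kolabd.pid` has to be writable by that account before ExecStart runs, and nothing in this commit creates or chowns the directory. If the packaging does not already handle it, a tmpfiles.d entry or equivalent owned by kolab:kolab is needed, otherwise the forking service will probably fail to write its PID file. A comment above `User=kolab` would also help, noting that the in-process `--user`/`--group` switch is skipped on this path because it only runs when the real uid is 0. The [Service] section continues past the hunk.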