2 commits - kolabd/__init__.py kolabd/kolabd.sysconfig kolabd/kolabd.systemd

Jeroen van Meeuwen vanmeeuwen at kolabsys.com
Thu May 17 11:12:29 CEST 2012


 kolabd/__init__.py      |  118 +++++++++++++++++++++++++++++++++++++++++++-----
 kolabd/kolabd.sysconfig |    3 -
 kolabd/kolabd.systemd   |    2 
 3 files changed, 111 insertions(+), 12 deletions(-)

New commits:
commit dd014204726e24b9383939a3c362c545b4c98067
Author: Jeroen van Meeuwen (Kolab Systems) <vanmeeuwen at kolabsys.com>
Date:   Thu May 17 10:09:43 2012 +0100

    Make as sure as possible, kolabd does not run with any non-kolab privileges

diff --git a/kolabd/__init__.py b/kolabd/__init__.py
index 2d3f94f..12b2615 100644
--- a/kolabd/__init__.py
+++ b/kolabd/__init__.py
@@ -20,7 +20,9 @@
     The Kolab daemon.
 """
 
+import grp
 import os
+import pwd
 import shutil
 import sys
 import time
@@ -45,17 +47,42 @@ class KolabDaemon(object):
 
         daemon_group = conf.add_cli_parser_option_group(_("Daemon Options"))
 
-        daemon_group.add_option(  "--fork",
-                                dest    = "fork_mode",
-                                action  = "store_true",
-                                default = False,
-                                help    = _("Fork to the background."))
-
-        daemon_group.add_option( "-p", "--pid-file",
-                                dest    = "pidfile",
-                                action  = "store",
-                                default = "/var/run/kolabd/kolabd.pid",
-                                help    = _("Path to the PID file to use."))
+        daemon_group.add_option(
+                "--fork",
+                dest    = "fork_mode",
+                action  = "store_true",
+                default = False,
+                help    = _("Fork to the background.")
+            )
+
+        daemon_group.add_option(
+                "-p",
+                "--pid-file",
+                dest    = "pidfile",
+                action  = "store",
+                default = "/var/run/kolabd/kolabd.pid",
+                help    = _("Path to the PID file to use.")
+            )
+
+        daemon_group.add_option(
+                "-u",
+                "--user",
+                dest    = "process_username",
+                action  = "store",
+                default = "kolab",
+                help    = _("Run as user USERNAME"),
+                metavar = "USERNAME"
+            )
+
+        daemon_group.add_option(
+                "-g",
+                "--group",
+                dest    = "process_groupname",
+                action  = "store",
+                default = "kolab",
+                help    = _("Run as group GROUPNAME"),
+                metavar = "GROUPNAME"
+            )
 
         conf.finalize_conf()
 
@@ -65,6 +92,75 @@ class KolabDaemon(object):
         exitcode = 0
 
         try:
+            (ruid, euid, suid) = os.getresuid()
+            (rgid, egid, sgid) = os.getresgid()
+
+            if ruid == 0:
+                # Means we can setreuid() / setregid() / setgroups()
+                if egid == 0:
+                    # Get group entry details
+                    try:
+                        (
+                                group_name,
+                                group_password,
+                                group_gid,
+                                group_members
+                            ) = grp.getgrnam(conf.process_groupname)
+
+                    except KeyError:
+                        print >> sys.stderr, _("Group %s does not exist") % (
+                                conf.process_groupname
+                            )
+
+                        sys.exit(1)
+
+                    # Set real and effective group if not the same as current.
+                    if not group_gid == egid:
+                        log.debug(
+                                _("Switching real and effective group id to %d") % (
+                                        group_gid
+                                    ),
+                                level=8
+                            )
+
+                        os.setregid(group_gid, group_gid)
+
+                if euid == 0:
+                    # Means we haven't switched yet.
+                    try:
+                        (
+                                user_name,
+                                user_password,
+                                user_uid,
+                                user_gid,
+                                user_gecos,
+                                user_homedir,
+                                user_shell
+                            ) = pwd.getpwnam(conf.process_username)
+
+                    except KeyError:
+                        print >> sys.stderr, _("User %s does not exist") % (
+                                conf.process_username
+                            )
+
+                        sys.exit(1)
+
+
+                    # Set real and effective user if not the same as current.
+                    if not user_uid == euid:
+                        log.debug(
+                                _("Switching real and effective user id to %d") % (
+                                        user_uid
+                                    ),
+                                level=8
+                            )
+
+                        os.setreuid(user_uid, user_uid)
+
+        except:
+            log.error(_("Could not change real and effective uid and/or gid"))
+
+        try:
             pid = 1
             if conf.fork_mode:
                 pid = os.fork()


commit 327d454e7ba88b8a0b50fac3be088f6fed7ddc26
Author: Jeroen van Meeuwen (Kolab Systems) <vanmeeuwen at kolabsys.com>
Date:   Thu May 17 10:04:29 2012 +0100

    Set kolabd to run as kolab:kolab (systemd) or with daemon options --user kolab

diff --git a/kolabd/kolabd.sysconfig b/kolabd/kolabd.sysconfig
index 0705f32..93d27b5 100644
--- a/kolabd/kolabd.sysconfig
+++ b/kolabd/kolabd.sysconfig
@@ -2,4 +2,5 @@
 #
 # See kolabd --help for more flags.
 #
-FLAGS="--fork -l warning"
\ No newline at end of file
+FLAGS="--fork -l warning"
+DAEMONOPTS="--user kolab"
diff --git a/kolabd/kolabd.systemd b/kolabd/kolabd.systemd
index 80305f8..92db05e 100644
--- a/kolabd/kolabd.systemd
+++ b/kolabd/kolabd.systemd
@@ -5,6 +5,8 @@ After=syslog.target network.target
 [Service]
 Type=forking
 PIDFile=/var/run/kolabd/kolabd.pid
+User=kolab
+Group=kolab
 EnvironmentFile=/etc/sysconfig/kolabd
 ExecStart=/usr/sbin/kolabd $FLAGS
 ExecReload=/bin/kill -HUP $MAINPID





More information about the commits mailing list