@ -2,7 +2,7 @@
Superuser - exec wrapper for HTTP serves and other needs ( made especially for lighttpd ) .
Allows programs to be run with configurable uid / gid .
Version 0. 4 ( 2006 - 06 - 09 )
Version 0. 5 ( 2008 - 07 - 07 )
For documentation on how to configure the wrapper , see the README .
Command line option - v displays version , while - V displays compile - time configuration .
@ -12,6 +12,11 @@ Brief version history:
Vers Date Changes
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
0.5 2008 - 07 - 07 Added proper handling of the supplementary group access list . Fixed a
bug with passing on return values from the child process . Added
compile - time configuration options to disable the CHECK_GID feature and
to require the target user to have a pwent ( in / etc / passwd ) .
Thanks to stbuehler , hoffie and _lotek from # lighttpd for help .
0.4 2006 - 06 - 09 Added a BSD license .
0.3 2005 - 09 - 27 Changed the wrapper to stay resident and propagate SIGTERM to the
target . Not doing so will prevent the server from managing the target .
@ -26,7 +31,7 @@ Vers Date Changes
License :
Copyright ( c ) 200 6 , Sune Foldager
Copyright ( c ) 200 8 , Sune Foldager
All rights reserved .
Redistribution and use in source and binary forms , with or without modification , are
@ -76,6 +81,9 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
# define RC_WRONG_GROUP 22
# define RC_EXEC 23
# define RC_BAD_OPTION 24
# define RC_CHILD_ABNORMAL_EXIT 25
# define RC_MISSING_PWENT 26
/* User configuration. */
# include "execwrap_config.h"
@ -95,7 +103,7 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
# endif
/* Useful macro and other stuff. */
# define VERSION_STRING "ExecWrap v0. 3 by Sune Foldager."
# define VERSION_STRING "ExecWrap v0. 5 Copyright (c) 2008, Sune Foldager."
# define STRLEN(a) (sizeof(a)-1)
/* Shortcuts. */
@ -111,8 +119,10 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
# include <stdlib.h>
# include <string.h>
# include <sys/stat.h>
# include <sys/wait.h>
# include <unistd.h>
# include <signal.h>
# include <pwd.h>
/* The global child PID and previous SIGTERM handler. */
@ -155,6 +165,9 @@ int main(int argc, char* argv[], char* envp[])
printf ( " TARGET_PATH_PREFIX : %s \n " , TARGET_PATH_PREFIX ) ;
printf ( " DEFAULT_UID : %d \n " , DEFAULT_UID ) ;
printf ( " DEFAULT_GID : %d \n " , DEFAULT_GID ) ;
puts ( " " ) ;
printf ( " REQUIRE_PWENT : %d \n " , REQUIRE_PWENT ) ;
printf ( " ALLOW_CHECKGID : %d \n " , ALLOW_CHECKGID ) ;
return 0 ;
}
@ -198,10 +211,12 @@ int main(int argc, char* argv[], char* envp[])
}
/* Check GID instead of UID. */
# if ALLOW_CHECKGID
if ( ! strncmp ( ENV_CHECK_GID , s , ENV_CHECK_GID_LEN ) )
{
check_gid = 1 ;
}
# endif
/* Use non-resident wrapping style. */
if ( ! strncmp ( ENV_NON_RESIDENT , s , ENV_NON_RESIDENT_LEN ) )
@ -214,6 +229,12 @@ int main(int argc, char* argv[], char* envp[])
/* See if we got all we need. */
if ( ! target ) return RC_MISSING_CONFIG ;
/* Fetch user information from passwd. */
struct passwd * pwent = getpwuid ( uid ) ;
# if REQUIRE_PWENT
if ( ! pwent ) return RC_MISSING_PWENT ;
# endif
/* Install the SIGTERM handler. */
if ( ! non_resident )
{
@ -225,7 +246,8 @@ int main(int argc, char* argv[], char* envp[])
if ( non_resident | | ! ( pid = fork ( ) ) )
{
/* We're in the child. Drop privileges. */
/* We're in the child. Drop privileges and set the group list. */
if ( pwent & & initgroups ( pwent - > pw_name , gid ) ) return RC_SETGID ;
if ( setgid ( gid ) ) return RC_SETGID ;
if ( setuid ( uid ) ) return RC_SETUID ;
@ -262,7 +284,6 @@ int main(int argc, char* argv[], char* envp[])
/* Here we're in the parent. Wait for the child to be done, and return. */
int status ;
wait ( & status ) ;
return status ;
if( WIFEXITED ( status ) ) return WEXITSTATUS ( status ) ;
return RC_CHILD_ABNORMAL_EXIT ;
}