
[OpenWrt-Devel,RESEND] lldpd: add option to disable priviledge separation

Message ID 1427110307-22262-1-git-send-email-ardeleanalex@gmail.com
State Rejected

Commit Message

Alexandru Ardelean March 23, 2015, 11:31 a.m. UTC
Helpful to disable when debugging lldpd crashes (when working on it).
When priviledge separation is on, some crashes are stack-traced to
some priviledge separation code.

Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
---
 package/network/services/lldpd/Config.in           |  5 ++
 package/network/services/lldpd/Makefile            |  2 +
 ...lookup-for-_lldpd-when-privsep-is-disable.patch | 73 ++++++++++++++++++++++
 3 files changed, 80 insertions(+)
 create mode 100644 package/network/services/lldpd/patches/001-priv-don-t-lookup-for-_lldpd-when-privsep-is-disable.patch

Comments

Stijn Tintel March 23, 2015, 3:28 p.m. UTC | #1
On 23-03-15 12:31, Alexandru Ardelean wrote:
> Helpful to disable when debugging lldpd crashes (when working on it).
> When priviledge separation is on, some crashes are stack-traced to
> some priviledge separation code.
Nitpicking, but the correct spelling is "privilege".
> Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
> ---
>  package/network/services/lldpd/Config.in           |  5 ++
>  package/network/services/lldpd/Makefile            |  2 +
>  ...lookup-for-_lldpd-when-privsep-is-disable.patch | 73 ++++++++++++++++++++++
>  3 files changed, 80 insertions(+)
>  create mode 100644 package/network/services/lldpd/patches/001-priv-don-t-lookup-for-_lldpd-when-privsep-is-disable.patch
>
> diff --git a/package/network/services/lldpd/Config.in b/package/network/services/lldpd/Config.in
> index a416490..4a8b5e7d 100644
> --- a/package/network/services/lldpd/Config.in
> +++ b/package/network/services/lldpd/Config.in
> @@ -1,6 +1,11 @@
>  menu "Configuration"
>  	depends on PACKAGE_lldpd
>  
> +config LLDPD_WITH_PRIVSEP
> +	bool
> +	default y
> +	prompt "Enable priviledge separation (run lldpd with a chrooted 'lldpd' user)"
Id.
> +
>  config LLDPD_WITH_CDP
>  	bool
>  	default y
> diff --git a/package/network/services/lldpd/Makefile b/package/network/services/lldpd/Makefile
> index ff367f1..d80840e 100644
> --- a/package/network/services/lldpd/Makefile
> +++ b/package/network/services/lldpd/Makefile
> @@ -85,9 +85,11 @@ define Package/lldpd/conffiles
>  endef
>  
>  CONFIGURE_ARGS += \
> +	$(if $(CONFIG_LLDPD_WITH_PRIVSEP), \
>  	--with-privsep-user=lldp \
>  	--with-privsep-group=lldp \
>  	--with-privsep-chroot=/var/run/lldp \
> +	,--disable-privsep) \
>  	--with-readline=no \
>  	--with-embedded-libevent=no \
>  	$(if $(CONFIG_LLDPD_WITH_CDP),,--disable-cdp) \
> diff --git a/package/network/services/lldpd/patches/001-priv-don-t-lookup-for-_lldpd-when-privsep-is-disable.patch b/package/network/services/lldpd/patches/001-priv-don-t-lookup-for-_lldpd-when-privsep-is-disable.patch
> new file mode 100644
> index 0000000..907c21b
> --- /dev/null
> +++ b/package/network/services/lldpd/patches/001-priv-don-t-lookup-for-_lldpd-when-privsep-is-disable.patch
> @@ -0,0 +1,73 @@
> +From 28bf40220840c277d70ed66f6d58729ebb975de8 Mon Sep 17 00:00:00 2001
> +From: Vincent Bernat <vincent@bernat.im>
> +Date: Thu, 12 Feb 2015 08:07:43 +0100
> +Subject: [PATCH] priv: don't lookup for _lldpd when privsep is disabled
> +
> +Closes #95
> +---
> + src/daemon/lldpd.c | 10 ++++++++++
> + 1 file changed, 10 insertions(+)
> +
> +diff --git a/src/daemon/lldpd.c b/src/daemon/lldpd.c
> +index f868fc7..6a3a160 100644
> +--- a/src/daemon/lldpd.c
> ++++ b/src/daemon/lldpd.c
> +@@ -1335,11 +1335,13 @@ lldpd_main(int argc, char *argv[], char *envp[])
> + 	int receiveonly = 0;
> + 	int ctl;
> + 
> ++#ifdef ENABLE_PRIVSEP
> + 	/* Non privileged user */
> + 	struct passwd *user;
> + 	struct group *group;
> + 	uid_t uid;
> + 	gid_t gid;
> ++#endif
> + 
> + 	saved_argv = argv;
> + 
> +@@ -1493,12 +1495,14 @@ lldpd_main(int argc, char *argv[], char *envp[])
> + 	log_debug("main", "lldpd starting...");
> + 
> + 	/* Grab uid and gid to use for priv sep */
> ++#ifdef ENABLE_PRIVSEP
> + 	if ((user = getpwnam(PRIVSEP_USER)) == NULL)
> + 		fatal("main", "no " PRIVSEP_USER " user for privilege separation");
> + 	uid = user->pw_uid;
> + 	if ((group = getgrnam(PRIVSEP_GROUP)) == NULL)
> + 		fatal("main", "no " PRIVSEP_GROUP " group for privilege separation");
> + 	gid = group->gr_gid;
> ++#endif
> + 
> + 	/* Create and setup socket */
> + 	int retry = 1;
> +@@ -1526,12 +1530,14 @@ lldpd_main(int argc, char *argv[], char *envp[])
> + 		log_warn("main", "unable to create control socket");
> + 		fatalx("giving up");
> + 	}
> ++#ifdef ENABLE_PRIVSEP
> + 	if (chown(ctlname, uid, gid) == -1)
> + 		log_warn("main", "unable to chown control socket");
> + 	if (chmod(ctlname,
> + 		S_IRUSR | S_IWUSR | S_IXUSR |
> + 		S_IRGRP | S_IWGRP | S_IXGRP) == -1)
> + 		log_warn("main", "unable to chmod control socket");
> ++#endif
> + 
> + 	/* Disable SIGPIPE */
> + 	signal(SIGPIPE, SIG_IGN);
> +@@ -1576,7 +1582,11 @@ lldpd_main(int argc, char *argv[], char *envp[])
> + 	}
> + 
> + 	log_debug("main", "initialize privilege separation");
> ++#ifdef ENABLE_PRIVSEP
> + 	priv_init(PRIVSEP_CHROOT, ctl, uid, gid);
> ++#else
> ++	priv_init(PRIVSEP_CHROOT, ctl, 0, 0);
> ++#endif
> + 
> + 	/* Initialization of global configuration */
> + 	if ((cfg = (struct lldpd *)
> +-- 
> +2.1.2
> +
Kind regards,
Stijn
Alexandru Ardelean March 23, 2015, 3:40 p.m. UTC | #2
On Mon, Mar 23, 2015 at 5:28 PM, Stijn Tintel <stijn@linux-ipv6.be> wrote:

> On 23-03-15 12:31, Alexandru Ardelean wrote:
> > Helpful to disable when debugging lldpd crashes (when working on it).
> > When priviledge separation is on, some crashes are stack-traced to
> > some priviledge separation code.
> Nitpicking, but the correct spelling is "privilege".
> > Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
> > ---
> >  package/network/services/lldpd/Config.in           |  5 ++
> >  package/network/services/lldpd/Makefile            |  2 +
> >  ...lookup-for-_lldpd-when-privsep-is-disable.patch | 73
> ++++++++++++++++++++++
> >  3 files changed, 80 insertions(+)
> >  create mode 100644
> package/network/services/lldpd/patches/001-priv-don-t-lookup-for-_lldpd-when-privsep-is-disable.patch
> >
> > diff --git a/package/network/services/lldpd/Config.in
> b/package/network/services/lldpd/Config.in
> > index a416490..4a8b5e7d 100644
> > --- a/package/network/services/lldpd/Config.in
> > +++ b/package/network/services/lldpd/Config.in
> > @@ -1,6 +1,11 @@
> >  menu "Configuration"
> >       depends on PACKAGE_lldpd
> >
> > +config LLDPD_WITH_PRIVSEP
> > +     bool
> > +     default y
> > +     prompt "Enable priviledge separation (run lldpd with a chrooted
> 'lldpd' user)"
> Id.
> > +
> >  config LLDPD_WITH_CDP
> >       bool
> >       default y
> > diff --git a/package/network/services/lldpd/Makefile
> b/package/network/services/lldpd/Makefile
> > index ff367f1..d80840e 100644
> > --- a/package/network/services/lldpd/Makefile
> > +++ b/package/network/services/lldpd/Makefile
> > @@ -85,9 +85,11 @@ define Package/lldpd/conffiles
> >  endef
> >
> >  CONFIGURE_ARGS += \
> > +     $(if $(CONFIG_LLDPD_WITH_PRIVSEP), \
> >       --with-privsep-user=lldp \
> >       --with-privsep-group=lldp \
> >       --with-privsep-chroot=/var/run/lldp \
> > +     ,--disable-privsep) \
> >       --with-readline=no \
> >       --with-embedded-libevent=no \
> >       $(if $(CONFIG_LLDPD_WITH_CDP),,--disable-cdp) \
> > diff --git
> a/package/network/services/lldpd/patches/001-priv-don-t-lookup-for-_lldpd-when-privsep-is-disable.patch
> b/package/network/services/lldpd/patches/001-priv-don-t-lookup-for-_lldpd-when-privsep-is-disable.patch
> > new file mode 100644
> > index 0000000..907c21b
> > --- /dev/null
> > +++
> b/package/network/services/lldpd/patches/001-priv-don-t-lookup-for-_lldpd-when-privsep-is-disable.patch
> > @@ -0,0 +1,73 @@
> > +From 28bf40220840c277d70ed66f6d58729ebb975de8 Mon Sep 17 00:00:00 2001
> > +From: Vincent Bernat <vincent@bernat.im>
> > +Date: Thu, 12 Feb 2015 08:07:43 +0100
> > +Subject: [PATCH] priv: don't lookup for _lldpd when privsep is disabled
> > +
> > +Closes #95
> > +---
> > + src/daemon/lldpd.c | 10 ++++++++++
> > + 1 file changed, 10 insertions(+)
> > +
> > +diff --git a/src/daemon/lldpd.c b/src/daemon/lldpd.c
> > +index f868fc7..6a3a160 100644
> > +--- a/src/daemon/lldpd.c
> > ++++ b/src/daemon/lldpd.c
> > +@@ -1335,11 +1335,13 @@ lldpd_main(int argc, char *argv[], char *envp[])
> > +     int receiveonly = 0;
> > +     int ctl;
> > +
> > ++#ifdef ENABLE_PRIVSEP
> > +     /* Non privileged user */
> > +     struct passwd *user;
> > +     struct group *group;
> > +     uid_t uid;
> > +     gid_t gid;
> > ++#endif
> > +
> > +     saved_argv = argv;
> > +
> > +@@ -1493,12 +1495,14 @@ lldpd_main(int argc, char *argv[], char *envp[])
> > +     log_debug("main", "lldpd starting...");
> > +
> > +     /* Grab uid and gid to use for priv sep */
> > ++#ifdef ENABLE_PRIVSEP
> > +     if ((user = getpwnam(PRIVSEP_USER)) == NULL)
> > +             fatal("main", "no " PRIVSEP_USER " user for privilege
> separation");
> > +     uid = user->pw_uid;
> > +     if ((group = getgrnam(PRIVSEP_GROUP)) == NULL)
> > +             fatal("main", "no " PRIVSEP_GROUP " group for privilege
> separation");
> > +     gid = group->gr_gid;
> > ++#endif
> > +
> > +     /* Create and setup socket */
> > +     int retry = 1;
> > +@@ -1526,12 +1530,14 @@ lldpd_main(int argc, char *argv[], char *envp[])
> > +             log_warn("main", "unable to create control socket");
> > +             fatalx("giving up");
> > +     }
> > ++#ifdef ENABLE_PRIVSEP
> > +     if (chown(ctlname, uid, gid) == -1)
> > +             log_warn("main", "unable to chown control socket");
> > +     if (chmod(ctlname,
> > +             S_IRUSR | S_IWUSR | S_IXUSR |
> > +             S_IRGRP | S_IWGRP | S_IXGRP) == -1)
> > +             log_warn("main", "unable to chmod control socket");
> > ++#endif
> > +
> > +     /* Disable SIGPIPE */
> > +     signal(SIGPIPE, SIG_IGN);
> > +@@ -1576,7 +1582,11 @@ lldpd_main(int argc, char *argv[], char *envp[])
> > +     }
> > +
> > +     log_debug("main", "initialize privilege separation");
> > ++#ifdef ENABLE_PRIVSEP
> > +     priv_init(PRIVSEP_CHROOT, ctl, uid, gid);
> > ++#else
> > ++    priv_init(PRIVSEP_CHROOT, ctl, 0, 0);
> > ++#endif
> > +
> > +     /* Initialization of global configuration */
> > +     if ((cfg = (struct lldpd *)
> > +--
> > +2.1.2
> > +
> Kind regards,
> Stijn
> _______________________________________________
> openwrt-devel mailing list
> openwrt-devel@lists.openwrt.org
> https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
>
Will re-send.
Thanks

Patch

diff --git a/package/network/services/lldpd/Config.in b/package/network/services/lldpd/Config.in
index a416490..4a8b5e7d 100644
--- a/package/network/services/lldpd/Config.in
+++ b/package/network/services/lldpd/Config.in
@@ -1,6 +1,11 @@ 
 menu "Configuration"
 	depends on PACKAGE_lldpd
 
+config LLDPD_WITH_PRIVSEP
+	bool
+	default y
+	prompt "Enable priviledge separation (run lldpd with a chrooted 'lldpd' user)"
+
 config LLDPD_WITH_CDP
 	bool
 	default y
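Review bot: The prompt added at the new `config LLDPD_WITH_PRIVSEP` entry names the wrong account: it says lldpd runs as a chrooted 'lldpd' user, while the Makefile hunk in the same patch passes `--with-privsep-user=lldp` and `--with-privsep-group=lldp`, so the text should read `'lldp' user` to match what the build actually configures. The entry also has no `help` block, and since this is the option that removes lldpd's unprivileged-user and chroot boundary, it should state that with the option off the daemon keeps root privileges for its whole lifetime and is not chrooted, and that the commit message presents it as a debugging aid rather than a production configuration. A short `help` entry of two or three lines saying that is enough for someone finding the option in menuconfig.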
diff --git a/package/network/services/lldpd/Makefile b/package/network/services/lldpd/Makefile
index ff367f1..d80840e 100644
--- a/package/network/services/lldpd/Makefile
+++ b/package/network/services/lldpd/Makefile
@@ -85,9 +85,11 @@  define Package/lldpd/conffiles
 endef
 
 CONFIGURE_ARGS += \
+	$(if $(CONFIG_LLDPD_WITH_PRIVSEP), \
 	--with-privsep-user=lldp \
 	--with-privsep-group=lldp \
 	--with-privsep-chroot=/var/run/lldp \
+	,--disable-privsep) \
 	--with-readline=no \
 	--with-embedded-libevent=no \
 	$(if $(CONFIG_LLDPD_WITH_CDP),,--disable-cdp) \
diff --git a/package/network/services/lldpd/patches/001-priv-don-t-lookup-for-_lldpd-when-privsep-is-disable.patch b/package/network/services/lldpd/patches/001-priv-don-t-lookup-for-_lldpd-when-privsep-is-disable.patch
new file mode 100644
index 0000000..907c21b
--- /dev/null
+++ b/package/network/services/lldpd/patches/001-priv-don-t-lookup-for-_lldpd-when-privsep-is-disable.patch
@@ -0,0 +1,73 @@ 
+From 28bf40220840c277d70ed66f6d58729ebb975de8 Mon Sep 17 00:00:00 2001
+From: Vincent Bernat <vincent@bernat.im>
+Date: Thu, 12 Feb 2015 08:07:43 +0100
+Subject: [PATCH] priv: don't lookup for _lldpd when privsep is disabled
+
+Closes #95
+---
+ src/daemon/lldpd.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/src/daemon/lldpd.c b/src/daemon/lldpd.c
+index f868fc7..6a3a160 100644
+--- a/src/daemon/lldpd.c
++++ b/src/daemon/lldpd.c
+@@ -1335,11 +1335,13 @@ lldpd_main(int argc, char *argv[], char *envp[])
+ 	int receiveonly = 0;
+ 	int ctl;
+ 
++#ifdef ENABLE_PRIVSEP
+ 	/* Non privileged user */
+ 	struct passwd *user;
+ 	struct group *group;
+ 	uid_t uid;
+ 	gid_t gid;
++#endif
+ 
+ 	saved_argv = argv;
+ 
+@@ -1493,12 +1495,14 @@ lldpd_main(int argc, char *argv[], char *envp[])
+ 	log_debug("main", "lldpd starting...");
+ 
+ 	/* Grab uid and gid to use for priv sep */
++#ifdef ENABLE_PRIVSEP
+ 	if ((user = getpwnam(PRIVSEP_USER)) == NULL)
+ 		fatal("main", "no " PRIVSEP_USER " user for privilege separation");
+ 	uid = user->pw_uid;
+ 	if ((group = getgrnam(PRIVSEP_GROUP)) == NULL)
+ 		fatal("main", "no " PRIVSEP_GROUP " group for privilege separation");
+ 	gid = group->gr_gid;
++#endif
+ 
+ 	/* Create and setup socket */
+ 	int retry = 1;
+@@ -1526,12 +1530,14 @@ lldpd_main(int argc, char *argv[], char *envp[])
+ 		log_warn("main", "unable to create control socket");
+ 		fatalx("giving up");
+ 	}
++#ifdef ENABLE_PRIVSEP
+ 	if (chown(ctlname, uid, gid) == -1)
+ 		log_warn("main", "unable to chown control socket");
+ 	if (chmod(ctlname,
+ 		S_IRUSR | S_IWUSR | S_IXUSR |
+ 		S_IRGRP | S_IWGRP | S_IXGRP) == -1)
+ 		log_warn("main", "unable to chmod control socket");
++#endif
+ 
+ 	/* Disable SIGPIPE */
+ 	signal(SIGPIPE, SIG_IGN);
+@@ -1576,7 +1582,11 @@ lldpd_main(int argc, char *argv[], char *envp[])
+ 	}
+ 
+ 	log_debug("main", "initialize privilege separation");
++#ifdef ENABLE_PRIVSEP
+ 	priv_init(PRIVSEP_CHROOT, ctl, uid, gid);
++#else
++	priv_init(PRIVSEP_CHROOT, ctl, 0, 0);
++#endif
+ 
+ 	/* Initialization of global configuration */
+ 	if ((cfg = (struct lldpd *)
+-- 
+2.1.2
+
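Review bot: In the third hunk of the embedded lldpd.c patch (the one at `@@ -1526,12 +1530,14 @@`), the `#ifdef ENABLE_PRIVSEP` guard wraps both the `chown()` and the `chmod()` of the control socket, but only `chown()` depends on the `uid`/`gid` that are now conditional; when privsep is disabled the socket is left with whatever mode the creating umask produced instead of the explicit 0770, so its accessibility becomes environment-dependent. Moving the `#endif` up to directly after `log_warn("main", "unable to chown control socket");` keeps the chmod unconditional without needing the guarded variables. In the last hunk, `priv_init(PRIVSEP_CHROOT, ctl, 0, 0)` is presumably matched by a non-privsep build of `priv_init` that neither chroots nor changes identity — that is not visible here and is worth confirming against the lldpd source at this version, as is whether configure still defines `PRIVSEP_CHROOT` when `--disable-privsep` is given; the `log_debug("main", "initialize privilege separation")` just above it is also misleading on the `#else` path. `lldpd_main` begins and ends outside these hunks, and since this file is a backport of an upstream commit, any such change should be carried as a separate OpenWrt patch rather than by editing the vendored one.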