From a008f49a85c3891eb4ac469346bec24036fd0e87 Mon Sep 17 00:00:00 2001 From: Lou Berger Date: Tue, 6 Sep 2016 10:52:31 -0400 Subject: bgpd: Add flag to not change e{u,g}id on startup and run as unprivileged user * bgp_main.c: add -S / --skip_runas flag to not change effective user/group on start up. Enables bgpd to be run by unprivileged user. --- bgpd/bgp_main.c | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) (limited to 'bgpd/bgp_main.c') diff --git a/bgpd/bgp_main.c b/bgpd/bgp_main.c index 54e732977..5ef8154fa 100644 --- a/bgpd/bgp_main.c +++ b/bgpd/bgp_main.c @@ -68,6 +68,7 @@ static const struct option longopts[] = { "no_kernel", no_argument, NULL, 'n'}, { "user", required_argument, NULL, 'u'}, { "group", required_argument, NULL, 'g'}, + { "skip_runas", no_argument, NULL, 'S'}, { "version", no_argument, NULL, 'v'}, { "dryrun", no_argument, NULL, 'C'}, { "help", no_argument, NULL, 'h'}, @@ -163,6 +164,7 @@ redistribution between different routing protocols.\n\n\ -n, --no_kernel Do not install route to kernel.\n\ -u, --user User to run as\n\ -g, --group Group to run as\n\ +-S, --skip_runas Skip user and group run as\n\ -v, --version Print program version\n\ -C, --dryrun Check configuration for validity and exit\n\ -h, --help Display this help and exit\n\ @@ -200,9 +202,12 @@ sigint (void) zlog_notice ("Terminating on signal"); if (! retain_mode) - bgp_terminate (); + { + bgp_terminate (); + if (bgpd_privs.user) /* NULL if skip_runas flag set */ + zprivs_terminate (&bgpd_privs); + } - zprivs_terminate (&bgpd_privs); bgp_exit (0); exit (0); @@ -408,6 +413,7 @@ main (int argc, char **argv) char *progname; struct thread thread; int tmp_port; + int skip_runas = 0; /* Set umask before anything for security */ umask (0027); @@ -421,7 +427,7 @@ main (int argc, char **argv) /* Command line argument treatment. */ while (1) { - opt = getopt_long (argc, argv, "df:i:z:hp:l:A:P:rnu:g:vC", longopts, 0); + opt = getopt_long (argc, argv, "df:i:z:hp:l:A:P:rnu:g:vCS", longopts, 0); if (opt == EOF) break; @@ -479,6 +485,9 @@ main (int argc, char **argv) case 'g': bgpd_privs.group = optarg; break; + case 'S': /* skip run as = override bgpd_privs */ + skip_runas = 1; + break; case 'v': print_version (progname); exit (0); @@ -497,7 +506,11 @@ main (int argc, char **argv) zlog_default = openzlog (progname, ZLOG_BGP, 0, LOG_CONS|LOG_NDELAY|LOG_PID, LOG_DAEMON); + + if (skip_runas) + memset (&bgpd_privs, 0, sizeof (bgpd_privs)); zprivs_init (&bgpd_privs); + #if defined(HAVE_CUMULUS) zlog_set_level (NULL, ZLOG_DEST_SYSLOG, zlog_default->default_lvl); #endif -- cgit v1.2.3