Add _rtadvd user and group.

Add a chroot dir for the _rtadvd user. Drop privs to the user _rtadvd after acquiring our socket. When rc.d/rtadvd starts or reloads, the rtadvd config file is copied into the chroot before starting or reloading rtadvd itself. Create a symlink from /var/run/rtadvd.dump to the chroot Inital idea from OpenBSD patch rtadvd.c r1.36
2013-07-09 09:34:58 +00:00 · 2013-07-09 09:34:58 +00:00 · d87d6793f0
parent e78575e451
commit d87d6793f0
7 changed files with 81 additions and 12 deletions
--- a/etc/group
+++ b/etc/group
@ -25,6 +25,7 @@ _tests:*:26:
 _tcpdump:*:27:
 _tss:*:28:
 _gpio:*:29:
+_rtadvd:*:30:
 guest:*:31:root
 nobody:*:39:
 utmp:*:45:
--- a/etc/master.passwd
+++ b/etc/master.passwd
@ -18,5 +18,6 @@ _mdnsd:*:25:25::0:0:& pseudo-user:/nonexistent:/sbin/nologin
 _tests:*:26:26::0:0:& pseudo-user:/nonexistent:/sbin/nologin
 _tcpdump:*:27:27::0:0:& pseudo-user:/var/chroot/tcpdump:/sbin/nologin
 _tss:*:28:28::0:0:& pseudo-user:/var/tpm:/sbin/nologin
+_rtadvd:*:30:30::0:0:& pseudo-user:/var/chroot/rtadvd:/sbin/nologin
 uucp:*:66:1::0:0:UNIX-to-UNIX Copy:/nonexistent:/sbin/nologin
 nobody:*:32767:39::0:0:Unprivileged user:/nonexistent:/sbin/nologin
--- a/etc/mtree/special
+++ b/etc/mtree/special
@ -1,4 +1,4 @@
-#	$NetBSD: special,v 1.145 2013/05/16 07:37:05 yamt Exp $
+#	$NetBSD: special,v 1.146 2013/07/09 09:34:58 roy Exp $
 #	@(#)special	8.2 (Berkeley) 1/23/94
 #
 # This file may be overwritten on upgrades.
@ -395,6 +395,10 @@
 ./var/chroot/ntpd/var/db	type=dir  mode=0775 gname=ntpd
 ./var/chroot/ntpd/var/run	type=dir  mode=0775 gname=ntpd
 ./var/chroot/pflogd		type=dir  mode=0755
+./var/chroot/rtadvd		type=dir  mode=0755
+./var/chroot/rtadvd/etc		type=dir  mode=0755
+./var/chroot/rtadvd/var		type=dir  mode=0755
+./var/chroot/rtadvd/var/run	type=dir  mode=0775 gname=_rtadvd
 ./var/chroot/sshd		type=dir  mode=0755
 ./var/chroot/tcpdump		type=dir  mode=0755
 ./var/chroot/tftp-proxy		type=dir  mode=0755
--- a/etc/rc.d/rtadvd
+++ b/etc/rc.d/rtadvd
@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# $NetBSD: rtadvd,v 1.7 2012/12/13 15:51:17 roy Exp $
+# $NetBSD: rtadvd,v 1.8 2013/07/09 09:34:58 roy Exp $
 #

 # PROVIDE: rtadvd
@ -9,20 +9,51 @@

 $_rc_subr_loaded . /etc/rc.subr

-name="rtadvd"
+name=rtadvd
 rcvar=$name
-command="/usr/sbin/${name}"
+command="/usr/sbin/$name"
 pidfile="/var/run/$name.pid"
-extra_commands="reload"
-start_precmd="rtadvd_precmd"
+extra_commands=reload
+start_precmd=rtadvd_prestart
+reload_precmd=rtadvd_prereload

-rtadvd_precmd()
+rtadvd_prereload()
 {
-	if [ "$ip6mode" != "router" ]; then
+	local chdir="$(getent passwd _rtadvd | cut -d: -f6)"
+	local conf=/etc/rtadvd.conf myflags o confdir
+	
+	[ -z "$chdir" -o "$chdir" = / ] && return 0
+
+	if [ -n "$flags" ]; then
+		myflags=$flags
+	else
+		eval myflags=\$${name}_flags
+	fi
+	set -- ${myflags}
+	while getopts c:dDfM:Rs o; do
+		case "$1" in
+		-c)	conf="$OPTARG";;
+		esac
+		shift
+	done
+	confdir=$(dirname "$conf")
+	
+	echo "$name: copying $conf to $chdir$conf"
+	cp "$conf" "$chdir$conf"
+
+	# Provide a link to the chrooted dump file
+	ln -snf "$chdir/var/run/$name.dump" /var/run
+}
+
+rtadvd_prestart()
+{
+	if [ "$ip6mode" != router ]; then
 		warn \
 	"${name} cannot be used on IPv6 host, only on an IPv6 router."
 		return 1
 	fi
+
+	rtadvd_prereload
 }

 load_rc_config $name
--- a/usr.sbin/rtadvd/dump.c
+++ b/usr.sbin/rtadvd/dump.c
@ -1,4 +1,4 @@
-/*	$NetBSD: dump.c,v 1.10 2012/12/13 15:36:36 roy Exp $	*/
+/*	$NetBSD: dump.c,v 1.11 2013/07/09 09:34:59 roy Exp $	*/
 /*	$KAME: dump.c,v 1.34 2004/06/14 05:35:59 itojun Exp $	*/

 /*
@ -269,7 +269,7 @@ rtadvd_dump_file(const char *dumpfile)
 	    dumpfile);

 	if ((fp = fopen(dumpfile, "w")) == NULL) {
-		syslog(LOG_WARNING, "<%s> open a dump file(%s)",
+		syslog(LOG_WARNING, "<%s> open a dump file(%s): %m",
 		       __func__, dumpfile);
 		return;
 	}
--- a/usr.sbin/rtadvd/rtadvd.c
+++ b/usr.sbin/rtadvd/rtadvd.c
@ -1,4 +1,4 @@
-/*	$NetBSD: rtadvd.c,v 1.43 2013/06/28 07:59:32 roy Exp $	*/
+/*	$NetBSD: rtadvd.c,v 1.44 2013/07/09 09:34:59 roy Exp $	*/
 /*	$KAME: rtadvd.c,v 1.92 2005/10/17 14:40:02 suz Exp $	*/

 /*
@ -58,6 +58,7 @@
 #include <util.h>
 #endif
 #include <poll.h>
+#include <pwd.h>

 #include "rtadvd.h"
 #include "rrenum.h"
@ -177,6 +178,7 @@ main(int argc, char *argv[])
 	struct timeval *timeout;
 	int i, ch;
 	int fflag = 0, logopt;
+	struct passwd *pw;

 	/* get command line options and arguments */
 #define OPTIONS "c:dDfM:Rs"
@ -229,6 +231,17 @@ main(int argc, char *argv[])
 	if (dflag == 1)
 		(void)setlogmask(LOG_UPTO(LOG_INFO));

+	errno = 0; /* Ensure errno is 0 so we know if getpwnam errors or not */
+	if ((pw = getpwnam(RTADVD_USER)) == NULL) {
+		if (errno == 0)
+			syslog(LOG_ERR,
+			    "user %s does not exist, aborting",
+			    RTADVD_USER);
+		else
+			syslog(LOG_ERR, "getpwnam: %s: %m", RTADVD_USER);
+		exit(1);
+	}
+
 	/* timer initialization */
 	rtadvd_timer_init();

@ -260,6 +273,23 @@ main(int argc, char *argv[])
 	} else
 		set[1].fd = -1;

+	syslog(LOG_INFO, "dropping privileges to %s", RTADVD_USER);
+	if (chroot(pw->pw_dir) == -1) {
+		syslog(LOG_ERR, "chroot: %s: %m", pw->pw_dir);
+		exit(1);
+	}
+	if (chdir("/") == -1) {
+		syslog(LOG_ERR, "chdir: /: %m");
+		exit(1);
+	}
+	if (setgroups(1, &pw->pw_gid) == -1 ||
+	    setgid(pw->pw_gid) == -1 || 
+	    setuid(pw->pw_uid) == -1)
+	{
+		syslog(LOG_ERR, "failed to drop privileges: %m");
+		exit(1);
+	}
+
 	signal(SIGINT, set_die);
 	signal(SIGTERM, set_die);
 	signal(SIGHUP, set_reconf);
--- a/usr.sbin/rtadvd/rtadvd.h
+++ b/usr.sbin/rtadvd/rtadvd.h
@ -1,4 +1,4 @@
-/*	$NetBSD: rtadvd.h,v 1.12 2012/12/13 15:36:36 roy Exp $	*/
+/*	$NetBSD: rtadvd.h,v 1.13 2013/07/09 09:34:59 roy Exp $	*/
 /*	$KAME: rtadvd.h,v 1.30 2005/10/17 14:40:02 suz Exp $	*/

 /*
@ -30,6 +30,8 @@
 * SUCH DAMAGE.
 */

+#define RTADVD_USER	"_rtadvd"
+
 #define ALLNODES "ff02::1"
 #define ALLROUTERS_LINK "ff02::2"
 #define ALLROUTERS_SITE "ff05::2"