[PATH] -g option for httpd and default user

Luciano Miguel Ferreira Rocha strange at nsk.no-ip.org
Mon Sep 25 17:58:19 UTC 2006


Hello,

The attached patch changes httpd in the following ways when
CONFIG_FEATURE_HTTPD_SETUID is set:

1. -u now also sets the group id (from pwent->pw_gid, if found, else
   same as uid)
2. new -g option, defining new group id
3. setgid and setuid are always called, even in the absence of -u/-g,
   and a new option for defining the default was added. Default is "-1".

Regards,
Luciano Rocha

-- 
lfr
0/0
-------------- next part --------------
diff -ur busybox-1.2.1.orig/include/usage.h busybox-1.2.1/include/usage.h
--- busybox-1.2.1.orig/include/usage.h	2006-06-30 23:42:10.000000000 +0100
+++ busybox-1.2.1/include/usage.h	2006-09-25 18:39:51.000000000 +0100
@@ -1094,17 +1094,25 @@
 #define httpd_trivial_usage \
 	"[-c <conf file>]" \
 	USE_FEATURE_HTTPD_WITHOUT_INETD(" [-p <port>]") \
-	USE_FEATURE_HTTPD_SETUID(" [-u user]") \
+	USE_FEATURE_HTTPD_SETUID(" [-u user] [-g group]") \
 	USE_FEATURE_HTTPD_BASIC_AUTH(" [-r <realm>]") \
 	USE_FEATURE_HTTPD_AUTH_MD5(" [-m pass]") \
 	" [-h home]" \
 	" [-d/-e <string>]"
+
+#ifndef CONFIG_FEATURE_HTTPD_SETUID_DEFAULT
+# define DEFAULT_ID "-1"
+#else
+# define DEFAULT_ID CONFIG_FEATURE_HTTPD_SETUID_DEFAULT
+#endif
+
 #define httpd_full_usage \
 	"Listens for incoming http server requests.\n\n" \
 	"Options:\n" \
 	"\t-c FILE\t\tSpecifies configuration file. (default httpd.conf)\n" \
-	USE_FEATURE_HTTPD_WITHOUT_INETD("\t-p PORT\tServer port (default 80)\n") \
-	USE_FEATURE_HTTPD_SETUID("\t-u USER\tSet uid to USER after listening privileges port\n") \
+	USE_FEATURE_HTTPD_WITHOUT_INETD("\t-p PORT\t\tServer port (default 80)\n") \
+	USE_FEATURE_HTTPD_SETUID("\t-u USER\t\tSet uid to USER (default " DEFAULT_ID ")\n") \
+	USE_FEATURE_HTTPD_SETUID("\t-g GROUP\tSet gid to GROUP (default USER option)\n") \
 	USE_FEATURE_HTTPD_BASIC_AUTH("\t-r REALM\tAuthentication Realm for Basic Authentication\n") \
 	USE_FEATURE_HTTPD_AUTH_MD5("\t-m PASS\t\tCrypt PASS with md5 algorithm\n") \
 	"\t-h HOME  \tSpecifies http HOME directory (default ./)\n" \
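Review bot: The `DEFAULT_ID` fallback block added here is repeated byte-for-byte in httpd.c (the hunk at its line 131), and usage.h is pulled into every applet's build, so a macro this generically named is both duplicated and a collision risk for any other applet that defines its own `DEFAULT_ID`. Keep one definition and give it an applet-specific name, e.g. `#define HTTPD_DEFAULT_ID CONFIG_FEATURE_HTTPD_SETUID_DEFAULT`, with httpd.c picking it up from wherever the build already exposes usage.h to it; if httpd.c cannot see that header, at least the rename should be applied to both copies so a stray definition elsewhere cannot silently change the help text or the default id.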
diff -ur busybox-1.2.1.orig/networking/Config.in busybox-1.2.1/networking/Config.in
--- busybox-1.2.1.orig/networking/Config.in	2006-06-30 23:42:02.000000000 +0100
+++ busybox-1.2.1/networking/Config.in	2006-09-25 18:43:25.000000000 +0100
@@ -85,15 +85,22 @@
 	  configuration settings.
 
 config CONFIG_FEATURE_HTTPD_SETUID
-	bool "Enable support -u <user> option"
+	bool "Enable support for -u <user> and -g <group> options"
 	default n
 	depends on CONFIG_HTTPD && CONFIG_FEATURE_HTTPD_WITHOUT_INETD
 	help
-	  This option allows the server to run as a specific user
-	  rather than defaulting to the user that starts the server.
+	  This option allows the server to run as a specific user and/or
+	  group rather than defaulting to the user that starts the server.
 	  Use of this option requires special privileges to change to a
 	  different user.
 
+config CONFIG_FEATURE_HTTPD_SETUID_DEFAULT
+	string "Default user"
+	default "-1"
+	depends on CONFIG_FEATURE_HTTPD_SETUID
+	help
+	  Specify default user for -u option.
+
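Review bot: The help text for `CONFIG_FEATURE_HTTPD_SETUID_DEFAULT` does not say what form the value takes or what the built-in "-1" means, and it omits that the same value is also the fallback for `-g` when no group is given (the httpd.c hunk derives gid from this user). Suggested wording: `Default user for -u, given as a name or numeric id; it is also used to derive the group when -g is not given. Leave at "-1" to keep the id the server was started with.` — the last clause only if that is indeed the intended behaviour of the sentinel, which the patch does not document anywhere.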
 config CONFIG_FEATURE_HTTPD_BASIC_AUTH
 	bool "Enable Basic http Authentication"
 	default y
diff -ur busybox-1.2.1.orig/networking/httpd.c busybox-1.2.1/networking/httpd.c
--- busybox-1.2.1.orig/networking/httpd.c	2006-06-30 23:42:02.000000000 +0100
+++ busybox-1.2.1/networking/httpd.c	2006-09-25 18:46:01.000000000 +0100
@@ -131,6 +131,12 @@
 # define DEBUG 0
 #endif
 
+#ifndef CONFIG_FEATURE_HTTPD_SETUID_DEFAULT
+# define DEFAULT_ID "-1"
+#else
+# define DEFAULT_ID CONFIG_FEATURE_HTTPD_SETUID_DEFAULT
+#endif
+
 #define MAX_MEMORY_BUFF 8192    /* IO buffer */
 
 typedef struct HT_ACCESS {
@@ -1897,7 +1903,7 @@
 	USE_FEATURE_HTTPD_ENCODE_URL_STR(e_opt_encode_url,)
 	USE_FEATURE_HTTPD_BASIC_AUTH(r_opt_realm,)
 	USE_FEATURE_HTTPD_AUTH_MD5(m_opt_md5,)
-	USE_FEATURE_HTTPD_SETUID(u_opt_setuid,)
+	USE_FEATURE_HTTPD_SETUID(u_opt_setuid, g_opt_setuid,)
 	USE_FEATURE_HTTPD_WITHOUT_INETD(p_opt_port,)
 };
 
@@ -1905,7 +1911,7 @@
 	USE_FEATURE_HTTPD_ENCODE_URL_STR("e:")
 	USE_FEATURE_HTTPD_BASIC_AUTH("r:")
 	USE_FEATURE_HTTPD_AUTH_MD5("m:")
-	USE_FEATURE_HTTPD_SETUID("u:")
+	USE_FEATURE_HTTPD_SETUID("u:g:")
 	USE_FEATURE_HTTPD_WITHOUT_INETD("p:");
 
 #define OPT_CONFIG_FILE (1<<c_opt_config_file)
@@ -1921,6 +1927,8 @@
 #define OPT_MD5         USE_FEATURE_HTTPD_AUTH_MD5((1<<m_opt_md5)) \
 			SKIP_FEATURE_HTTPD_AUTH_MD5(0)
 
+#define OPT_SETGID      USE_FEATURE_HTTPD_SETUID((1<<g_opt_setuid)) \
+			SKIP_FEATURE_HTTPD_SETUID(0)
 #define OPT_SETUID      USE_FEATURE_HTTPD_SETUID((1<<u_opt_setuid)) \
 			SKIP_FEATURE_HTTPD_SETUID(0)
 
@@ -1937,8 +1945,8 @@
   USE_FEATURE_HTTPD_WITHOUT_INETD(const char *s_port;)
   USE_FEATURE_HTTPD_WITHOUT_INETD(int server;)
 
-  USE_FEATURE_HTTPD_SETUID(const char *s_uid;)
-  USE_FEATURE_HTTPD_SETUID(long uid = -1;)
+  USE_FEATURE_HTTPD_SETUID(const char *s_uid = DEFAULT_ID, *s_gid = DEFAULT_ID;)
+  USE_FEATURE_HTTPD_SETUID(long uid, gid;)
 
   USE_FEATURE_HTTPD_AUTH_MD5(const char *pass;)
 
@@ -1958,7 +1966,7 @@
 			USE_FEATURE_HTTPD_ENCODE_URL_STR(, &url_for_encode)
 			USE_FEATURE_HTTPD_BASIC_AUTH(, &(config->realm))
 			USE_FEATURE_HTTPD_AUTH_MD5(, &pass)
-			USE_FEATURE_HTTPD_SETUID(, &s_uid)
+			USE_FEATURE_HTTPD_SETUID(, &s_uid, &s_gid)
 			USE_FEATURE_HTTPD_WITHOUT_INETD(, &s_port)
 	);
 
@@ -1982,15 +1990,15 @@
     if(opt & OPT_PORT)
 	config->port = bb_xgetlarg(s_port, 10, 1, 0xffff);
 #ifdef CONFIG_FEATURE_HTTPD_SETUID
-    if(opt & OPT_SETUID) {
-	char *e;
-
-	uid = strtol(s_uid, &e, 0);
-	if(*e != '\0') {
-		/* not integer */
-		uid = bb_xgetpwnam(s_uid);
+	gid = get_ug_id(s_gid, bb_xgetgrnam);
+	uid = get_ug_id(s_uid, bb_xgetpwnam);
+	if (!(opt & OPT_SETGID)) {
+		struct passwd *pwe;
+		if (!(pwe = getpwuid(uid)))
+			gid = uid;
+		else
+			gid = pwe->pw_gid;
 	}
-      }
 #endif
 #endif
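Review bot: `get_ug_id(s_uid, bb_xgetpwnam)` is now reached unconditionally with the literal "-1" from `DEFAULT_ID`, whereas the removed code parsed with `strtol(s_uid, &e, 0)` and only consulted the passwd database for non-numeric input; `get_ug_id` is not part of this patch, so it should be confirmed that it accepts a leading minus as a numeric id rather than handing "-1" to `bb_xgetpwnam`, which would abort httpd at startup whenever `-u` is omitted. The fallback `gid = uid` when `getpwuid(uid)` finds no entry is a silent guess that deserves a one-line comment, e.g. `/* numeric uid with no passwd entry: assume a matching numeric gid */`, and the assignment inside the condition reads more clearly as `pwe = getpwuid(uid);` followed by `gid = pwe ? pwe->pw_gid : uid;`. The enclosing `httpd_main` starts and ends outside this hunk.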
 
@@ -1999,8 +2007,8 @@
   server = openServer();
 # ifdef CONFIG_FEATURE_HTTPD_SETUID
   /* drop privileges */
-  if(uid > 0)
-	setuid(uid);
+  setgid(gid);
+  setuid(uid);
 # endif
 #endif
 

