changeset 42:afcf403709ef

updates for 3.2, try to drop root privileges
author carl
date Mon, 05 Jul 2004 13:09:44 -0700
parents d95af8129dfa
children acbe44bbba22
files dnsbl.rc install.bash sendmail.st src/dnsbl.cpp src/scanner.cpp
diffstat 5 files changed, 34 insertions(+), 8 deletions(-) [+]
line wrap: on
line diff
--- a/dnsbl.rc	Mon Jul 05 10:52:02 2004 -0700
+++ b/dnsbl.rc	Mon Jul 05 13:09:44 2004 -0700
@@ -22,7 +22,8 @@
         echo -n "Starting dnsbl-milter: "
         if [ ! -f /var/lock/subsys/dnsbl ]; then
             cd /etc/dnsbl   # conf file is here
-            su -l dnsbl -s /bin/sh -c "/usr/sbin/dnsbl -d -p local:/var/run/dnsbl/dnsbl.sock "
+            #su -l dnsbl -s /bin/sh -c "/usr/sbin/dnsbl -d -p local:/var/run/dnsbl.sock "
+            /usr/sbin/dnsbl -d -p local:/var/run/dnsbl.sock
             RETVAL=$?
             pid=`pidof -s /usr/sbin/dnsbl`
             if [ $pid ]
--- a/install.bash	Mon Jul 05 10:52:02 2004 -0700
+++ b/install.bash	Mon Jul 05 13:09:44 2004 -0700
@@ -25,7 +25,7 @@
 
 #####################
 # ensure the user is created
-/usr/bin/getent passwd dnsbl || useradd -r -d /etc/dnsbl -M -c "dnsbl pseudo-user" -s /sbin/nologin dnsbl
+/usr/bin/getent passwd dnsbl || /usr/sbin/useradd -r -d /etc/dnsbl -M -c "dnsbl pseudo-user" -s /sbin/nologin dnsbl
 # install the milter
 DST=/etc/dnsbl
 mkdir -p $DST
Binary file sendmail.st has changed
--- a/src/dnsbl.cpp	Mon Jul 05 10:52:02 2004 -0700
+++ b/src/dnsbl.cpp	Mon Jul 05 13:09:44 2004 -0700
@@ -43,6 +43,7 @@
 #include <netinet/tcp.h>
 #include <netdb.h>
 #include <sys/socket.h>
+#include <sys/un.h>
 
 // needed for thread
 #include <pthread.h>
@@ -61,6 +62,7 @@
 #include <ctype.h>
 #include <fstream>
 #include <syslog.h>
+#include <pwd.h>
 
 static char* dnsbl_version="$Id$";
 
@@ -306,7 +308,7 @@
 static void my_syslog(mlfiPriv *priv, char *text) {
     char buf[1000];
     if (priv) {
-        snprintf(buf, sizeof(buf), "%s %s", priv->queueid, text);
+        snprintf(buf, sizeof(buf), "%s: %s", priv->queueid, text);
         text = buf;
     }
     pthread_mutex_lock(&syslog_mutex);
@@ -689,7 +691,7 @@
     status st = oksofar;
     mlfiPriv &priv = *MLFIPRIV;
     CONFIG &dc = *priv.pc;
-    if (!priv.queueid) priv.queueid = strdup(smfi_getsymval(ctx, "i");
+    if (!priv.queueid) priv.queueid = strdup(smfi_getsymval(ctx, "i"));
     char *rcptaddr = rcpt[0];
     char *dnsname  = lookup(rcptaddr, dc.env_to_dnsbll);
     char *fromname = lookup(rcptaddr, dc.env_to_chkfrom);
@@ -1283,6 +1285,20 @@
 }
 
 
+
+static void setup_socket(char *sock);
+static void setup_socket(char *sock) {
+    unlink(sock);
+    sockaddr_un addr;
+    memset(&addr, '\0', sizeof addr);
+    addr.sun_family = AF_UNIX;
+    strncpy(addr.sun_path, sock, sizeof(addr.sun_path)-1);
+    int s = socket(AF_UNIX, SOCK_STREAM, 0);
+    bind(s, (sockaddr*)&addr, sizeof(addr));
+    close(s);
+}
+
+
 int main(int argc, char**argv)
 {
     bool check   = false;
@@ -1304,8 +1320,8 @@
                     exit(EX_SOFTWARE);
                 }
 
-                     if (strncasecmp(optarg, "unix:", 5) == 0)  unlink(optarg + 5);
-                else if (strncasecmp(optarg, "local:", 6) == 0) unlink(optarg + 6);
+                     if (strncasecmp(optarg, "unix:", 5) == 0)  setup_socket(optarg + 5);
+                else if (strncasecmp(optarg, "local:", 6) == 0) setup_socket(optarg + 6);
                 setconn = true;
                 break;
 
@@ -1394,6 +1410,15 @@
         fclose(f);
     }
 
+
+    // drop root privs
+    struct passwd *pw = getpwnam("dnsbl");
+    if (pw) {
+        if (setuid(pw->pw_uid) == -1) {
+            my_syslog("failed to switch to user dnsbl");
+        }
+    }
+
     time_t starting = time(NULL);
     int rc = smfi_main();
     if ((rc != MI_SUCCESS) && (time(NULL) > starting+5*60)) {
--- a/src/scanner.cpp	Mon Jul 05 10:52:02 2004 -0700
+++ b/src/scanner.cpp	Mon Jul 05 13:09:44 2004 -0700
@@ -20,7 +20,7 @@
     string_set  hosts;
     int         bad_html_tags;
     int         binary_tags;
-    recorder(string_set *html_tags_, string_set *tlds_);
+    recorder(mlfiPriv *priv_, string_set *html_tags_, string_set *tlds_);
     ~recorder();
     void empty();
     void new_url(char *host);
@@ -931,7 +931,7 @@
 void fsa::error(char *err) {
     count = 0;
     st    = init;
-    if (err) my_syslog(err);
+    if (err) my_syslog(memory->priv, err);
 }
 
 void fsa::pusher() {