changeset 42:afcf403709ef
updates for 3.2, try to drop root privileges
author | carl |
---|---|
date | Mon, 05 Jul 2004 13:09:44 -0700 |
parents | d95af8129dfa |
children | acbe44bbba22 |
files | dnsbl.rc install.bash sendmail.st src/dnsbl.cpp src/scanner.cpp |
diffstat | 5 files changed, 34 insertions(+), 8 deletions(-) [+] |
--- a/dnsbl.rc Mon Jul 05 10:52:02 2004 -0700
+++ b/dnsbl.rc Mon Jul 05 13:09:44 2004 -0700
@@ -22,7 +22,8 @@
 echo -n "Starting dnsbl-milter: "
 if [ ! -f /var/lock/subsys/dnsbl ]; then
 cd /etc/dnsbl # conf file is here
- su -l dnsbl -s /bin/sh -c "/usr/sbin/dnsbl -d -p local:/var/run/dnsbl/dnsbl.sock "
+ #su -l dnsbl -s /bin/sh -c "/usr/sbin/dnsbl -d -p local:/var/run/dnsbl.sock "
+ /usr/sbin/dnsbl -d -p local:/var/run/dnsbl.sock
 RETVAL=$?
 pid=`pidof -s /usr/sbin/dnsbl`
 if [ $pid ]
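Review bot: The init script now launches /usr/sbin/dnsbl as root and relies entirely on the daemon's own getpwnam/setuid step to become `dnsbl`; if that step fails inside the binary the milter keeps running as root and nothing in this script notices, so the intent should be stated next to the start line, e.g. `# started as root: the daemon binds local:/var/run/dnsbl.sock and then drops to user dnsbl itself`. The commented-out `su -l dnsbl ...` line is dead code and also names a different socket path than the line it replaced, which will mislead the next reader; delete it rather than keep it. The enclosing `if` block continues past the hunk.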
--- a/install.bash Mon Jul 05 10:52:02 2004 -0700
+++ b/install.bash Mon Jul 05 13:09:44 2004 -0700
@@ -25,7 +25,7 @@
 #####################
 # ensure the user is created
-/usr/bin/getent passwd dnsbl || useradd -r -d /etc/dnsbl -M -c "dnsbl pseudo-user" -s /sbin/nologin dnsbl
+/usr/bin/getent passwd dnsbl || /usr/sbin/useradd -r -d /etc/dnsbl -M -c "dnsbl pseudo-user" -s /sbin/nologin dnsbl
 # install the milter
 DST=/etc/dnsbl
 mkdir -p $DST
--- a/src/dnsbl.cpp Mon Jul 05 10:52:02 2004 -0700
+++ b/src/dnsbl.cpp Mon Jul 05 13:09:44 2004 -0700
@@ -43,6 +43,7 @@
 #include <netinet/tcp.h>
 #include <netdb.h>
 #include <sys/socket.h>
+#include <sys/un.h>
 // needed for thread
 #include <pthread.h>
@@ -61,6 +62,7 @@
 #include <ctype.h>
 #include <fstream>
 #include <syslog.h>
+#include <pwd.h>
 static char* dnsbl_version="$Id$";
@@ -306,7 +308,7 @@
 static void my_syslog(mlfiPriv *priv, char *text) {
 char buf[1000];
 if (priv) {
- snprintf(buf, sizeof(buf), "%s %s", priv->queueid, text);
+ snprintf(buf, sizeof(buf), "%s: %s", priv->queueid, text);
 text = buf;
 }
 pthread_mutex_lock(&syslog_mutex);
@@ -689,7 +691,7 @@
 status st = oksofar;
 mlfiPriv &priv = *MLFIPRIV;
 CONFIG &dc = *priv.pc;
- if (!priv.queueid) priv.queueid = strdup(smfi_getsymval(ctx, "i");
+ if (!priv.queueid) priv.queueid = strdup(smfi_getsymval(ctx, "i"));
 char *rcptaddr = rcpt[0];
 char *dnsname = lookup(rcptaddr, dc.env_to_dnsbll);
 char *fromname = lookup(rcptaddr, dc.env_to_chkfrom);
@@ -1283,6 +1285,20 @@
 }
+
+static void setup_socket(char *sock);
+static void setup_socket(char *sock) {
+ unlink(sock);
+ sockaddr_un addr;
+ memset(&addr, '\0', sizeof addr);
+ addr.sun_family = AF_UNIX;
+ strncpy(addr.sun_path, sock, sizeof(addr.sun_path)-1);
+ int s = socket(AF_UNIX, SOCK_STREAM, 0);
+ bind(s, (sockaddr*)&addr, sizeof(addr));
+ close(s);
+}
+
+
 int main(int argc, char**argv) {
 bool check = false;
@@ -1304,8 +1320,8 @@
 exit(EX_SOFTWARE);
 }
- if (strncasecmp(optarg, "unix:", 5) == 0) unlink(optarg + 5);
- else if (strncasecmp(optarg, "local:", 6) == 0) unlink(optarg + 6);
+ if (strncasecmp(optarg, "unix:", 5) == 0) setup_socket(optarg + 5);
+ else if (strncasecmp(optarg, "local:", 6) == 0) setup_socket(optarg + 6);
 setconn = true;
 break;
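Review bot: setup_socket ignores the return values of socket() and bind(): if socket() fails, s is -1 and bind()/close() are called on an invalid descriptor, and a failed bind() (for example no write access to the socket directory) is swallowed silently, so the later smfi_main failure is much harder to diagnose. It also copies sock into sun_path with strncpy and no length check, so an over-long path is silently truncated to a different filename, and the root-owned socket node it leaves behind is what the daemon later uses after the uid drop (I cannot see from the hunk how smfi_main treats it). I would check the length and both calls and report through the two-argument my_syslog shown earlier in this file, as below. Separately, the hunk at -689 fixes the missing parenthesis but still hands the result of smfi_getsymval straight to strdup; the "i" macro may be unavailable in this callback, and strdup(NULL) crashes, so guard it with `char *qid = smfi_getsymval(ctx, "i"); if (!priv.queueid && qid) priv.queueid = strdup(qid);`.
```cpp
static void setup_socket(char *sock) {
    unlink(sock);
    sockaddr_un addr;
    memset(&addr, '\0', sizeof addr);
    addr.sun_family = AF_UNIX;
    // sun_path is small; a truncated path would silently become a different file
    if (strlen(sock) >= sizeof(addr.sun_path)) {
        my_syslog(NULL, "unix socket path too long");
        return;
    }
    strncpy(addr.sun_path, sock, sizeof(addr.sun_path)-1);
    int s = socket(AF_UNIX, SOCK_STREAM, 0);
    if (s == -1) {
        my_syslog(NULL, "socket() failed for unix socket");
        return;
    }
    if (bind(s, (sockaddr*)&addr, sizeof(addr)) == -1) {
        my_syslog(NULL, "bind() failed for unix socket");
    }
    close(s);
}
```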
@@ -1394,6 +1410,15 @@
 fclose(f);
 }
+
+ // drop root privs
+ struct passwd *pw = getpwnam("dnsbl");
+ if (pw) {
+ if (setuid(pw->pw_uid) == -1) {
+ my_syslog("failed to switch to user dnsbl");
+ }
+ }
+
 time_t starting = time(NULL);
 int rc = smfi_main();
 if ((rc != MI_SUCCESS) && (time(NULL) > starting+5*60)) {
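Review bot: The privilege drop only changes the uid: there is no setgid()/initgroups() before setuid(), so the process keeps root's primary and supplementary groups, and when getpwnam("dnsbl") returns NULL or setuid() fails the daemon silently carries on as root. Both cases should refuse to continue rather than log and proceed, and the group switch has to come before setuid() because it needs root. `my_syslog("failed to switch to user dnsbl")` passes one argument while the signature shown in this file's earlier hunk is `my_syslog(mlfiPriv *priv, char *text)`; that is fine if a one-argument overload exists elsewhere in the file, otherwise it will not compile. Proposed replacement below (initgroups needs `<grp.h>`; EX_NOUSER and EX_OSERR come from the same sysexits.h as the EX_SOFTWARE already used); main continues outside the hunk.
```cpp
    // drop root privs: groups first (needs root), then uid; never run as root by accident
    struct passwd *pw = getpwnam("dnsbl");
    if (!pw) {
        my_syslog(NULL, "user dnsbl not found, refusing to run as root");
        exit(EX_NOUSER);
    }
    if (setgid(pw->pw_gid) == -1 || initgroups("dnsbl", pw->pw_gid) == -1 || setuid(pw->pw_uid) == -1) {
        my_syslog(NULL, "failed to switch to user dnsbl");
        exit(EX_OSERR);
    }
```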
--- a/src/scanner.cpp Mon Jul 05 10:52:02 2004 -0700
+++ b/src/scanner.cpp Mon Jul 05 13:09:44 2004 -0700
@@ -20,7 +20,7 @@
 string_set hosts;
 int bad_html_tags;
 int binary_tags;
- recorder(string_set *html_tags_, string_set *tlds_);
+ recorder(mlfiPriv *priv_, string_set *html_tags_, string_set *tlds_);
 ~recorder();
 void empty();
 void new_url(char *host);
@@ -931,7 +931,7 @@
 void fsa::error(char *err) {
 count = 0;
 st = init;
- if (err) my_syslog(err);
+ if (err) my_syslog(memory->priv, err);
 }
 void fsa::pusher() {