author | Rezrov Frotz <rezrov.frotz@gmail.com> | 2014-06-11 11:58:26 -0400 |
---|---|---|
committer | Joel Rosdahl <joel@rosdahl.net> | 2014-06-23 21:58:01 +0200 |
commit | 5cc528c55d27d0e671f7ae99424c0fefb594bf3e (patch) | |
tree | 7a4ce89aa0f9652c24e7f7768e9601ff8a0350d1 /miniircd | |
parent | c92708155459596b7b71c749b78c245799d5b503 (diff) | |
Added options for chroot and setting the server uid/gid.
Diffstat (limited to 'miniircd')
-rwxr-xr-x | miniircd | 37 |
1 files changed, 36 insertions, 1 deletions
@@ -32,7 +32,8 @@ import tempfile
 import time
 from datetime import datetime
 from optparse import OptionParser
-
+from pwd import getpwnam
+from grp import getgrnam

 def create_directory(path):
 if not os.path.isdir(path):
@@ -639,6 +640,8 @@ class Server(object):
 self.verbose = options.verbose
 self.debug = options.debug
 self.logdir = options.logdir
+ self.chroot = options.chroot
+ self.setuid = options.setuid
 self.statedir = options.statedir
 self.name = socket.getfqdn()[:63] # Server name limit from the RFC.
 self.channels = {} # irc_lower(Channel name) --> Channel instance.
@@ -744,6 +747,14 @@ class Server(object):
 serversockets.append(s)
 del s
 self.print_info("Listening on port %d." % port)
+ if self.chroot:
+ os.chdir(self.chroot)
+ os.chroot(self.chroot)
+ self.print_info("Changed root directory to %s" % self.chroot)
+ if self.setuid:
+ os.setresgid(self.setuid[1],self.setuid[1],self.setuid[1])
+ os.setresuid(self.setuid[0],self.setuid[0],self.setuid[0])
+ self.print_info("Setting uid:gid to %s:%s" % (self.setuid[0], self.setuid[1]))
 last_aliveness_check = time.time()
 while True:
 (iwtd, owtd, ewtd) = select.select(
@@ -833,6 +844,16 @@ def main(argv):
 "--verbose",
 action="store_true",
 help="be verbose (print some progress messages to stdout)")
+ if os.name == "posix":
+ op.add_option(
+ "--chroot",
+ metavar="X",
+ help="Change filesystem root to directory X after startup (requires root)")
+ op.add_option(
+ "--setuid",
+ metavar="U[:G]",
+ help="Change process user (and optionally group) after startup (requires root)")
+
 (options, args) = op.parse_args(argv[1:])
 if options.debug:
 options.verbose = True
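Review bot: The two imports added in the first hunk are unconditional, but `pwd` and `grp` exist only on Unix, so the script would fail at import time elsewhere even though the option definitions later in this commit are guarded by `os.name == "posix"`. Putting the imports under the same guard keeps the two consistent: `if os.name == "posix":` followed by the two `from ... import ...` lines, assuming `os` is already imported above line 32, which this hunk does not show. The same mismatch appears in the `Server.__init__` and `main` hunks, which read `options.chroot` unconditionally although the options are never registered on a non-posix run. A line such as `op.set_defaults(chroot=None, setuid=None)` before `op.parse_args` would cover that.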
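Review bot: The privilege drop in the `if self.setuid:` branch sets the real, effective and saved gid and uid but never touches the supplementary group list, so the server keeps whatever groups the root process was started with. Resetting the list before the gid change closes that gap: `os.setgroups([])` on the line before `os.setresgid(...)`. The gid-before-uid order is right and should be kept, since the gid can no longer be changed once the uid is dropped. The log line reads "Setting" although it is printed after the change; `"Changed uid:gid to %s:%s"` would match the chroot message above it. The enclosing method starts and ends outside the hunk.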
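Review bot: The `--chroot` help text in the `main` option block does not say that the option only contains the server when it is combined with `--setuid`; a process that is still root after `os.chroot` is not confined by it. I would extend the string to `help="Change filesystem root to directory X after startup (requires root; combine with --setuid so the server does not keep running as root)"`. It would also help to state that the chroot is applied after the listening sockets are opened, so paths used later at run time are presumably resolved inside X; that depends on code outside this hunk.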
@@ -845,6 +866,20 @@ def main(argv):
 options.ports = "6667"
 else:
 options.ports = "6697"
+ if options.chroot:
+ if os.getuid() != 0:
+ op.error("Must be root to use --chroot")
+ if options.setids:
+ if os.getuid() != 0:
+ op.error("Must be root to use --setuid")
+ match = re.findall(r"([a-z_][a-z0-9_-]*[\$]?)", options.setids)
+
+ if len(match) > 1:
+ options.setids = (int(getpwnam(match[0]).pw_uid),int(getgrnam(match[1]).gr_gid))
+ elif len(match) == 1:
+ options.setids = (int(getpwnam(match[0]).pw_uid),int(getpwnam(match[0]).pw_gid))
+ else:
+ op.error("Specify a user, or user and group separated by a semicolon, e.g. --setuid daemon, --setuid nobody:nobody")
 ports = []
 for port in re.split(r"[,\s]+", options.ports):
 try: |
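Review bot: The validation block reads and writes `options.setids`, but the option added in this commit is `--setuid`, whose optparse destination is `setuid`, so `if options.setids:` appears to raise AttributeError on every start. Even if it did not, the `Server.__init__` hunk copies `options.setuid`, which would still be the raw string rather than the (uid, gid) tuple that the `os.setresgid`/`os.setresuid` calls index into. The parsing is also looser than a privilege-drop option should be: `re.findall` with a lowercase-only pattern silently picks fragments out of input it does not fully match, an unknown name surfaces as an uncaught KeyError from `getpwnam`/`getgrnam`, and the error text says "semicolon" while its examples use a colon. A stricter version that splits once on `:` and reports lookup failures through `op.error` is below; `main` starts and ends outside the hunk.

```python
    # … unchanged: --chroot root check …
    if options.setuid:
        if os.getuid() != 0:
            op.error("Must be root to use --setuid")
        user, _, group = options.setuid.partition(":")
        if not user:
            op.error("Specify a user, or user and group separated by a colon, e.g. --setuid daemon, --setuid nobody:nobody")
        try:
            account = getpwnam(user)
            gid = getgrnam(group).gr_gid if group else account.pw_gid
        except KeyError:
            op.error("Unknown user or group in --setuid: %s" % options.setuid)
        options.setuid = (account.pw_uid, gid)
```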