diff src/common.c @ 36:1fe62a94c28a

Added option SETUID to drop privileges
author Ivo Smits <Ivo@UCIS.nl>
date Mon, 06 May 2013 21:28:05 +0200
parents a1ec0d6b6f13
children d9f5caa13898
line wrap: on
line diff
--- a/src/common.c	Mon May 06 18:05:07 2013 +0200
+++ b/src/common.c	Mon May 06 21:28:05 2013 +0200
@@ -27,6 +27,7 @@
 #include <stdlib.h>
 #include <string.h>
 #include <fcntl.h>
+#include <pwd.h>
 #ifndef HAVE_NETINET_IN_H
 #include <netinet/in.h>
 #endif
@@ -200,6 +201,18 @@
 	}
 }
 
+int drop_privileges() {
+	char* envval;
+	if (envval = getconf("SETUID")) {
+		if (setgroups(0, NULL) == -1) return errorexitp("setgroups");
+		struct passwd *pw = getpwnam(envval);
+		if (!pw) return errorexitp("getpwnam");
+		if (setgid(pw->pw_gid) == -1) return errorexitp("setgid");
+		if (setuid(pw->pw_uid) == -1) return errorexitp("setuid");
+	}
+	chdir("/");
+}
+
 int qtrun(struct qtproto* p) {
 	if (getconf("DEBUG")) debug = 1;
 	struct qtsession session;
@@ -216,6 +229,8 @@
 	session.protocol_data = &protocol_data;
 	if (p->init && p->init(&session) < 0) return -1;
 
+	if (drop_privileges() < 0) return -1;
+
 	fprintf(stderr, "The tunnel is now operational!\n");
 
 	struct pollfd fds[2];