drop root

2021-02-11 12:07:37 +01:00 · 2021-02-11 12:07:37 +01:00 · 3e41e4d9e5
commit 3e41e4d9e5
parent ee46e6871c
1 changed files with 15 additions and 1 deletions
--- a/sink/sink20169.c
+++ b/sink/sink20169.c
@ -315,6 +315,8 @@ void usage() {
    printf("  -v ............... Verbose, writes all logging on stdout too\n");
    printf("  -s FACILITY ...... Sets syslog facility, only LOCAL[0..7]\n");
    printf("                     USER and DAEMON are supported\n");
+    printf("  -n UID ........... If started as root drop privileges and become\n");
+    printf("                     user with id UID\n");
    printf("  -h ............... This help\n");
 }

@ -325,9 +327,10 @@ int main(int argc, char **argv) {


    const char *configFilename = DEFAULT_CONFIG_FILENAME;
+    uid_t dropPrivilegesToUID = 0;

    int c;
-    while ((c = getopt(argc, argv, "f:vs:h")) != -1) {
+    while ((c = getopt(argc, argv, "f:vs:hn:")) != -1) {
        switch (c) {
            case 'f':
                configFilename = strdup(optarg);
@ -338,6 +341,9 @@ int main(int argc, char **argv) {
            case 's':
                setfacility(optarg);
                break;
+            case 'n':
+                dropPrivilegesToUID = (uid_t) strtol(optarg, NULL, 10);
+                break;
            case 'h':
                usage();
                exit(0);
@ -345,6 +351,14 @@ int main(int argc, char **argv) {
        }
    }

+    if ((getuid() == 0) && (dropPrivilegesToUID != 0)) {
+        logmsg(LOG_INFO, "dropping root privileges");
+        if (setuid(dropPrivilegesToUID) != 0) {
+            logmsg(LOG_ERR, "unable to drop root privileges");
+            exit(-1);
+        }
+    }
+
    if (0 != initConfig(configFilename, &configHandle)) {
        logmsg(LOG_ERR, "error when reading configuration");
        exit(-1);