main: open cmdmon and NTP internet sockets before dropping root
Call the CAM, NIO, NCR initialization functions and setup the access restrictions before root is dropped. This will be needed on NetBSD, where it's not possible to bind sockets to privileged ports without the root privileges. Split the creation of the Unix domain command socket from the CAM initialization to keep the chrony user as the owner of the socket.
This commit is contained in:
Miroslav Lichvar
parent
c0867b58f5
commit
8854c00d48
3 changed files with 23 additions and 11 deletions
16
cmdmon.c
16
cmdmon.c
|
|
@ -267,10 +267,7 @@ CAM_Initialise(int family)
|
|||
assert(command_length == 0 || command_length >= offsetof(CMD_Reply, data));
|
||||
}
|
||||
|
||||
if (CNF_GetBindCommandPath()[0])
|
||||
sock_fdu = prepare_socket(AF_UNIX, 0);
|
||||
else
|
||||
sock_fdu = -1;
|
||||
sock_fdu = -1;
|
||||
|
||||
port_number = CNF_GetCommandPort();
|
||||
|
||||
|
|
@ -328,6 +325,17 @@ CAM_Finalise(void)
|
|||
|
||||
/* ================================================== */
|
||||
|
||||
void
|
||||
CAM_OpenUnixSocket(void)
|
||||
{
|
||||
/* This is separated from CAM_Initialise() as it needs to be called when
|
||||
the process has already dropped the root privileges */
|
||||
if (CNF_GetBindCommandPath()[0])
|
||||
sock_fdu = prepare_socket(AF_UNIX, 0);
|
||||
}
|
||||
|
||||
/* ================================================== */
|
||||
|
||||
static void
|
||||
transmit_reply(CMD_Reply *msg, union sockaddr_all *where_to)
|
||||
{
|
||||
|
|
|
|||
1
cmdmon.h
1
cmdmon.h
|
|
@ -33,6 +33,7 @@ extern void CAM_Initialise(int family);
|
|||
|
||||
extern void CAM_Finalise(void);
|
||||
|
||||
extern void CAM_OpenUnixSocket(void);
|
||||
extern int CAM_AddAccessRestriction(IPAddr *ip_addr, int subnet_bits, int allow, int all);
|
||||
extern int CAM_CheckAccessRestriction(IPAddr *ip_addr);
|
||||
|
||||
|
|
|
|||
17
main.c
17
main.c
|
|
@ -95,10 +95,10 @@ MAI_CleanupAndExit(void)
|
|||
MNL_Finalise();
|
||||
CLG_Finalise();
|
||||
NSR_Finalise();
|
||||
NCR_Finalise();
|
||||
CAM_Finalise();
|
||||
NIO_Finalise();
|
||||
SST_Finalise();
|
||||
NCR_Finalise();
|
||||
NIO_Finalise();
|
||||
CAM_Finalise();
|
||||
KEY_Finalise();
|
||||
RCL_Finalise();
|
||||
SRC_Finalise();
|
||||
|
|
@ -474,6 +474,12 @@ int main
|
|||
RCL_Initialise();
|
||||
KEY_Initialise();
|
||||
|
||||
/* Open privileged ports before dropping root */
|
||||
CAM_Initialise(address_family);
|
||||
NIO_Initialise(address_family);
|
||||
NCR_Initialise();
|
||||
CNF_SetupAccessRestrictions();
|
||||
|
||||
/* Command-line switch must have priority */
|
||||
if (!sched_priority) {
|
||||
sched_priority = CNF_GetSchedPriority();
|
||||
|
|
@ -502,9 +508,6 @@ int main
|
|||
|
||||
REF_Initialise();
|
||||
SST_Initialise();
|
||||
NIO_Initialise(address_family);
|
||||
CAM_Initialise(address_family);
|
||||
NCR_Initialise();
|
||||
NSR_Initialise();
|
||||
CLG_Initialise();
|
||||
MNL_Initialise();
|
||||
|
|
@ -514,7 +517,7 @@ int main
|
|||
/* From now on, it is safe to do finalisation on exit */
|
||||
initialised = 1;
|
||||
|
||||
CNF_SetupAccessRestrictions();
|
||||
CAM_OpenUnixSocket();
|
||||
|
||||
if (ref_mode == REF_ModeNormal && CNF_GetInitSources() > 0) {
|
||||
ref_mode = REF_ModeInitStepSlew;
|
||||
|
|
|
|||
Loading…
Reference in a new issue