From edda0c60b3df7910046d3d0f5325491319bd973f Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Fri, 26 Apr 2013 17:35:58 +0200 Subject: [PATCH] Add user directive for dropping root privileges This is equivalent to the -u option. --- chrony.texi | 10 ++++++++++ conf.c | 22 ++++++++++++++++++++++ conf.h | 2 ++ main.c | 3 +++ 4 files changed, 37 insertions(+) diff --git a/chrony.texi b/chrony.texi index 94e8323..d0617c7 100644 --- a/chrony.texi +++ b/chrony.texi @@ -1219,6 +1219,7 @@ directives can occur in any order in the file. * stratumweight directive:: Specify how important is stratum when selecting source * lock_all directive:: Require that chronyd be locked into RAM. * tempcomp directive:: Specify temperature sensor and compensation coefficients +* user directive:: Specify user for dropping root privileges @end menu @c }}} @@ -2882,6 +2883,15 @@ every 30 seconds. When the temperature is 26 degress (26000), the system clock frequency will not be adjusted. When it is 27 degrees (27000), the clock will be set to run 0.183ppm faster than it would be without the compensation, etc. +@c }}} +@c {{{ user +@node user directive +@subsection user +The @code{user} directive sets the name of the user to which will +@code{chronyd} drop root privileges after the initialisation. So far, it works +only on Linux when compiled with capabilities support. + +By default, root privileges are not dropped. @c }}} @c }}} @c {{{ S:Running chronyc diff --git a/conf.c b/conf.c index 6136cb7..0d330e8 100644 --- a/conf.c +++ b/conf.c @@ -113,6 +113,7 @@ static void parse_lockall(const char *); static void parse_tempcomp(const char *); static void parse_include(const char *); static void parse_leapsectz(const char *); +static void parse_user(const char *); /* ================================================== */ /* Configuration variables */ @@ -229,6 +230,9 @@ static int lock_memory = 0; /* Name of a system timezone containing leap seconds occuring at midnight */ static char *leapsec_tz = NULL; +/* Name of the user to which will be dropped root privileges. */ +static char *user = NULL; + /* ================================================== */ typedef struct { @@ -284,6 +288,7 @@ static const Command commands[] = { {"leapsectz", 9, parse_leapsectz}, {"linux_hz", 8, parse_linux_hz}, {"linux_freq_scale", 16, parse_linux_freq_scale}, + {"user", 4, parse_user}, {"sched_priority", 14, parse_sched_priority}, {"lock_all", 8, parse_lockall} }; @@ -1343,6 +1348,16 @@ parse_linux_freq_scale(const char *line) /* ================================================== */ +static void +parse_user(const char *line) +{ + /* This must allocate enough space! */ + user = MallocArray(char, 1 + strlen(line)); + sscanf(line, "%s", user); +} + +/* ================================================== */ + void CNF_ProcessInitStepSlew(void (*after_hook)(void *), void *anything) { @@ -1797,3 +1812,10 @@ CNF_GetTempComp(char **file, double *interval, double *T0, double *k0, double *k *k2 = tempcomp_k2; } +/* ================================================== */ + +char * +CNF_GetUser(void) +{ + return user; +} diff --git a/conf.h b/conf.h index cbe15ed..68ea0e1 100644 --- a/conf.h +++ b/conf.h @@ -92,4 +92,6 @@ extern int CNF_GetLockMemory(void); extern void CNF_GetTempComp(char **file, double *interval, double *T0, double *k0, double *k1, double *k2); +extern char *CNF_GetUser(void); + #endif /* GOT_CONF_H */ diff --git a/main.c b/main.c index 6968ded..dd08ca2 100644 --- a/main.c +++ b/main.c @@ -394,6 +394,9 @@ int main SYS_LockMemory(); } + if (!user) { + user = CNF_GetUser(); + } if (user) { SYS_DropRoot(user); }