Add user directive for dropping root privileges
This is equivalent to the -u option.
This commit is contained in:
Miroslav Lichvar
parent
f2eb6b165a
commit
edda0c60b3
4 changed files with 37 additions and 0 deletions
10
chrony.texi
10
chrony.texi
|
|
@ -1219,6 +1219,7 @@ directives can occur in any order in the file.
|
|||
* stratumweight directive:: Specify how important is stratum when selecting source
|
||||
* lock_all directive:: Require that chronyd be locked into RAM.
|
||||
* tempcomp directive:: Specify temperature sensor and compensation coefficients
|
||||
* user directive:: Specify user for dropping root privileges
|
||||
|
||||
@end menu
|
||||
@c }}}
|
||||
|
|
@ -2882,6 +2883,15 @@ every 30 seconds. When the temperature is 26 degress (26000), the system clock
|
|||
frequency will not be adjusted. When it is 27 degrees (27000), the clock will
|
||||
be set to run 0.183ppm faster than it would be without the compensation, etc.
|
||||
|
||||
@c }}}
|
||||
@c {{{ user
|
||||
@node user directive
|
||||
@subsection user
|
||||
The @code{user} directive sets the name of the user to which will
|
||||
@code{chronyd} drop root privileges after the initialisation. So far, it works
|
||||
only on Linux when compiled with capabilities support.
|
||||
|
||||
By default, root privileges are not dropped.
|
||||
@c }}}
|
||||
@c }}}
|
||||
@c {{{ S:Running chronyc
|
||||
|
|
|
|||
22
conf.c
22
conf.c
|
|
@ -113,6 +113,7 @@ static void parse_lockall(const char *);
|
|||
static void parse_tempcomp(const char *);
|
||||
static void parse_include(const char *);
|
||||
static void parse_leapsectz(const char *);
|
||||
static void parse_user(const char *);
|
||||
|
||||
/* ================================================== */
|
||||
/* Configuration variables */
|
||||
|
|
@ -229,6 +230,9 @@ static int lock_memory = 0;
|
|||
/* Name of a system timezone containing leap seconds occuring at midnight */
|
||||
static char *leapsec_tz = NULL;
|
||||
|
||||
/* Name of the user to which will be dropped root privileges. */
|
||||
static char *user = NULL;
|
||||
|
||||
/* ================================================== */
|
||||
|
||||
typedef struct {
|
||||
|
|
@ -284,6 +288,7 @@ static const Command commands[] = {
|
|||
{"leapsectz", 9, parse_leapsectz},
|
||||
{"linux_hz", 8, parse_linux_hz},
|
||||
{"linux_freq_scale", 16, parse_linux_freq_scale},
|
||||
{"user", 4, parse_user},
|
||||
{"sched_priority", 14, parse_sched_priority},
|
||||
{"lock_all", 8, parse_lockall}
|
||||
};
|
||||
|
|
@ -1343,6 +1348,16 @@ parse_linux_freq_scale(const char *line)
|
|||
|
||||
/* ================================================== */
|
||||
|
||||
static void
|
||||
parse_user(const char *line)
|
||||
{
|
||||
/* This must allocate enough space! */
|
||||
user = MallocArray(char, 1 + strlen(line));
|
||||
sscanf(line, "%s", user);
|
||||
}
|
||||
|
||||
/* ================================================== */
|
||||
|
||||
void
|
||||
CNF_ProcessInitStepSlew(void (*after_hook)(void *), void *anything)
|
||||
{
|
||||
|
|
@ -1797,3 +1812,10 @@ CNF_GetTempComp(char **file, double *interval, double *T0, double *k0, double *k
|
|||
*k2 = tempcomp_k2;
|
||||
}
|
||||
|
||||
/* ================================================== */
|
||||
|
||||
char *
|
||||
CNF_GetUser(void)
|
||||
{
|
||||
return user;
|
||||
}
|
||||
|
|
|
|||
2
conf.h
2
conf.h
|
|
@ -92,4 +92,6 @@ extern int CNF_GetLockMemory(void);
|
|||
|
||||
extern void CNF_GetTempComp(char **file, double *interval, double *T0, double *k0, double *k1, double *k2);
|
||||
|
||||
extern char *CNF_GetUser(void);
|
||||
|
||||
#endif /* GOT_CONF_H */
|
||||
|
|
|
|||
3
main.c
3
main.c
|
|
@ -394,6 +394,9 @@ int main
|
|||
SYS_LockMemory();
|
||||
}
|
||||
|
||||
if (!user) {
|
||||
user = CNF_GetUser();
|
||||
}
|
||||
if (user) {
|
||||
SYS_DropRoot(user);
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in a new issue