From ff31702f7440f1998313b74eb2d345cd5e2fd075 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Wed, 9 Apr 2014 16:28:44 +0200 Subject: [PATCH] configure: add option to set default user The default user is root by default, which disables root dropping by default. The user directive or the -u option can still be used to set the user. --- chrony.texi.in | 12 +++++++----- chronyd.8.in | 5 +++-- conf.c | 2 +- configure | 9 ++++++++- main.c | 2 +- 5 files changed, 20 insertions(+), 10 deletions(-) diff --git a/chrony.texi.in b/chrony.texi.in index 18fbf41..583d5ed 100644 --- a/chrony.texi.in +++ b/chrony.texi.in @@ -1028,8 +1028,9 @@ to work well, it relies on @code{chronyd} having been able to determine accurate statistics for the difference between the real time clock and system clock last time the computer was on. @item -u -When this option is used, chronyd will drop root privileges to the specified -user. So far, it works only on Linux when compiled with capabilities support. +This option sets the name of the user to which will @code{chronyd} switch to +drop root privileges if compiled with Linux capabilities support (default +@code{@DEFAULT_USER@}). @item -q When run in this mode, @code{chronyd} will set the system clock once and exit. It will not detach from the terminal. @@ -2958,10 +2959,11 @@ be set to run 0.183ppm faster than it would be without the compensation, etc. @node user directive @subsection user The @code{user} directive sets the name of the user to which will -@code{chronyd} drop root privileges after the initialisation. So far, it works -only on Linux when compiled with capabilities support. +@code{chronyd} switch on initialisation to drop root privileges. +So far, it works only on Linux when compiled with capabilities support. +Setting the name to root will disable it. -By default, root privileges are not dropped. +The default value is @code{@DEFAULT_USER@}. @c }}} @c }}} @c {{{ S:Running chronyc 
diff --git a/chronyd.8.in b/chronyd.8.in index 245388a..39a7623 100644 --- a/chronyd.8.in +++ b/chronyd.8.in @@ -103,8 +103,9 @@ between the real time clock and system clock last time the computer was on. .TP \fB\-u\fR \fIuser\fR -When this option is used, chronyd will drop root privileges to the specified -user. So far, it works only on Linux when compiled with capabilities support. +This option sets the name of the user to which will \fBchronyd\fR switch to +drop root privileges if compiled with Linux capabilities support (default +\fB@DEFAULT_USER@\fR). .TP .B \-q When run in this mode, chronyd will set the system clock once diff --git a/conf.c b/conf.c index 649e4b1..3a176e1 100644 --- a/conf.c +++ b/conf.c @@ -203,7 +203,7 @@ static int lock_memory = 0; static char *leapsec_tz = NULL; /* Name of the user to which will be dropped root privileges. */ -static char *user = NULL; +static char *user = DEFAULT_USER; typedef struct { NTP_Source_Type type; diff --git a/configure b/configure index 971e7e4..6bbe1e9 100755 --- a/configure +++ b/configure @@ -113,6 +113,7 @@ For better control, use the options below. --disable-rtc Don't include RTC even on Linux --disable-linuxcaps Disable Linux capabilities support --disable-forcednsretry Don't retry on permanent DNS error + --with-user=USER Specify default chronyd user [root] --with-sendmail=PATH Path to sendmail binary [/usr/lib/sendmail] --enable-debug Enable debugging support @@ -191,6 +192,7 @@ feat_pps=1 try_setsched=0 try_lockmem=0 feat_forcednsretry=1 +default_user="root" mail_program="/usr/lib/sendmail" for option @@ -268,6 +270,9 @@ do --disable-forcednsretry) feat_forcednsretry=0 ;; + --with-user=* ) + default_user=`echo $option | sed -e 's/^.*=//;'` + ;; --with-sendmail=* ) mail_program=`echo $option | sed -e 's/^.*=//;'` ;; 
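Review bot: In the conf.c hunk, `user` is a non-const `char *` that now starts out pointing at the string literal `DEFAULT_USER`, so any path that frees or rewrites the previous value when the `user` directive is parsed would be operating on read-only storage. That parsing code is outside this hunk, so this needs checking rather than being a confirmed defect. A safer shape is to keep the initialiser as `NULL` and apply the default on the read side, e.g. `return user ? user : DEFAULT_USER;` in `CNF_GetUser()`, which keeps ownership of the pointer unambiguous.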
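Review bot: The value taken from `--with-user=` in the option loop of configure is used unchecked, and the later configure hunks paste it into a C string literal (`add_def DEFAULT_USER "\"$default_user\""`) and into the `s%@DEFAULT_USER@%${default_user}%` sed replacement. An empty value, or one containing `"`, `\`, `%` or `&`, yields a broken `DEFAULT_USER` definition or mangled documentation, and an empty name is not equal to "root", so main.c would hand it to `SYS_DropRoot()`. Rejecting it at configure time is cheap: `case "$default_user" in ''|*[!A-Za-z0-9._-]*) echo "configure: invalid --with-user value" >&2; exit 1 ;; esac`. Quoting `"$option"` in the `echo` would also avoid word splitting and globbing; the neighbouring `--with-sendmail` line has the same pattern.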
@@ -618,6 +623,7 @@ fi add_def DEBUG $debug add_def DEFAULT_CONF_FILE "\"$SYSCONFDIR/chrony.conf\"" +add_def DEFAULT_USER "\"$default_user\"" add_def MAIL_PROGRAM "\"$mail_program\"" if [ -f version.txt ]; then @@ -649,7 +655,8 @@ do s%@MANDIR@%${MANDIR}%;\ s%@INFODIR@%${INFODIR}%;\ s%@LOCALSTATEDIR@%${LOCALSTATEDIR}%;\ - s%@CHRONYVARDIR@%${CHRONYVARDIR}%;"\ + s%@CHRONYVARDIR@%${CHRONYVARDIR}%;\ + s%@DEFAULT_USER@%${default_user}%;"\ < ${f}.in > $f done diff --git a/main.c b/main.c index 77d8d2d..e8daf33 100644 --- a/main.c +++ b/main.c @@ -466,7 +466,7 @@ int main if (!user) { user = CNF_GetUser(); } - if (user) { + if (user && strcmp(user, "root")) { SYS_DropRoot(user); }
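Review bot: The new condition in `main` decides whether to drop privileges by comparing the account name with the literal "root", not by the uid that name resolves to. A differently named uid-0 account would still be passed to `SYS_DropRoot()` and the daemon would keep full privileges while the configuration suggests otherwise; resolving the name first (for example with `getpwnam()`) and skipping the drop only when `pw_uid == 0` would make the test match the intent. Because the default build leaves the user as root, a startup log message when the drop is skipped would help operators notice that chronyd is running privileged. A comment such as `/* "root" means keep privileges: SYS_DropRoot() is not called */` would document the special case, and `strcmp(user, "root") != 0` reads more clearly than the bare truth test. `main` starts and ends outside this hunk.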