authorVsevolod Stakhov <vsevolod@rambler-co.ru>2011-11-30 19:32:25 +0300
committerVsevolod Stakhov <vsevolod@rambler-co.ru>2011-11-30 19:32:25 +0300
commit51d40c08d3d3ed80f84e15c72f4b71b9865cb7b6 (patch)
tree531c93d5e9034e71d3c0f48cf06d46f9a644652b
parent997d0bc5a657aa481166d58aa4cb2620ba6b67c0 (diff)
Add -i flag allowing to run workers as root.
-rw-r--r--src/main.c42
-rw-r--r--src/util.c5
2 files changed, 32 insertions, 15 deletions
diff --git a/src/main.c b/src/main.c
index 03d3839cd..e16d9d5e0 100644
--- a/src/main.c
+++ b/src/main.c
@@ -66,6 +66,7 @@ static gchar *rspamd_pidfile = NULL;
static gboolean dump_vars = FALSE;
static gboolean dump_cache = FALSE;
static gboolean is_debug = FALSE;
+static gboolean is_insecure = FALSE;
/* List of workers that are pending to start */
static GList *workers_pending = NULL;
@@ -87,6 +88,7 @@ static GOptionEntry entries[] =
{ "dump-vars", 'V', 0, G_OPTION_ARG_NONE, &dump_vars, "Print all rspamd variables and exit", NULL },
{ "dump-cache", 'C', 0, G_OPTION_ARG_NONE, &dump_cache, "Dump symbols cache stats and exit", NULL },
{ "debug", 'd', 0, G_OPTION_ARG_NONE, &is_debug, "Force debug output", NULL },
+ { "insecure", 'i', 0, G_OPTION_ARG_NONE, &is_insecure, "Ignore running workers as privileged users (insecure)", NULL },
{ NULL, 0, 0, G_OPTION_ARG_NONE, NULL, NULL, NULL }
};
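Review bot: The help string on the new `insecure` entry, `"Ignore running workers as privileged users (insecure)"`, does not say what the flag permits. A wording such as `"Allow workers to run as root (insecure)"` matches the effect visible in detect_priv, where the flag sets the worker uid and gid to 0. The entries array starts outside this hunk.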
@@ -202,26 +204,35 @@ detect_priv (struct rspamd_main *rspamd)
euid = geteuid ();
if (euid == 0) {
- if (!rspamd->cfg->rspamd_user) {
- msg_err ("cannot run rspamd workers as root user, please add -u and -g options to select a proper unprivilleged user");
+ if (!rspamd->cfg->rspamd_user && !is_insecure) {
+ msg_err ("cannot run rspamd workers as root user, please add -u and -g options to select a proper unprivilleged user or specify --insecure flag");
exit (EXIT_FAILURE);
}
-
- rspamd->is_privilleged = TRUE;
- pwd = getpwnam (rspamd->cfg->rspamd_user);
- if (pwd == NULL) {
- msg_err ("user specified does not exists (%s), aborting", strerror (errno));
- exit (-errno);
+ else if (is_insecure) {
+ rspamd->is_privilleged = TRUE;
+ rspamd->workers_uid = 0;
+ rspamd->workers_gid = 0;
}
- if (rspamd->cfg->rspamd_group) {
- grp = getgrnam (rspamd->cfg->rspamd_group);
- if (grp == NULL) {
- msg_err ("group specified does not exists (%s), aborting", strerror (errno));
+ else {
+ rspamd->is_privilleged = TRUE;
+ pwd = getpwnam (rspamd->cfg->rspamd_user);
+ if (pwd == NULL) {
+ msg_err ("user specified does not exists (%s), aborting", strerror (errno));
exit (-errno);
}
- rspamd->workers_gid = grp->gr_gid;
+ if (rspamd->cfg->rspamd_group) {
+ grp = getgrnam (rspamd->cfg->rspamd_group);
+ if (grp == NULL) {
+ msg_err ("group specified does not exists (%s), aborting", strerror (errno));
+ exit (-errno);
+ }
+ rspamd->workers_gid = grp->gr_gid;
+ }
+ else {
+ rspamd->workers_gid = -1;
+ }
+ rspamd->workers_uid = pwd->pw_uid;
}
- rspamd->workers_uid = pwd->pw_uid;
}
else {
rspamd->is_privilleged = FALSE;
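Review bot: The `else if (is_insecure)` branch is tested before the configured-user branch, so when root starts rspamd with both a worker user and `--insecure`, workers_uid and workers_gid are set to 0 and the configured user is silently ignored. Testing for the missing user instead, `else if (!rspamd->cfg->rspamd_user) {`, keeps the flag as a fallback only, because the first branch has already exited when neither a user nor the flag is given. As written, the drop_priv hunk below would still call initgroups for the configured user while the uid stays 0, which leaves a mixed credential state. A warning logged in the insecure branch would also make root workers visible in the logs. detect_priv starts and ends outside this hunk.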
@@ -238,7 +249,8 @@ drop_priv (struct rspamd_main *rspamd)
msg_err ("cannot setgid to %d (%s), aborting", (gint)rspamd->workers_gid, strerror (errno));
exit (-errno);
}
- if (initgroups (rspamd->cfg->rspamd_user, rspamd->workers_gid) == -1) {
+ if (rspamd->cfg->rspamd_user &&
+ initgroups (rspamd->cfg->rspamd_user, rspamd->workers_gid) == -1) {
msg_err ("initgroups failed (%s), aborting", strerror (errno));
exit (-errno);
}
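Review bot: `initgroups` here receives `rspamd->workers_gid`, which detect_priv now sets to -1 when a user is configured without a group. Unless the enclosing condition (outside this hunk) excludes that case, the -1 also reaches the setgid call whose error message is visible above, and the group drop either fails or is skipped. Defaulting to the user's primary group in detect_priv, `rspamd->workers_gid = pwd->pw_gid;`, gives both calls a valid gid. drop_priv's opening lines are outside the hunk, so the guard should be confirmed there.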
diff --git a/src/util.c b/src/util.c
index 0fe899fe0..4d2665f6b 100644
--- a/src/util.c
+++ b/src/util.c
@@ -408,6 +408,11 @@ write_pid (struct rspamd_main *main)
return -1;
}
+ if (main->is_privilleged) {
+ /* Force root user as owner of pid file */
+ fchown (main->pfh->pf_fd, 0, 0);
+ }
+
rspamd_pidfile_write (main->pfh);
return 0;
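Review bot: The return value of `fchown` is discarded, so a failed ownership change leaves the pid file with its previous owner while write_pid still returns 0. The call exists to keep the pid file root-owned, and anything that later signals the recorded pid trusts that file, so the failure should be surfaced: `if (fchown (main->pfh->pf_fd, 0, 0) == -1) { return -1; }`, with an error logged through whichever logging macro util.c has in scope. write_pid begins outside this hunk.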