Diffstat (limited to 'bgpd')
-rw-r--r--bgpd/Makefile.am2
-rw-r--r--bgpd/bgp_main.c26
-rw-r--r--bgpd/bgp_network.c25
3 files changed, 51 insertions, 2 deletions
diff --git a/bgpd/Makefile.am b/bgpd/Makefile.am
index 7f739f6e..0e549cc0 100644
--- a/bgpd/Makefile.am
+++ b/bgpd/Makefile.am
@@ -24,7 +24,7 @@ noinst_HEADERS = \
bgpd_SOURCES = \
bgp_main.c $(libbgp_a_SOURCES)
-bgpd_LDADD = ../lib/libzebra.a
+bgpd_LDADD = ../lib/libzebra.a @LIBCAP@
sysconf_DATA = bgpd.conf.sample bgpd.conf.sample2
diff --git a/bgpd/bgp_main.c b/bgpd/bgp_main.c
index 70377914..3e1d80f6 100644
--- a/bgpd/bgp_main.c
+++ b/bgpd/bgp_main.c
@@ -29,6 +29,7 @@ Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
#include "memory.h"
#include "prefix.h"
#include "log.h"
+#include "privs.h"
#include "bgpd/bgpd.h"
#include "bgpd/bgp_attr.h"
@@ -45,6 +46,7 @@ struct option longopts[] =
{ "vty_port", required_argument, NULL, 'P'},
{ "retain", no_argument, NULL, 'r'},
{ "no_kernel", no_argument, NULL, 'n'},
+ { "user", required_argument, NULL, 'u'},
{ "version", no_argument, NULL, 'v'},
{ "help", no_argument, NULL, 'h'},
{ 0 }
@@ -70,6 +72,23 @@ char *pid_file = PATH_BGPD_PID;
int vty_port = BGP_VTY_PORT;
char *vty_addr = NULL;
+/* privileges */
+zebra_capabilities_t _caps_p [] =
+{
+ ZCAP_BIND,
+};
+
+struct zebra_privs_t bgpd_privs =
+{
+#if defined(ZEBRA_USER) && defined(ZEBRA_GROUP)
+ .user = ZEBRA_USER,
+ .group = ZEBRA_GROUP,
+#endif
+ .caps_p = _caps_p,
+ .cap_num_p = sizeof(_caps_p)/sizeof(_caps_p[0]),
+ .cap_num_i = 0,
+};
+
/* Help information display. */
static void
usage (char *progname, int status)
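Review bot: `_caps_p` at L45 is a non-static file-scope object whose name begins with an underscore, a form C reserves for the implementation at file scope; make it `static` and give it an ordinary name so it is also hidden from other translation units, e.g. `static zebra_capabilities_t bgpd_caps[] = { ZCAP_BIND };` with `.caps_p = bgpd_caps,` and `.cap_num_p = sizeof(bgpd_caps)/sizeof(bgpd_caps[0]),`. `bgpd_privs` itself must stay external because bgp_network.c references it. The bare `/* privileges */` comment could say what is being retained and where it is used, e.g. `/* Privileges bgpd keeps after switching user: presumably only the bind capability (ZCAP_BIND), raised around bind() in bgp_network.c */`.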
@@ -89,6 +108,7 @@ redistribution between different routing protocols.\n\n\
-P, --vty_port Set vty's port number\n\
-r, --retain When program terminates, retain added route by bgpd.\n\
-n, --no_kernel Do not install route to kernel.\n\
+-u, --user User and group to run as\n\
-v, --version Print program version\n\
-h, --help Display this help and exit\n\
\n\
@@ -197,7 +217,7 @@ main (int argc, char **argv)
/* Command line argument treatment. */
while (1)
{
- opt = getopt_long (argc, argv, "df:hp:A:P:rnv", longopts, 0);
+ opt = getopt_long (argc, argv, "df:hp:A:P:rnu:v", longopts, 0);
if (opt == EOF)
break;
@@ -238,6 +258,9 @@ main (int argc, char **argv)
case 'n':
bgp_option_set (BGP_OPT_NO_FIB);
break;
+ case 'u':
+ bgpd_privs.user = bgpd_privs.group = optarg;
+ break;
case 'v':
print_version (progname);
exit (0);
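Review bot: `bgpd_privs.user = bgpd_privs.group = optarg;` at L85 silently requires a group with the same name as the user, an assumption neither the option's help text ("User and group to run as") nor the code states; a one-line comment would make it explicit, e.g. `/* -u names both the user and the group to switch to; a group named after the user must exist */`. A separate --group option would remove the assumption, but that is a behaviour decision for the author. main() starts and ends outside the hunk.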
@@ -257,6 +280,7 @@ main (int argc, char **argv)
/* Initializations. */
srand (time (NULL));
signal_init ();
+ zprivs_init (&bgpd_privs);
cmd_init (1);
vty_init ();
memory_init ();
diff --git a/bgpd/bgp_network.c b/bgpd/bgp_network.c
index 40e9cdb3..019b78b7 100644
--- a/bgpd/bgp_network.c
+++ b/bgpd/bgp_network.c
@@ -27,12 +27,16 @@ Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
#include "if.h"
#include "prefix.h"
#include "command.h"
+#include "privs.h"
#include "bgpd/bgpd.h"
#include "bgpd/bgp_fsm.h"
#include "bgpd/bgp_attr.h"
#include "bgpd/bgp_debug.h"
#include "bgpd/bgp_network.h"
+
+extern struct zebra_privs_t bgpd_privs;
+
/* Accept bgp connection. */
static int
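Review bot: the `extern struct zebra_privs_t bgpd_privs;` at L113 is a declaration placed in a .c file, so the compiler never checks it against the definition in bgp_main.c and a later type change in one file would go unnoticed in the other. Move the declaration to a header both files already include, such as `bgpd/bgpd.h` (with `#include "privs.h"` or a forward declaration of `struct zebra_privs_t` there), and drop the local extern here. The `#include "privs.h"` at L106 would then only be needed for the `ZPRIVS_RAISE`/`ZPRIVS_LOWER` names.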
@@ -153,9 +157,16 @@ bgp_bind_address (int sock, struct in_addr *addr)
#endif /* HAVE_SIN_LEN */
memcpy (&local.sin_addr, addr, sizeof (struct in_addr));
+ if ( bgpd_privs.change (ZPRIVS_RAISE) )
+ zlog_err ("bgp_bind_address: could not raise privs");
+
ret = bind (sock, (struct sockaddr *)&local, sizeof (struct sockaddr_in));
if (ret < 0)
;
+
+ if (bgpd_privs.change (ZPRIVS_LOWER) )
+ zlog_err ("bgp_bind_address: could not lower privs");
+
return 0;
}
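Review bot: when `bgpd_privs.change (ZPRIVS_RAISE)` fails at L120 the function only logs and still goes on to bind() without the capability, and because the pre-existing `if (ret < 0) ;` at L124-L125 discards bind()'s result the function returns 0 either way, so the caller never learns the address was not bound. The raise failure should end the function instead of logging and continuing: `{ zlog_err ("bgp_bind_address: could not raise privs"); return -1; }` — assuming callers act on a non-zero return, which is not visible here; if they do not, returning `ret` rather than the unconditional `return 0` at L130 would at least expose the bind() failure. bgp_bind_address starts outside the hunk.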
@@ -306,6 +317,9 @@ bgp_socket (struct bgp *bgp, unsigned short port)
sockopt_reuseaddr (sock);
sockopt_reuseport (sock);
+
+ if (bgpd_privs.change (ZPRIVS_RAISE) )
+ zlog_err ("bgp_socket: could not raise privs");
ret = bind (sock, ainfo->ai_addr, ainfo->ai_addrlen);
if (ret < 0)
@@ -314,6 +328,10 @@ bgp_socket (struct bgp *bgp, unsigned short port)
close (sock);
continue;
}
+
+ if (bgpd_privs.change (ZPRIVS_LOWER) )
+ zlog_err ("bgp_bind_address: could not lower privs");
+
ret = listen (sock, 3);
if (ret < 0)
{
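Review bot: the bind() failure path at L141-L143 (`close (sock); continue;`) runs before the `ZPRIVS_LOWER` call at L145, so on a failed bind the loop goes round (or falls out) with privileges still raised; the same happens in the hunk at L160-L170, where `close (sock); return ret;` returns to the caller without lowering. Lower immediately after the bind() call, before its result is tested, in both places: place `if (bgpd_privs.change (ZPRIVS_LOWER)) zlog_err ("bgp_socket: could not lower privs");` directly after `ret = bind (...);` so that every exit path leaves the process in the same privilege state. The message at L146 also names the wrong function — `"bgp_bind_address: could not lower privs"` inside bgp_socket should read `"bgp_socket: could not lower privs"`, matching L137 and L166. bgp_socket starts and ends outside the hunk.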
@@ -359,6 +377,9 @@ bgp_socket (struct bgp *bgp, unsigned short port)
sin.sin_len = socklen;
#endif /* HAVE_SIN_LEN */
+ if ( bgpd_privs.change (ZPRIVS_RAISE) )
+ zlog_err ("bgp_socket: could not raise privs");
+
ret = bind (sock, (struct sockaddr *) &sin, socklen);
if (ret < 0)
{
@@ -366,6 +387,10 @@ bgp_socket (struct bgp *bgp, unsigned short port)
close (sock);
return ret;
}
+
+ if (bgpd_privs.change (ZPRIVS_LOWER) )
+ zlog_err ("bgp_socket: could not lower privs");
+
ret = listen (sock, 3);
if (ret < 0)
{