diff options
Diffstat (limited to 'bgpd')
-rw-r--r-- | bgpd/Makefile.am | 2 | ||||
-rw-r--r-- | bgpd/bgp_main.c | 26 | ||||
-rw-r--r-- | bgpd/bgp_network.c | 25 |
3 files changed, 51 insertions, 2 deletions
diff --git a/bgpd/Makefile.am b/bgpd/Makefile.am index 7f739f6e..0e549cc0 100644 --- a/bgpd/Makefile.am +++ b/bgpd/Makefile.am @@ -24,7 +24,7 @@ noinst_HEADERS = \ bgpd_SOURCES = \ bgp_main.c $(libbgp_a_SOURCES) -bgpd_LDADD = ../lib/libzebra.a +bgpd_LDADD = ../lib/libzebra.a @LIBCAP@ sysconf_DATA = bgpd.conf.sample bgpd.conf.sample2 diff --git a/bgpd/bgp_main.c b/bgpd/bgp_main.c index 70377914..3e1d80f6 100644 --- a/bgpd/bgp_main.c +++ b/bgpd/bgp_main.c @@ -29,6 +29,7 @@ Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA #include "memory.h" #include "prefix.h" #include "log.h" +#include "privs.h" #include "bgpd/bgpd.h" #include "bgpd/bgp_attr.h" @@ -45,6 +46,7 @@ struct option longopts[] = { "vty_port", required_argument, NULL, 'P'}, { "retain", no_argument, NULL, 'r'}, { "no_kernel", no_argument, NULL, 'n'}, + { "user", required_argument, NULL, 'u'}, { "version", no_argument, NULL, 'v'}, { "help", no_argument, NULL, 'h'}, { 0 } @@ -70,6 +72,23 @@ char *pid_file = PATH_BGPD_PID; int vty_port = BGP_VTY_PORT; char *vty_addr = NULL; +/* privileges */ +zebra_capabilities_t _caps_p [] = +{ + ZCAP_BIND, +}; + +struct zebra_privs_t bgpd_privs = +{ +#if defined(ZEBRA_USER) && defined(ZEBRA_GROUP) + .user = ZEBRA_USER, + .group = ZEBRA_GROUP, +#endif + .caps_p = _caps_p, + .cap_num_p = sizeof(_caps_p)/sizeof(_caps_p[0]), + .cap_num_i = 0, +}; + /* Help information display. */ static void usage (char *progname, int status) @@ -89,6 +108,7 @@ redistribution between different routing protocols.\n\n\ -P, --vty_port Set vty's port number\n\ -r, --retain When program terminates, retain added route by bgpd.\n\ -n, --no_kernel Do not install route to kernel.\n\ +-u, --user User and group to run as\n\ -v, --version Print program version\n\ -h, --help Display this help and exit\n\ \n\ @@ -197,7 +217,7 @@ main (int argc, char **argv) /* Command line argument treatment. */ while (1) { - opt = getopt_long (argc, argv, "df:hp:A:P:rnv", longopts, 0); + opt = getopt_long (argc, argv, "df:hp:A:P:rnu:v", longopts, 0); if (opt == EOF) break; @@ -238,6 +258,9 @@ main (int argc, char **argv) case 'n': bgp_option_set (BGP_OPT_NO_FIB); break; + case 'u': + bgpd_privs.user = bgpd_privs.group = optarg; + break; case 'v': print_version (progname); exit (0); @@ -257,6 +280,7 @@ main (int argc, char **argv) /* Initializations. */ srand (time (NULL)); signal_init (); + zprivs_init (&bgpd_privs); cmd_init (1); vty_init (); memory_init (); diff --git a/bgpd/bgp_network.c b/bgpd/bgp_network.c index 40e9cdb3..019b78b7 100644 --- a/bgpd/bgp_network.c +++ b/bgpd/bgp_network.c @@ -27,12 +27,16 @@ Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA #include "if.h" #include "prefix.h" #include "command.h" +#include "privs.h" #include "bgpd/bgpd.h" #include "bgpd/bgp_fsm.h" #include "bgpd/bgp_attr.h" #include "bgpd/bgp_debug.h" #include "bgpd/bgp_network.h" + +extern struct zebra_privs_t bgpd_privs; + /* Accept bgp connection. */ static int @@ -153,9 +157,16 @@ bgp_bind_address (int sock, struct in_addr *addr) #endif /* HAVE_SIN_LEN */ memcpy (&local.sin_addr, addr, sizeof (struct in_addr)); + if ( bgpd_privs.change (ZPRIVS_RAISE) ) + zlog_err ("bgp_bind_address: could not raise privs"); + ret = bind (sock, (struct sockaddr *)&local, sizeof (struct sockaddr_in)); if (ret < 0) ; + + if (bgpd_privs.change (ZPRIVS_LOWER) ) + zlog_err ("bgp_bind_address: could not lower privs"); + return 0; } @@ -306,6 +317,9 @@ bgp_socket (struct bgp *bgp, unsigned short port) sockopt_reuseaddr (sock); sockopt_reuseport (sock); + + if (bgpd_privs.change (ZPRIVS_RAISE) ) + zlog_err ("bgp_socket: could not raise privs"); ret = bind (sock, ainfo->ai_addr, ainfo->ai_addrlen); if (ret < 0) @@ -314,6 +328,10 @@ bgp_socket (struct bgp *bgp, unsigned short port) close (sock); continue; } + + if (bgpd_privs.change (ZPRIVS_LOWER) ) + zlog_err ("bgp_bind_address: could not lower privs"); + ret = listen (sock, 3); if (ret < 0) { @@ -359,6 +377,9 @@ bgp_socket (struct bgp *bgp, unsigned short port) sin.sin_len = socklen; #endif /* HAVE_SIN_LEN */ + if ( bgpd_privs.change (ZPRIVS_RAISE) ) + zlog_err ("bgp_socket: could not raise privs"); + ret = bind (sock, (struct sockaddr *) &sin, socklen); if (ret < 0) { @@ -366,6 +387,10 @@ bgp_socket (struct bgp *bgp, unsigned short port) close (sock); return ret; } + + if (bgpd_privs.change (ZPRIVS_LOWER) ) + zlog_err ("bgp_socket: could not lower privs"); + ret = listen (sock, 3); if (ret < 0) { |