client: New options for setting user and group identities.

diff --git a/client/tripectl.1.in b/client/tripectl.1.in
index 11fa6c94a5743411ef35c42707263d0939188abe..57061ae1125d543a04ca0ebbef4c479aa0712ba7 100644 (file)
--- a/client/tripectl.1.in
+++ b/client/tripectl.1.in
@@ -63,6 +63,10 @@ Options:
        \&
 .RB [ \-p
 .IR path ]
        \&
 .RB [ \-p
 .IR path ]

+.RB [ \-U
+.IR user ]
+.RB [ \-G
+.IR group ]

 .RB [ \-S
 .IB arg , arg ,\fR...]
 .
 .RB [ \-S
 .IB arg , arg ,\fR...]
 .


@@ -179,6 +183,31 @@ any passed automatically by
 (e.g.,
 .BR \-a ).
 .TP
 (e.g.,
 .BR \-a ).
 .TP

+.BI "\-U, \-\-setuid=" user
+Set uid to that of
+.I user
+(either a user name or integer uid) after initialization.  Also set gid
+to
+.IR user 's
+primary group, unless overridden by a
+.B \-G
+option.  If a new
+.BR tripe (8)
+server is going to be spawned then it is also passed corresponding
+.B \-U
+and
+.B \-G
+options.
+.TP
+.BI "\-G, \-\-setgid=" group
+Set gid to that of
+.I group
+(either a group name or integer gid) after initialization.  If a new
+.BR tripe (8)
+server is going to be spawned then it is also passed a corresponding
+.B \-G
+option.
+.TP

 .B "\-l, \-\-syslog"
 Send warnings and trace messages to the
 .BR syslog (8)
 .B "\-l, \-\-syslog"
 Send warnings and trace messages to the
 .BR syslog (8)

diff --git a/client/tripectl.c b/client/tripectl.c
index 133170475f5a9dd5095fc8767a7f21e54f8eed25..6a2f82ab265f5c0f4c29a7ef692d3b7e2dbc10fe 100644 (file)
--- a/client/tripectl.c
+++ b/client/tripectl.c
@@ -318,6 +318,8 @@ Options in full:\n\
 \n\
 -D, --daemon           Become a background task after connecting.\n\
 -d, --directory=DIR    Select current directory [default " CONFIGDIR "].\n\
 \n\
 -D, --daemon           Become a background task after connecting.\n\
 -d, --directory=DIR    Select current directory [default " CONFIGDIR "].\n\

+-U, --setuid=USER      Set uid to USER after initialization.\n\
+-G, --setgid=GROUP     Set gid to GROUP after initialization.\n\

 -a, --admin-socket=FILE        Select socket to connect to\n\
                          [default " SOCKETDIR "/tripesock].\n\
 -P, --pidfile=FILE     Write process-id to FILE.\n\
 -a, --admin-socket=FILE        Select socket to connect to\n\
                          [default " SOCKETDIR "/tripesock].\n\
 -P, --pidfile=FILE     Write process-id to FILE.\n\


@@ -340,6 +342,8 @@ int main(int argc, char *argv[])
   string_v spawnopts = DA_INIT;
   char *p;
   FILE *pidfp = 0;
   string_v spawnopts = DA_INIT;
   char *p;
   FILE *pidfp = 0;

+  uid_t u = -1;
+  gid_t g = -1;

 
   ego(argv[0]);
 
 
   ego(argv[0]);
 


@@ -356,6 +360,10 @@ int main(int argc, char *argv[])
       { "version",     0,              0,      'v' },
       { "usage",       0,              0,      'u' },
       { "daemon",      0,              0,      'D' },
       { "version",     0,              0,      'v' },
       { "usage",       0,              0,      'u' },
       { "daemon",      0,              0,      'D' },

+      { "uid",         OPTF_ARGREQ,    0,      'U' },
+      { "setuid",      OPTF_ARGREQ,    0,      'U' },
+      { "gid",         OPTF_ARGREQ,    0,      'G' },
+      { "setgid",      OPTF_ARGREQ,    0,      'G' },

       { "directory",   OPTF_ARGREQ,    0,      'd' },
       { "admin-socket",        OPTF_ARGREQ,    0,      'a' },
       { "spawn",       0,              0,      's' },
       { "directory",   OPTF_ARGREQ,    0,      'd' },
       { "admin-socket",        OPTF_ARGREQ,    0,      'a' },
       { "spawn",       0,              0,      's' },


@@ -368,7 +376,7 @@ int main(int argc, char *argv[])
       { 0,             0,              0,      0 }
     };
 
       { 0,             0,              0,      0 }
     };
 

-    int i = mdwopt(argc, argv, "+hvuDd:a:sp:S:lwf:nP:", opts, 0, 0, 0);
+    int i = mdwopt(argc, argv, "+hvuDU:G:d:a:sp:S:lwf:nP:", opts, 0, 0, 0);

     if (i < 0)
       break;
     switch (i) {
     if (i < 0)
       break;
     switch (i) {


@@ -384,6 +392,12 @@ int main(int argc, char *argv[])
       case 'D':
        f |= f_daemon | f_noinput;
        break;
       case 'D':
        f |= f_daemon | f_noinput;
        break;

+      case 'U':
+       u = u_getuser(optarg, &g);
+       break;
+      case 'G':
+       g = u_getgroup(optarg);
+       break;

       case 'd':
        dir = optarg;
        break;
       case 'd':
        dir = optarg;
        break;


@@ -461,6 +475,8 @@ int main(int argc, char *argv[])
     sigaction(SIGCHLD, &sa, 0);
 
     DA_PUSH(&spawnopts, 0);
     sigaction(SIGCHLD, &sa, 0);
 
     DA_PUSH(&spawnopts, 0);

+    if (g != (gid_t)-1) putarg(&spawnopts, "-G%lu", (unsigned long)g);
+    if (u != (uid_t)-1) putarg(&spawnopts, "-U%lu", (unsigned long)u);

     putarg(&spawnopts, "-a%s", sock);
     putarg(&spawnopts, "-d.");
     putarg(&spawnopts, "-F");
     putarg(&spawnopts, "-a%s", sock);
     putarg(&spawnopts, "-d.");
     putarg(&spawnopts, "-F");


@@ -504,6 +520,7 @@ int main(int argc, char *argv[])
     }
   }
 
     }
   }
 

+  u_setugid(u, g);

   if (f & f_daemon) {
     if (daemonize())
       die(EXIT_FAILURE, "error becoming daemon: %s", strerror(errno));
   if (f & f_daemon) {
     if (daemonize())
       die(EXIT_FAILURE, "error becoming daemon: %s", strerror(errno));

diff --git a/init/tripe-init.in b/init/tripe-init.in
index 439a740d37c07e4a3b70de6806c624ab7c3bd572..dfa7e0319b818c31e10c20f104e09b39a01e2db6 100755 (executable)
--- a/init/tripe-init.in
+++ b/init/tripe-init.in
@@ -122,8 +122,8 @@ case "$1" in
       ${keytag+-S-t}$keytag \
       ${addr+-S-b}$addr \
       ${port+-S-p}${port} \
       ${keytag+-S-t}$keytag \
       ${addr+-S-b}$addr \
       ${port+-S-p}${port} \

-      ${user+-S-U}${user} \
-      ${group+-S-G}${group} \
+      ${user+-U}${user} \
+      ${group+-G}${group} \

       ${trace+-S-T}${trace} \
       ${tunnel+-S-n}${tunnel} \
       ${miscopts}
       ${trace+-S-T}${trace} \
       ${tunnel+-S-n}${tunnel} \
       ${miscopts}