Place the ifchange socket in /var/state/ifchange within the chroot
jail and change the configuration instructions as well. Change the default configuration instructions to specify that the root of the chroot jail is owned by root.root.
This commit is contained in:
parent
b3f9115689
commit
59beb159d3
27
README
27
README
@ -1,4 +1,4 @@
ifchd, copyright (c) 2004-2010 Nicholas Kain. Licensed under GNU GPL.
ifchd, copyright (c) 2004-2011 Nicholas Kain. Licensed under GNU GPL.
Requirements:
@ -69,12 +69,17 @@ USAGE
b) Create the jail directory and set its ownership properly.
# mkdir /var/lib/ndhc
# chown ifchd.ifchd /var/lib/ndhc
# chown root.root /var/lib/ndhc
# chmod a+rx /var/lib/ndhc
# cd /var/lib/ndhc
# mkdir var
# mkdir var/state
# mkdir var/run
# chown -R ifchd.ifchd var
# chmod -R a+rx var
c) Create a urandom device for ndhc to use within the jail.
# cd /var/lib/ndhc
# mkdir dev
# mknod dev/urandom c 1 9
# mknod dev/null c 1 3
@ -140,17 +145,19 @@ when it chroots.
PORTING NOTES
-------------
There are six major functions that ifchd depends upon that are not generally
There are seven major functions that ifchd depends upon that are not generally
portable. First, it uses the SO_PEERCRED flag of getsockopt() to discriminate
authorized connections by uid, gid, and pid. Similar functionality exists in
at least the BSDs; however, it has a different API. Second, ifchd takes
advantage of Linux capabilities so that it does not need full root privileges.
Capabilities are supposedly a POSIX feature, but in practice, they vary greatly
from system to system. Third and fourth, ifchd configures network interfaces
and routes. Interface and route configuration is entirely non-portable,
usually requiring calls to the catch-all ioctl(), and will almost certainly
require platform-dependent code. Fifth and sixth, both ifchd and ndhc use
epoll() and signalfd(), which are Linux-specific.
Capabilities were a proposed POSIX feature that was not made part of the
official standard, so any implemention that may exist will be system-dependent.
Third and fourth, ifchd configures network interfaces and routes. Interface
and route configuration is entirely non-portable, usually requiring calls to
the catch-all ioctl(), and will almost certainly require platform-dependent
code. Fifth and sixth, both ifchd and ndhc use epoll() and signalfd(), which
are Linux-specific. Seventh, ndhc uses netlink sockets extensively for
both fetching data and hardware link state change notification events.
Some standard C libraries include a native implementation of strlcpy() and
strlcat(). Such defines may conflict with my implementations in strl.c/strl.h.
@ -5,7 +5,6 @@
#define PID_FILE_DEFAULT "/var/run/ifchd.pid"
#define IFCHD_VERSION "0.8"
#define COMM_SOCKET_PATH "ifchange"
#define MAX_BUF 1024
#define SOCK_QUEUE 2
#define CONN_TIMEOUT 60
@ -1,5 +1,5 @@
/* ifchd.c - interface change daemon
* Time-stamp: <2011-04-30 07:26:54 nk>
* Time-stamp: <2011-05-01 19:03:48 njk>
*
* (C) 2004-2011 Nicholas J. Kain <njkain at gmail dot com>
*
@ -524,7 +524,7 @@ static int get_listen(void)
struct sockaddr_un lsock_addr =
{
.sun_family = AF_UNIX,
.sun_path = COMM_SOCKET_PATH
.sun_path = "/var/state/ifchange"
};
lsock = socket(PF_UNIX, SOCK_STREAM, 0);
@ -533,11 +533,11 @@ static int get_listen(void)
fcntl(lsock, F_SETFL, O_NONBLOCK);
(void) unlink(COMM_SOCKET_PATH);
(void) unlink("/var/state/ifchange");
ret = bind(lsock, (struct sockaddr *) &lsock_addr, sizeof(lsock_addr));
if (ret)
suicide("dispatch_work - failed to bind socket");
ret = chmod(COMM_SOCKET_PATH, S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP);
ret = chmod("/var/state/ifchange", S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP);
if (ret)
suicide("dispatch_work - failed to chmod socket");
ret = listen(lsock, SOCK_QUEUE);
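Review bot: The new socket path `"/var/state/ifchange"` is spelled out as a string literal three times in get_listen (the `.sun_path` initializer, the `unlink()` and the `chmod()`) and a fourth time in open_ifch in ifchange.c, while the same commit deletes the `COMM_SOCKET_PATH` macro that previously named it in one place. Keeping the macro with the new value, `#define COMM_SOCKET_PATH "/var/state/ifchange"`, and using it at all four sites would stop the daemon and its client from silently disagreeing on the path the next time it moves. On the `chmod()` line, the filesystem node created by `bind()` carries umask-derived permissions until the chmod completes; calling `umask(0117);` before `bind()` would make the node 0660 from creation and close that window, though whether the daemon already sets a restrictive umask elsewhere is not visible in this hunk. get_listen's body continues outside the hunk.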
@ -1,5 +1,5 @@
/* ifchange.c - functions to call the interface change daemon
* Time-stamp: <2011-03-31 03:44:58 nk>
* Time-stamp: <2011-05-01 19:04:06 njk>
*
* (c) 2004-2011 Nicholas J. Kain <njkain at gmail dot com>
*
@ -143,7 +143,7 @@ static int open_ifch(void) {
int sockfd, ret;
struct sockaddr_un address = {
.sun_family = AF_UNIX,
.sun_path = "ifchange"
.sun_path = "/var/state/ifchange"
};
sockfd = socket(AF_UNIX, SOCK_STREAM, 0);