From 59beb159d3d71d0bff703f14db34677eb6854bce Mon Sep 17 00:00:00 2001
From: "Nicholas J. Kain"
Date: Sun, 1 May 2011 20:43:29 -0400
Subject: [PATCH] Place the ifchange socket in /var/state/ifchange within the chroot jail and change configuration instructions as well. Change default configuration instructions to specify setting root of the chroot jail as owned by root.root.
---
 README | 27 +++++++++++++++++----------
 ifchd/ifchd-defines.h | 1 -
 ifchd/ifchd.c | 8 ++++----
 ndhc/ifchange.c | 4 ++--
 4 files changed, 23 insertions(+), 17 deletions(-)
diff --git a/README b/README
index 31c7932..194c79e 100644
--- a/README
+++ b/README
@@ -1,4 +1,4 @@
-ifchd, copyright (c) 2004-2010 Nicholas Kain. Licensed under GNU GPL.
+ifchd, copyright (c) 2004-2011 Nicholas Kain. Licensed under GNU GPL.
 Requirements:
@@ -69,12 +69,17 @@ USAGE
 b) Create the jail directory and set its ownership properly.
 # mkdir /var/lib/ndhc
- # chown ifchd.ifchd /var/lib/ndhc
+ # chown root.root /var/lib/ndhc
 # chmod a+rx /var/lib/ndhc
+ # cd /var/lib/ndhc
+ # mkdir var
+ # mkdir var/state
+ # mkdir var/run
+ # chown -R ifchd.ifchd var
+ # chmod -R a+rx var
 c) Create a urandom device for ndhc to use within the jail.
- # cd /var/lib/ndhc
 # mkdir dev
 # mknod dev/urandom c 1 9
 # mknod dev/null c 1 3
@@ -140,17 +145,19 @@ when it chroots.
 PORTING NOTES
 -------------
-There are six major functions that ifchd depends upon that are not generally
+There are seven major functions that ifchd depends upon that are not generally
 portable. First, it uses the SO_PEERCRED flag of getsockopt() to discriminate authorized connections by uid, gid, and pid. Similar functionality exists in at least the BSDs; however, it has a different API. Second, ifchd takes advantage of Linux capabilities so that it does not need full root privileges.
-Capabilities are supposedly a POSIX feature, but in practice, they vary greatly
-from system to system. Third and fourth, ifchd configures network interfaces
-and routes. Interface and route configuration is entirely non-portable,
-usually requiring calls to the catch-all ioctl(), and will almost certainly
-require platform-dependent code. Fifth and sixth, both ifchd and ndhc use
-epoll() and signalfd(), which are Linux-specific.
+Capabilities were a proposed POSIX feature that was not made part of the
+official standard, so any implemention that may exist will be system-dependent.
+Third and fourth, ifchd configures network interfaces and routes. Interface
+and route configuration is entirely non-portable, usually requiring calls to
+the catch-all ioctl(), and will almost certainly require platform-dependent
+code. Fifth and sixth, both ifchd and ndhc use epoll() and signalfd(), which
+are Linux-specific. Seventh, ndhc uses netlink sockets extensively for
+both fetching data and hardware link state change notification events.
 Some standard C libraries include a native implementation of strlcpy() and strlcat(). Such defines may conflict with my implementations in strl.c/strl.h.
diff --git a/ifchd/ifchd-defines.h b/ifchd/ifchd-defines.h
index 5c66ab0..a62e43d 100644
--- a/ifchd/ifchd-defines.h
+++ b/ifchd/ifchd-defines.h
@@ -5,7 +5,6 @@
 #define PID_FILE_DEFAULT "/var/run/ifchd.pid"
 #define IFCHD_VERSION "0.8"
-#define COMM_SOCKET_PATH "ifchange"
 #define MAX_BUF 1024
 #define SOCK_QUEUE 2
 #define CONN_TIMEOUT 60
diff --git a/ifchd/ifchd.c b/ifchd/ifchd.c
index 3e6e825..01b562d 100755
--- a/ifchd/ifchd.c
+++ b/ifchd/ifchd.c
@@ -1,5 +1,5 @@
 /* ifchd.c - interface change daemon
- * Time-stamp: <2011-04-30 07:26:54 nk>
+ * Time-stamp: <2011-05-01 19:03:48 njk>
  *
  * (C) 2004-2011 Nicholas J. Kain
  *
@@ -524,7 +524,7 @@ static int get_listen(void)
 struct sockaddr_un lsock_addr = {
 .sun_family = AF_UNIX,
- .sun_path = COMM_SOCKET_PATH
+ .sun_path = "/var/state/ifchange"
 };
 lsock = socket(PF_UNIX, SOCK_STREAM, 0);
@@ -533,11 +533,11 @@ static int get_listen(void)
 fcntl(lsock, F_SETFL, O_NONBLOCK);
- (void) unlink(COMM_SOCKET_PATH);
+ (void) unlink("/var/state/ifchange");
 ret = bind(lsock, (struct sockaddr *) &lsock_addr, sizeof(lsock_addr));
 if (ret) suicide("dispatch_work - failed to bind socket");
- ret = chmod(COMM_SOCKET_PATH, S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP);
+ ret = chmod("/var/state/ifchange", S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP);
 if (ret) suicide("dispatch_work - failed to chmod socket");
 ret = listen(lsock, SOCK_QUEUE);
diff --git a/ndhc/ifchange.c b/ndhc/ifchange.c
index ef002da..123d7da 100755
--- a/ndhc/ifchange.c
+++ b/ndhc/ifchange.c
@@ -1,5 +1,5 @@
 /* ifchange.c - functions to call the interface change daemon
- * Time-stamp: <2011-03-31 03:44:58 nk>
+ * Time-stamp: <2011-05-01 19:04:06 njk>
  *
  * (c) 2004-2011 Nicholas J. Kain
  *
@@ -143,7 +143,7 @@ static int open_ifch(void) {
 int sockfd, ret;
 struct sockaddr_un address = {
 .sun_family = AF_UNIX,
- .sun_path = "ifchange"
+ .sun_path = "/var/state/ifchange"
 };
 sockfd = socket(AF_UNIX, SOCK_STREAM, 0);
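Review bot: The socket path `"/var/state/ifchange"` now appears as a bare literal in the `.sun_path` initializer of get_listen() and again in the `unlink()` and `chmod()` calls of the following hunk, while the same commit drops the `COMM_SOCKET_PATH` macro that previously tied those three uses together, and the client in ndhc/ifchange.c spells the literal a fourth time. A typo in any one copy would make the two programs silently disagree on the rendezvous path, and nothing at compile time would catch it. Keeping a single definition — for instance restoring `#define COMM_SOCKET_PATH "/var/state/ifchange"` in ifchd-defines.h for the three ifchd.c sites and, if the ndhc side cannot share that header, a `static const char ifch_sock_path[] = "/var/state/ifchange";` in ifchange.c — keeps the path in one place per program. get_listen() starts before this hunk and continues past it.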
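Review bot: `chmod()` narrows the socket node to owner/group read-write only after `bind()` has already created it, so between the two calls the node carries the mode derived from the process umask (on Linux, 0777 & ~umask), which may be world-readable and -writable if the daemon inherited a permissive umask. The README says ifchd authorizes clients by SO_PEERCRED, so a connection landing in that window would still have to pass that check, but the file mode should not depend on it. Setting the umask before the bind — `mode_t old_umask = umask(S_IRWXO | S_IXUSR | S_IXGRP);` ahead of `bind()` and `umask(old_umask);` after it — makes the node come into existence with the intended 0660 and leaves the `chmod()` as a belt-and-braces step. get_listen() continues beyond the end of this hunk.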
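Review bot: The absolute `"/var/state/ifchange"` in the `.sun_path` initializer of open_ifch() is only correct if ndhc resolves it inside the same chroot that ifchd binds the socket in — the README's jail step creates `var/state` under /var/lib/ndhc — and nothing in the function records that assumption. If ndhc were run without that chroot, or in a different one, `connect()` would presumably look for the socket on the host root and fail. I would add a comment on the initializer, `/* Absolute path inside the jail shared with ifchd (README step b); ifchd binds the same path from inside its chroot. */`, so the coupling between the two programs' jail setup is visible at the one place it matters. open_ifch() continues past the end of this hunk.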