emo/ndhc
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Place the ifchange socket in /var/state/ifchange within the chroot

Browse Source 
jail and change configuration instructions as well.

Change default configuration instructions to specify setting root
of the chroot jail as owned by root.root.
This commit is contained in:
Nicholas J. Kain 2011-05-01 20:43:29 -04:00
parent b3f9115689
commit 59beb159d3
4 changed files with 23 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
README
View File

@ -1,4 +1,4 @@
ifchd, copyright (c) 2004-2010 Nicholas Kain. Licensed under GNU GPL. ifchd, copyright (c) 2004-2011 Nicholas Kain. Licensed under GNU GPL.
Requirements: Requirements:
@ -69,12 +69,17 @@ USAGE
b) Create the jail directory and set its ownership properly. b) Create the jail directory and set its ownership properly.
# mkdir /var/lib/ndhc # mkdir /var/lib/ndhc
# chown ifchd.ifchd /var/lib/ndhc # chown root.root /var/lib/ndhc
# chmod a+rx /var/lib/ndhc # chmod a+rx /var/lib/ndhc
# cd /var/lib/ndhc
# mkdir var
# mkdir var/state
# mkdir var/run
# chown -R ifchd.ifchd var
# chmod -R a+rx var
c) Create a urandom device for ndhc to use within the jail. c) Create a urandom device for ndhc to use within the jail.
# cd /var/lib/ndhc
# mkdir dev # mkdir dev
# mknod dev/urandom c 1 9 # mknod dev/urandom c 1 9
# mknod dev/null c 1 3 # mknod dev/null c 1 3
@ -140,17 +145,19 @@ when it chroots.
PORTING NOTES PORTING NOTES
------------- -------------
There are six major functions that ifchd depends upon that are not generally There are seven major functions that ifchd depends upon that are not generally
portable. First, it uses the SO_PEERCRED flag of getsockopt() to discriminate portable. First, it uses the SO_PEERCRED flag of getsockopt() to discriminate
authorized connections by uid, gid, and pid. Similar functionality exists in authorized connections by uid, gid, and pid. Similar functionality exists in
at least the BSDs; however, it has a different API. Second, ifchd takes at least the BSDs; however, it has a different API. Second, ifchd takes
advantage of Linux capabilities so that it does not need full root privileges. advantage of Linux capabilities so that it does not need full root privileges.
Capabilities are supposedly a POSIX feature, but in practice, they vary greatly Capabilities were a proposed POSIX feature that was not made part of the
from system to system. Third and fourth, ifchd configures network interfaces official standard, so any implemention that may exist will be system-dependent.
and routes. Interface and route configuration is entirely non-portable, Third and fourth, ifchd configures network interfaces and routes. Interface
usually requiring calls to the catch-all ioctl(), and will almost certainly and route configuration is entirely non-portable, usually requiring calls to
require platform-dependent code. Fifth and sixth, both ifchd and ndhc use the catch-all ioctl(), and will almost certainly require platform-dependent
epoll() and signalfd(), which are Linux-specific. code. Fifth and sixth, both ifchd and ndhc use epoll() and signalfd(), which
are Linux-specific. Seventh, ndhc uses netlink sockets extensively for
both fetching data and hardware link state change notification events.
Some standard C libraries include a native implementation of strlcpy() and Some standard C libraries include a native implementation of strlcpy() and
strlcat(). Such defines may conflict with my implementations in strl.c/strl.h. strlcat(). Such defines may conflict with my implementations in strl.c/strl.h.

1
ifchd/ifchd-defines.h
View File

@ -5,7 +5,6 @@
#define PID_FILE_DEFAULT "/var/run/ifchd.pid" #define PID_FILE_DEFAULT "/var/run/ifchd.pid"
#define IFCHD_VERSION "0.8" #define IFCHD_VERSION "0.8"
#define COMM_SOCKET_PATH "ifchange"
#define MAX_BUF 1024 #define MAX_BUF 1024
#define SOCK_QUEUE 2 #define SOCK_QUEUE 2
#define CONN_TIMEOUT 60 #define CONN_TIMEOUT 60

8
ifchd/ifchd.c
View File

@ -1,5 +1,5 @@
/* ifchd.c - interface change daemon /* ifchd.c - interface change daemon
* Time-stamp: <2011-04-30 07:26:54 nk> * Time-stamp: <2011-05-01 19:03:48 njk>
* *
* (C) 2004-2011 Nicholas J. Kain <njkain at gmail dot com> * (C) 2004-2011 Nicholas J. Kain <njkain at gmail dot com>
* *
@ -524,7 +524,7 @@ static int get_listen(void)
struct sockaddr_un lsock_addr = struct sockaddr_un lsock_addr =
{ {
.sun_family = AF_UNIX, .sun_family = AF_UNIX,
.sun_path = COMM_SOCKET_PATH .sun_path = "/var/state/ifchange"
}; };
lsock = socket(PF_UNIX, SOCK_STREAM, 0); lsock = socket(PF_UNIX, SOCK_STREAM, 0);
@ -533,11 +533,11 @@ static int get_listen(void)
fcntl(lsock, F_SETFL, O_NONBLOCK); fcntl(lsock, F_SETFL, O_NONBLOCK);
(void) unlink(COMM_SOCKET_PATH); (void) unlink("/var/state/ifchange");
ret = bind(lsock, (struct sockaddr *) &lsock_addr, sizeof(lsock_addr)); ret = bind(lsock, (struct sockaddr *) &lsock_addr, sizeof(lsock_addr));
if (ret) if (ret)
suicide("dispatch_work - failed to bind socket"); suicide("dispatch_work - failed to bind socket");
ret = chmod(COMM_SOCKET_PATH, S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP); ret = chmod("/var/state/ifchange", S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP);
if (ret) if (ret)
suicide("dispatch_work - failed to chmod socket"); suicide("dispatch_work - failed to chmod socket");
ret = listen(lsock, SOCK_QUEUE); ret = listen(lsock, SOCK_QUEUE);

4
ndhc/ifchange.c
View File

@ -1,5 +1,5 @@
/* ifchange.c - functions to call the interface change daemon /* ifchange.c - functions to call the interface change daemon
* Time-stamp: <2011-03-31 03:44:58 nk> * Time-stamp: <2011-05-01 19:04:06 njk>
* *
* (c) 2004-2011 Nicholas J. Kain <njkain at gmail dot com> * (c) 2004-2011 Nicholas J. Kain <njkain at gmail dot com>
* *
@ -143,7 +143,7 @@ static int open_ifch(void) {
int sockfd, ret; int sockfd, ret;
struct sockaddr_un address = { struct sockaddr_un address = {
.sun_family = AF_UNIX, .sun_family = AF_UNIX,
.sun_path = "ifchange" .sun_path = "/var/state/ifchange"
}; };
sockfd = socket(AF_UNIX, SOCK_STREAM, 0); sockfd = socket(AF_UNIX, SOCK_STREAM, 0);