118 static void |
118 static void |
119 daemonize_init(char *arg) |
119 daemonize_init(char *arg) |
120 { |
120 { |
121 sigset_t set, oset; |
121 sigset_t set, oset; |
122 pid_t pid; |
122 pid_t pid; |
|
123 priv_set_t *pset = priv_allocset(); |
123 |
124 |
124 /* |
125 /* |
125 * Set effective sets privileges to 'least' required. If fails, send |
126 * Set effective sets privileges to 'least' required. If fails, send |
126 * error messages to log file and proceed. |
127 * error messages to log file and proceed. |
127 */ |
128 */ |
128 if (priv_set(PRIV_SET, PRIV_EFFECTIVE, |
129 if (pset != NULL) { |
129 PRIV_FILE_LINK_ANY, PRIV_PROC_INFO, PRIV_PROC_SESSION, |
130 priv_basicset(pset); |
130 PRIV_PROC_FORK, PRIV_PROC_EXEC, |
131 (void) priv_addset(pset, PRIV_PROC_AUDIT); |
131 PRIV_PROC_AUDIT, PRIV_PROC_SETID, PRIV_PROC_OWNER, PRIV_FILE_CHOWN, |
132 (void) priv_addset(pset, PRIV_PROC_SETID); |
132 PRIV_FILE_CHOWN_SELF, PRIV_FILE_DAC_READ, PRIV_FILE_DAC_SEARCH, |
133 (void) priv_addset(pset, PRIV_PROC_OWNER); |
133 PRIV_FILE_DAC_WRITE, PRIV_FILE_OWNER, PRIV_FILE_SETID, |
134 (void) priv_addset(pset, PRIV_FILE_CHOWN); |
134 PRIV_SYS_LINKDIR, PRIV_SYS_DEVICES, PRIV_SYS_MOUNT, PRIV_SYS_CONFIG, |
135 (void) priv_addset(pset, PRIV_FILE_CHOWN_SELF); |
135 NULL)) |
136 (void) priv_addset(pset, PRIV_FILE_DAC_READ); |
136 syslog(LOG_ERR, |
137 (void) priv_addset(pset, PRIV_FILE_DAC_SEARCH); |
137 "Failed to set least required privileges to the service."); |
138 (void) priv_addset(pset, PRIV_FILE_DAC_WRITE); |
|
139 (void) priv_addset(pset, PRIV_FILE_OWNER); |
|
140 (void) priv_addset(pset, PRIV_FILE_SETID); |
|
141 (void) priv_addset(pset, PRIV_SYS_LINKDIR); |
|
142 (void) priv_addset(pset, PRIV_SYS_DEVICES); |
|
143 (void) priv_addset(pset, PRIV_SYS_MOUNT); |
|
144 (void) priv_addset(pset, PRIV_SYS_CONFIG); |
|
145 } |
|
146 |
|
147 if (pset == NULL || setppriv(PRIV_SET, PRIV_EFFECTIVE, pset) != 0) { |
|
148 syslog(LOG_ERR, "Failed to set least required privileges to " |
|
149 "the service."); |
|
150 } |
|
151 priv_freeset(pset); |
138 |
152 |
139 /* |
153 /* |
140 * Block all signals prior to the fork and leave them blocked in the |
154 * Block all signals prior to the fork and leave them blocked in the |
141 * parent so we don't get in a situation where the parent gets SIGINT |
155 * parent so we don't get in a situation where the parent gets SIGINT |
142 * and returns non-zero exit status and the child is actually running. |
156 * and returns non-zero exit status and the child is actually running. |