| @@ -1,14 +1,14 @@ | | | @@ -1,14 +1,14 @@ |
1 | /* $NetBSD: ntpd.c,v 1.1.1.1 2009/12/13 16:56:15 kardel Exp $ */ | | 1 | /* $NetBSD: ntpd.c,v 1.2 2009/12/14 00:42:47 christos Exp $ */ |
2 | | | 2 | |
3 | /* | | 3 | /* |
4 | * ntpd.c - main program for the fixed point NTP daemon | | 4 | * ntpd.c - main program for the fixed point NTP daemon |
5 | */ | | 5 | */ |
6 | | | 6 | |
7 | #ifdef HAVE_CONFIG_H | | 7 | #ifdef HAVE_CONFIG_H |
8 | # include <config.h> | | 8 | # include <config.h> |
9 | #endif | | 9 | #endif |
10 | | | 10 | |
11 | #include "ntp_machine.h" | | 11 | #include "ntp_machine.h" |
12 | #include "ntpd.h" | | 12 | #include "ntpd.h" |
13 | #include "ntp_io.h" | | 13 | #include "ntp_io.h" |
14 | #include "ntp_stdlib.h" | | 14 | #include "ntp_stdlib.h" |
| @@ -167,28 +167,28 @@ int nofork = 0; /* Fork by default */ | | | @@ -167,28 +167,28 @@ int nofork = 0; /* Fork by default */ |
167 | * mDNS registration flag. If set, we attempt to register with the mDNS system, but only | | 167 | * mDNS registration flag. If set, we attempt to register with the mDNS system, but only |
168 | * after we have synched the first time. If the attempt fails, then try again once per | | 168 | * after we have synched the first time. If the attempt fails, then try again once per |
169 | * minute for up to 5 times. After all, we may be starting before mDNS. | | 169 | * minute for up to 5 times. After all, we may be starting before mDNS. |
170 | */ | | 170 | */ |
171 | int mdnsreg = 1; | | 171 | int mdnsreg = 1; |
172 | int mdnstries = 5; | | 172 | int mdnstries = 5; |
173 | #endif /* HAVE_DNSREGISTRATION */ | | 173 | #endif /* HAVE_DNSREGISTRATION */ |
174 | | | 174 | |
175 | #ifdef HAVE_DROPROOT | | 175 | #ifdef HAVE_DROPROOT |
176 | int droproot = 0; | | 176 | int droproot = 0; |
177 | char *user = NULL; /* User to switch to */ | | 177 | char *user = NULL; /* User to switch to */ |
178 | char *group = NULL; /* group to switch to */ | | 178 | char *group = NULL; /* group to switch to */ |
179 | const char *chrootdir = NULL; /* directory to chroot to */ | | 179 | const char *chrootdir = NULL; /* directory to chroot to */ |
180 | int sw_uid; | | 180 | uid_t sw_uid; |
181 | int sw_gid; | | 181 | gid_t sw_gid; |
182 | char *endp; | | 182 | char *endp; |
183 | struct group *gr; | | 183 | struct group *gr; |
184 | struct passwd *pw; | | 184 | struct passwd *pw; |
185 | #endif /* HAVE_DROPROOT */ | | 185 | #endif /* HAVE_DROPROOT */ |
186 | | | 186 | |
187 | /* | | 187 | /* |
188 | * Initializing flag. All async routines watch this and only do their | | 188 | * Initializing flag. All async routines watch this and only do their |
189 | * thing when it is clear. | | 189 | * thing when it is clear. |
190 | */ | | 190 | */ |
191 | int initializing; | | 191 | int initializing; |
192 | | | 192 | |
193 | /* | | 193 | /* |
194 | * Version declaration | | 194 | * Version declaration |
| @@ -952,26 +952,30 @@ getgroup: | | | @@ -952,26 +952,30 @@ getgroup: |
952 | } | | 952 | } |
953 | if (user && initgroups(user, sw_gid)) { | | 953 | if (user && initgroups(user, sw_gid)) { |
954 | msyslog(LOG_ERR, "Cannot initgroups() to user `%s': %m", user); | | 954 | msyslog(LOG_ERR, "Cannot initgroups() to user `%s': %m", user); |
955 | exit (-1); | | 955 | exit (-1); |
956 | } | | 956 | } |
957 | if (group && setgid(sw_gid)) { | | 957 | if (group && setgid(sw_gid)) { |
958 | msyslog(LOG_ERR, "Cannot setgid() to group `%s': %m", group); | | 958 | msyslog(LOG_ERR, "Cannot setgid() to group `%s': %m", group); |
959 | exit (-1); | | 959 | exit (-1); |
960 | } | | 960 | } |
961 | if (group && setegid(sw_gid)) { | | 961 | if (group && setegid(sw_gid)) { |
962 | msyslog(LOG_ERR, "Cannot setegid() to group `%s': %m", group); | | 962 | msyslog(LOG_ERR, "Cannot setegid() to group `%s': %m", group); |
963 | exit (-1); | | 963 | exit (-1); |
964 | } | | 964 | } |
| | | 965 | if (group) |
| | | 966 | setgroups(1, &sw_gid); |
| | | 967 | else |
| | | 968 | initgroups(pw->pw_name, pw->pw_gid); |
965 | if (user && setuid(sw_uid)) { | | 969 | if (user && setuid(sw_uid)) { |
966 | msyslog(LOG_ERR, "Cannot setuid() to user `%s': %m", user); | | 970 | msyslog(LOG_ERR, "Cannot setuid() to user `%s': %m", user); |
967 | exit (-1); | | 971 | exit (-1); |
968 | } | | 972 | } |
969 | if (user && seteuid(sw_uid)) { | | 973 | if (user && seteuid(sw_uid)) { |
970 | msyslog(LOG_ERR, "Cannot seteuid() to user `%s': %m", user); | | 974 | msyslog(LOG_ERR, "Cannot seteuid() to user `%s': %m", user); |
971 | exit (-1); | | 975 | exit (-1); |
972 | } | | 976 | } |
973 | | | 977 | |
974 | #ifndef HAVE_LINUX_CAPABILITIES | | 978 | #ifndef HAVE_LINUX_CAPABILITIES |
975 | /* | | 979 | /* |
976 | * for now assume that the privilege to bind to privileged ports | | 980 | * for now assume that the privilege to bind to privileged ports |
977 | * is associated with running with uid 0 - should be refined on | | 981 | * is associated with running with uid 0 - should be refined on |