warp-vpn

point to point VPN implementation
git clone git://git.2f30.org/warp-vpn

commit 30f0119c50248150d08503521b0720cad6139b52
parent bc3131cc03e573ebd79dbc9ed6867eb678c6bd2c
Author: sin <sin@2f30.org>
Date:   Tue, 29 Mar 2016 08:47:30 +0100

revoke privileges

Diffstat:
Mstun.c | 17+++++++++++++++++
1 file changed, 17 insertions(+), 0 deletions(-)

diff --git a/stun.c b/stun.c
@@ -21,6 +21,7 @@
 #include <errno.h>
 #include <fcntl.h>
 #include <poll.h>
+#include <pwd.h>
 #include <signal.h>
 #include <stdarg.h>
 #include <stdio.h>
@@ -41,6 +42,7 @@
 #define explicit_bzero bzero
 #endif
+#define NOPRIVUSER "nobody"
 #define CHALLENGETIMEO 1 /* in seconds */
 #define RECONNECTTIMEO 60 /* in seconds */
 #define HDRLEN 2
@@ -674,6 +676,20 @@ daemonize(void)
 }
 void
+revokeprivs(void)
+{
+ struct passwd *pw;
+
+ pw = getpwnam(NOPRIVUSER);
+ if (!pw)
+ logerr("no %s user", NOPRIVUSER);
+ if (setgroups(1, &pw->pw_gid) ||
+ setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) ||
+ setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid))
+ logerr("failed to revoke privs");
+}
+
+void
 usage(void)
 {
 fprintf(stderr, "usage: stun [-df] -s [-p port] [-t type] interface\n");
@@ -724,6 +740,7 @@ main(int argc, char *argv[])
 openlog("stun", LOG_PID | LOG_NDELAY, LOG_DAEMON);
 devfd = opendev(argv[0]);
+ revokeprivs();
 pw = getenv("STUNPW");
 if (!pw)
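Review bot: In revokeprivs(), nothing visibly stops execution after `logerr("no %s user", NOPRIVUSER)`. logerr() is defined outside this hunk; if it only logs and returns, the next statement dereferences a NULL `pw`, and a failed setgroups()/setresgid()/setresuid() would leave the daemon running with its original privileges. Make the failure path explicit so the drop fails closed, e.g. `if (!pw) { logerr("no %s user", NOPRIVUSER); exit(1); }`, and do the same after `logerr("failed to revoke privs")`; if logerr() already terminates, a one-line comment saying so would settle the question. On glibc setgroups() is declared in `<grp.h>`, which the include hunk does not add, so confirm it is already included.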
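Review bot: The `revokeprivs()` call in main() is unconditional, so when stun is started by a non-root user setgroups() will most likely fail with EPERM and the process takes the "failed to revoke privs" path. If running unprivileged is meant to stay supported, guard the call with `if (geteuid() == 0) revokeprivs();`; if root is now required, say so at the call site. A comment such as `/* drop root once the tun device is open; nothing below may require privileges */` would also record why the call sits directly after opendev(). main() continues outside the hunk, so whether later setup still needs root cannot be checked from here.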