diff options
| author | shannonjr <shannonjr@pkgsrc.org> | 2006-05-26 11:43:42 +0000 |
|---|---|---|
| committer | shannonjr <shannonjr@pkgsrc.org> | 2006-05-26 11:43:42 +0000 |
| commit | f9aa6e877e587956d1f3173a86feb67c1d619871 (patch) | |
| tree | 96a8e8b339e1407088fba2ef696935ed91209328 | |
| parent | efc3c730933a2a21173ba7577bd7dd39161cbb10 (diff) | |
| download | pkgsrc-f9aa6e877e587956d1f3173a86feb67c1d619871.tar.gz | |
Added additional environment cleanup before exec'ing prelude-manager.
| -rw-r--r-- | security/prelude-manager/Makefile | 3 | ||||
| -rw-r--r-- | security/prelude-manager/files/run-prelude-manager.c | 21 |
2 files changed, 23 insertions, 1 deletions
diff --git a/security/prelude-manager/Makefile b/security/prelude-manager/Makefile index c8454cd224c..81f6cf2b7ee 100644 --- a/security/prelude-manager/Makefile +++ b/security/prelude-manager/Makefile @@ -1,7 +1,8 @@ -# $NetBSD: Makefile,v 1.7 2006/04/24 10:43:44 shannonjr Exp $ +# $NetBSD: Makefile,v 1.8 2006/05/26 11:43:42 shannonjr Exp $ # DISTNAME= prelude-manager-0.9.4.1 +PKGREVISION= 1 CATEGORIES= security MASTER_SITES= http://www.prelude-ids.org/download/releases/ diff --git a/security/prelude-manager/files/run-prelude-manager.c b/security/prelude-manager/files/run-prelude-manager.c index 1c28d5470ae..5e4a6e5fd0e 100644 --- a/security/prelude-manager/files/run-prelude-manager.c +++ b/security/prelude-manager/files/run-prelude-manager.c @@ -70,6 +70,7 @@ int main (int argc, char **argv ) pid_t pidwait; int waitstat; int maxfd; + int s; /* Sanity check */ if (argc > MAX_ARGS) @@ -78,6 +79,12 @@ int main (int argc, char **argv ) exit(-1); } + if (geteuid() != 0) + { + error_sys("must be called by root"); + exit(-1); + } + /* fork child that will become prelude-manager */ if ((pid = fork()) < 0) @@ -98,9 +105,23 @@ int main (int argc, char **argv ) /* Become session leader */ setsid(); + /* Change working directory to root directory. + The current working directory could be a mounted + filesystem; if the daemon stays on a mounted + filesystem it could prevent the filesystem from + being umounted. */ + chdir("/"); + /* Clear out file creation mask */ umask(0); + /* Close unneeded file descriptors */ + maxfd = (int) sysconf(_SC_OPEN_MAX); + if (maxfd == -1) + maxfd = getdtablesize(); + for (s = 3; s < maxfd; s++) + (void) close(s); + /* Increase limit on number of open file descriptors if necessary */ maxfd = fdlim_get(1); if (maxfd < 0) |