sites

public wiki contents of suckless.org
git clone git://git.suckless.org/sites
Log | Files | Refs

quark-noroot-20191003-3c7049e.diff (5193B)


      1 From d91f68b56a4fd673786e9e4df0088642f3b186ff Mon Sep 17 00:00:00 2001
      2 From: codesoap <codesoap@mailbox.org>
      3 Date: Thu, 3 Oct 2019 17:00:49 +0200
      4 Subject: [PATCH] patch: noroot
      5 
      6 Don't require or allow root to run quark.
      7 ---
      8  main.c  | 50 ++------------------------------------------------
      9  quark.1 | 13 +------------
     10  sock.c  |  7 +------
     11  sock.h  |  2 +-
     12  4 files changed, 5 insertions(+), 67 deletions(-)
     13 
     14 diff --git a/main.c b/main.c
     15 index c1ff489..583e343 100644
     16 --- a/main.c
     17 +++ b/main.c
     18 @@ -1,9 +1,7 @@
     19  /* See LICENSE file for copyright and license details. */
     20  #include <errno.h>
     21 -#include <grp.h>
     22  #include <limits.h>
     23  #include <netinet/in.h>
     24 -#include <pwd.h>
     25  #include <regex.h>
     26  #include <signal.h>
     27  #include <sys/resource.h>
     28 @@ -163,7 +161,7 @@ err:
     29  static void
     30  usage(void)
     31  {
     32 -	const char *opts = "[-u user] [-g group] [-n num] [-d dir] [-l] "
     33 +	const char *opts = "[-n num] [-d dir] [-l] "
     34  	                   "[-i file] [-v vhost] ... [-m map] ...";
     35  
     36  	die("usage: %s -h host -p port %s\n"
     37 @@ -174,8 +172,6 @@ usage(void)
     38  int
     39  main(int argc, char *argv[])
     40  {
     41 -	struct group *grp = NULL;
     42 -	struct passwd *pwd = NULL;
     43  	struct rlimit rlim;
     44  	struct sockaddr_storage in_sa;
     45  	pid_t cpid, wpid, spid;
     46 @@ -188,8 +184,6 @@ main(int argc, char *argv[])
     47  	/* defaults */
     48  	int maxnprocs = 512;
     49  	char *servedir = ".";
     50 -	char *user = "nobody";
     51 -	char *group = "nogroup";
     52  
     53  	s.host = s.port = NULL;
     54  	s.vhost = NULL;
     55 @@ -202,9 +196,6 @@ main(int argc, char *argv[])
     56  	case 'd':
     57  		servedir = EARGF(usage());
     58  		break;
     59 -	case 'g':
     60 -		group = EARGF(usage());
     61 -		break;
     62  	case 'h':
     63  		s.host = EARGF(usage());
     64  		break;
     65 @@ -241,9 +232,6 @@ main(int argc, char *argv[])
     66  	case 'U':
     67  		udsname = EARGF(usage());
     68  		break;
     69 -	case 'u':
     70 -		user = EARGF(usage());
     71 -		break;
     72  	case 'v':
     73  		if (spacetok(EARGF(usage()), tok, 4) || !tok[0] || !tok[1] ||
     74  		    !tok[2]) {
     75 @@ -291,25 +279,13 @@ main(int argc, char *argv[])
     76  		die("setrlimit RLIMIT_NPROC:");
     77  	}
     78  
     79 -	/* validate user and group */
     80 -	errno = 0;
     81 -	if (user && !(pwd = getpwnam(user))) {
     82 -		die("getpwnam '%s': %s", user, errno ? strerror(errno) :
     83 -		    "Entry not found");
     84 -	}
     85 -	errno = 0;
     86 -	if (group && !(grp = getgrnam(group))) {
     87 -		die("getgrnam '%s': %s", group, errno ? strerror(errno) :
     88 -		    "Entry not found");
     89 -	}
     90 -
     91  	/* Open a new process group */
     92  	setpgid(0,0);
     93  
     94  	handlesignals(sigcleanup);
     95  
     96  	/* bind socket */
     97 -	insock = udsname ? sock_get_uds(udsname, pwd->pw_uid, grp->gr_gid) :
     98 +	insock = udsname ? sock_get_uds(udsname) :
     99  	                   sock_get_ips(s.host, s.port);
    100  
    101  	switch (cpid = fork()) {
    102 @@ -329,24 +305,9 @@ main(int argc, char *argv[])
    103  		eunveil(servedir, "r");
    104  		eunveil(NULL, NULL);
    105  
    106 -		/* chroot */
    107  		if (chdir(servedir) < 0) {
    108  			die("chdir '%s':", servedir);
    109  		}
    110 -		if (chroot(".") < 0) {
    111 -			die("chroot .:");
    112 -		}
    113 -
    114 -		/* drop root */
    115 -		if (grp && setgroups(1, &(grp->gr_gid)) < 0) {
    116 -			die("setgroups:");
    117 -		}
    118 -		if (grp && setgid(grp->gr_gid) < 0) {
    119 -			die("setgid:");
    120 -		}
    121 -		if (pwd && setuid(pwd->pw_uid) < 0) {
    122 -			die("setuid:");
    123 -		}
    124  
    125  		if (udsname) {
    126  			epledge("stdio rpath proc unix", NULL);
    127 @@ -354,13 +315,6 @@ main(int argc, char *argv[])
    128  			epledge("stdio rpath proc inet", NULL);
    129  		}
    130  
    131 -		if (getuid() == 0) {
    132 -			die("Won't run as root user", argv0);
    133 -		}
    134 -		if (getgid() == 0) {
    135 -			die("Won't run as root group", argv0);
    136 -		}
    137 -
    138  		/* accept incoming connections */
    139  		while (1) {
    140  			in_sa_len = sizeof(in_sa);
    141 diff --git a/quark.1 b/quark.1
    142 index ce315b5..e45140c 100644
    143 --- a/quark.1
    144 +++ b/quark.1
    145 @@ -35,13 +35,8 @@ is a simple HTTP GET/HEAD-only web server for static content.
    146  .It Fl d Ar dir
    147  Serve
    148  .Ar dir
    149 -after chrooting into it.
    150 +after changing into it.
    151  The default is ".".
    152 -.It Fl g Ar group
    153 -Set group ID when dropping privileges, and in socket mode the group of the
    154 -socket file, to the ID of
    155 -.Ar group .
    156 -The default is "nogroup".
    157  .It Fl h Ar host
    158  Use
    159  .Ar host
    160 @@ -86,12 +81,6 @@ redirects on non-standard ports.
    161  Create the UNIX-domain socket
    162  .Ar file ,
    163  listen on it for incoming connections and remove it on exit.
    164 -.It Fl u Ar user
    165 -Set user ID when dropping privileges,
    166 -and in socket mode the user of the socket file,
    167 -to the ID of
    168 -.Ar user .
    169 -The default is "nobody".
    170  .It Fl v Ar vhost
    171  Add the virtual host specified by
    172  .Ar vhost ,
    173 diff --git a/sock.c b/sock.c
    174 index 7000738..31960c5 100644
    175 --- a/sock.c
    176 +++ b/sock.c
    177 @@ -68,7 +68,7 @@ sock_rem_uds(const char *udsname)
    178  }
    179  
    180  int
    181 -sock_get_uds(const char *udsname, uid_t uid, gid_t gid)
    182 +sock_get_uds(const char *udsname)
    183  {
    184  	struct sockaddr_un addr = {
    185  		.sun_family = AF_UNIX,
    186 @@ -99,11 +99,6 @@ sock_get_uds(const char *udsname, uid_t uid, gid_t gid)
    187  		die("chmod:");
    188  	}
    189  
    190 -	if (chown(udsname, uid, gid) < 0) {
    191 -		sock_rem_uds(udsname);
    192 -		die("chown:");
    193 -	}
    194 -
    195  	return insock;
    196  }
    197  
    198 diff --git a/sock.h b/sock.h
    199 index a39aec9..4f790f6 100644
    200 --- a/sock.h
    201 +++ b/sock.h
    202 @@ -8,7 +8,7 @@
    203  
    204  int sock_get_ips(const char *, const char *);
    205  void sock_rem_uds(const char *);
    206 -int sock_get_uds(const char *, uid_t, gid_t);
    207 +int sock_get_uds(const char *);
    208  int sock_set_timeout(int, int);
    209  int sock_get_inaddr_str(struct sockaddr_storage *, char *, size_t);
    210  
    211 -- 
    212 2.21.0
    213