quark-noroot-20191003-3c7049e.diff (5193B)
1 From d91f68b56a4fd673786e9e4df0088642f3b186ff Mon Sep 17 00:00:00 2001 2 From: codesoap <codesoap@mailbox.org> 3 Date: Thu, 3 Oct 2019 17:00:49 +0200 4 Subject: [PATCH] patch: noroot 5 6 Don't require or allow root to run quark. 7 --- 8 main.c | 50 ++------------------------------------------------ 9 quark.1 | 13 +------------ 10 sock.c | 7 +------ 11 sock.h | 2 +- 12 4 files changed, 5 insertions(+), 67 deletions(-) 13 14 diff --git a/main.c b/main.c 15 index c1ff489..583e343 100644 16 --- a/main.c 17 +++ b/main.c 18 @@ -1,9 +1,7 @@ 19 /* See LICENSE file for copyright and license details. */ 20 #include <errno.h> 21 -#include <grp.h> 22 #include <limits.h> 23 #include <netinet/in.h> 24 -#include <pwd.h> 25 #include <regex.h> 26 #include <signal.h> 27 #include <sys/resource.h> 28 @@ -163,7 +161,7 @@ err: 29 static void 30 usage(void) 31 { 32 - const char *opts = "[-u user] [-g group] [-n num] [-d dir] [-l] " 33 + const char *opts = "[-n num] [-d dir] [-l] " 34 "[-i file] [-v vhost] ... [-m map] ..."; 35 36 die("usage: %s -h host -p port %s\n" 37 @@ -174,8 +172,6 @@ usage(void) 38 int 39 main(int argc, char *argv[]) 40 { 41 - struct group *grp = NULL; 42 - struct passwd *pwd = NULL; 43 struct rlimit rlim; 44 struct sockaddr_storage in_sa; 45 pid_t cpid, wpid, spid; 46 @@ -188,8 +184,6 @@ main(int argc, char *argv[]) 47 /* defaults */ 48 int maxnprocs = 512; 49 char *servedir = "."; 50 - char *user = "nobody"; 51 - char *group = "nogroup"; 52 53 s.host = s.port = NULL; 54 s.vhost = NULL; 55 @@ -202,9 +196,6 @@ main(int argc, char *argv[]) 56 case 'd': 57 servedir = EARGF(usage()); 58 break; 59 - case 'g': 60 - group = EARGF(usage()); 61 - break; 62 case 'h': 63 s.host = EARGF(usage()); 64 break; 65 @@ -241,9 +232,6 @@ main(int argc, char *argv[]) 66 case 'U': 67 udsname = EARGF(usage()); 68 break; 69 - case 'u': 70 - user = EARGF(usage()); 71 - break; 72 case 'v': 73 if (spacetok(EARGF(usage()), tok, 4) || !tok[0] || !tok[1] || 74 !tok[2]) { 75 @@ -291,25 +279,13 @@ main(int argc, char *argv[]) 76 die("setrlimit RLIMIT_NPROC:"); 77 } 78 79 - /* validate user and group */ 80 - errno = 0; 81 - if (user && !(pwd = getpwnam(user))) { 82 - die("getpwnam '%s': %s", user, errno ? strerror(errno) : 83 - "Entry not found"); 84 - } 85 - errno = 0; 86 - if (group && !(grp = getgrnam(group))) { 87 - die("getgrnam '%s': %s", group, errno ? strerror(errno) : 88 - "Entry not found"); 89 - } 90 - 91 /* Open a new process group */ 92 setpgid(0,0); 93 94 handlesignals(sigcleanup); 95 96 /* bind socket */ 97 - insock = udsname ? sock_get_uds(udsname, pwd->pw_uid, grp->gr_gid) : 98 + insock = udsname ? sock_get_uds(udsname) : 99 sock_get_ips(s.host, s.port); 100 101 switch (cpid = fork()) { 102 @@ -329,24 +305,9 @@ main(int argc, char *argv[]) 103 eunveil(servedir, "r"); 104 eunveil(NULL, NULL); 105 106 - /* chroot */ 107 if (chdir(servedir) < 0) { 108 die("chdir '%s':", servedir); 109 } 110 - if (chroot(".") < 0) { 111 - die("chroot .:"); 112 - } 113 - 114 - /* drop root */ 115 - if (grp && setgroups(1, &(grp->gr_gid)) < 0) { 116 - die("setgroups:"); 117 - } 118 - if (grp && setgid(grp->gr_gid) < 0) { 119 - die("setgid:"); 120 - } 121 - if (pwd && setuid(pwd->pw_uid) < 0) { 122 - die("setuid:"); 123 - } 124 125 if (udsname) { 126 epledge("stdio rpath proc unix", NULL); 127 @@ -354,13 +315,6 @@ main(int argc, char *argv[]) 128 epledge("stdio rpath proc inet", NULL); 129 } 130 131 - if (getuid() == 0) { 132 - die("Won't run as root user", argv0); 133 - } 134 - if (getgid() == 0) { 135 - die("Won't run as root group", argv0); 136 - } 137 - 138 /* accept incoming connections */ 139 while (1) { 140 in_sa_len = sizeof(in_sa); 141 diff --git a/quark.1 b/quark.1 142 index ce315b5..e45140c 100644 143 --- a/quark.1 144 +++ b/quark.1 145 @@ -35,13 +35,8 @@ is a simple HTTP GET/HEAD-only web server for static content. 146 .It Fl d Ar dir 147 Serve 148 .Ar dir 149 -after chrooting into it. 150 +after changing into it. 151 The default is ".". 152 -.It Fl g Ar group 153 -Set group ID when dropping privileges, and in socket mode the group of the 154 -socket file, to the ID of 155 -.Ar group . 156 -The default is "nogroup". 157 .It Fl h Ar host 158 Use 159 .Ar host 160 @@ -86,12 +81,6 @@ redirects on non-standard ports. 161 Create the UNIX-domain socket 162 .Ar file , 163 listen on it for incoming connections and remove it on exit. 164 -.It Fl u Ar user 165 -Set user ID when dropping privileges, 166 -and in socket mode the user of the socket file, 167 -to the ID of 168 -.Ar user . 169 -The default is "nobody". 170 .It Fl v Ar vhost 171 Add the virtual host specified by 172 .Ar vhost , 173 diff --git a/sock.c b/sock.c 174 index 7000738..31960c5 100644 175 --- a/sock.c 176 +++ b/sock.c 177 @@ -68,7 +68,7 @@ sock_rem_uds(const char *udsname) 178 } 179 180 int 181 -sock_get_uds(const char *udsname, uid_t uid, gid_t gid) 182 +sock_get_uds(const char *udsname) 183 { 184 struct sockaddr_un addr = { 185 .sun_family = AF_UNIX, 186 @@ -99,11 +99,6 @@ sock_get_uds(const char *udsname, uid_t uid, gid_t gid) 187 die("chmod:"); 188 } 189 190 - if (chown(udsname, uid, gid) < 0) { 191 - sock_rem_uds(udsname); 192 - die("chown:"); 193 - } 194 - 195 return insock; 196 } 197 198 diff --git a/sock.h b/sock.h 199 index a39aec9..4f790f6 100644 200 --- a/sock.h 201 +++ b/sock.h 202 @@ -8,7 +8,7 @@ 203 204 int sock_get_ips(const char *, const char *); 205 void sock_rem_uds(const char *); 206 -int sock_get_uds(const char *, uid_t, gid_t); 207 +int sock_get_uds(const char *); 208 int sock_set_timeout(int, int); 209 int sock_get_inaddr_str(struct sockaddr_storage *, char *, size_t); 210 211 -- 212 2.21.0 213