commit afeb213260afbdc56b2a46df12b92a9c71db6f2c
parent 8a3f49d1645dc6d2041da0d6cf73d9eb91f2c47d
Author: Joris Vink <joris@coders.se>
Date: Mon, 18 Nov 2013 00:42:57 +0100
Kore no longer requires root to be started.
Diffstat:
5 files changed, 32 insertions(+), 19 deletions(-)
diff --git a/includes/kore.h b/includes/kore.h
@@ -255,6 +255,7 @@ struct kore_pool {
extern pid_t kore_pid;
extern int kore_debug;
+extern int skip_chroot;
extern char *chroot_path;
extern char *runas_user;
extern char *kore_module_onload;
diff --git a/modules/example/module.conf b/modules/example/module.conf
@@ -1,8 +1,9 @@
# Example Kore configuration
# Server configuration.
-bind 127.0.0.1 443
-bind ::1 443
+#bind 127.0.0.1 443
+#bind ::1 443
+bind 10.211.55.3 4443
# The path worker processes will chroot into after starting.
chroot /home/joris/src/kore
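Review bot: The example configuration now carries what look like the author's local test values: `bind 10.211.55.3 4443` here, and in the later hunks `domain 10.211.55.3 {` plus the relative `pidfile kore.pid` and `accesslog kore_access.log`. An example bound to one specific private address will not start on other hosts, and the relative paths presumably resolve against whatever directory kore is started from. For a non-root-friendly default, `bind 127.0.0.1 4443` with `domain localhost {` would keep the unprivileged port while leaving the listener on loopback.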
@@ -20,6 +21,7 @@ workers 4
# Store the main process its pid in this file.
#pidfile /var/run/kore.pid
+pidfile kore.pid
# The onload function is called everytime the module is loaded or reloaded.
#onload myinit
@@ -91,10 +93,11 @@ ssl_no_compression
# handler path module_callback
# Example domain that responds to localhost.
-domain localhost {
+#domain localhost {
+domain 10.211.55.3 {
certfile cert/server.crt
certkey cert/server.key
- accesslog /var/log/kore_access.log
+ accesslog kore_access.log
# Static page handlers
static /css/style.css serve_style_css
diff --git a/src/config.c b/src/config.c
@@ -155,6 +155,9 @@ kore_parse_config(void)
fatal("missing a username to run as");
if ((pw = getpwnam(runas_user)) == NULL)
fatal("user '%s' does not exist", runas_user);
+
+ if (getuid() != 0 && skip_chroot == 0)
+ fatal("Cannot chroot(), use -n to skip it");
}
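Review bot: A non-root start with `-n` and a `runas_user` other than the invoking account passes this check and only fails later, once per worker, with the generic "unable to drop privileges" from src/worker.c. `pw` is already resolved at this point, so the parser could reject that case up front: `if (getuid() != 0 && getuid() != pw->pw_uid) fatal("cannot run as '%s' without root", runas_user);`. Since chroot() depends on the effective rather than the real UID, `geteuid()` may be the better call in the added test as well. kore_parse_config's body starts outside the hunk.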
static int
diff --git a/src/kore.c b/src/kore.c
@@ -29,6 +29,7 @@ struct passwd *pw = NULL;
pid_t kore_pid = -1;
u_int16_t cpu_count = 1;
int kore_debug = 0;
+int skip_chroot = 0;
u_int8_t worker_count = 0;
char *runas_user = NULL;
char *chroot_path = NULL;
@@ -46,7 +47,7 @@ static void kore_server_sslstart(void);
static void
usage(void)
{
- fprintf(stderr, "Usage: kore [-c config] [-d]\n");
+ fprintf(stderr, "Usage: kore [-c config] [-dn]\n");
exit(1);
}
@@ -56,10 +57,7 @@ main(int argc, char *argv[])
int ch;
struct listener *l;
- if (getuid() != 0)
- fatal("kore must be started as root");
-
- while ((ch = getopt(argc, argv, "c:d")) != -1) {
+ while ((ch = getopt(argc, argv, "c:dn")) != -1) {
switch (ch) {
case 'c':
config_file = optarg;
@@ -71,6 +69,9 @@ main(int argc, char *argv[])
printf("kore not compiled with debug support\n");
#endif
break;
+ case 'n':
+ skip_chroot = 1;
+ break;
default:
usage();
}
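Review bot: `-n` turns off the worker chroot with no trace at startup, and it is accepted when kore is started as root too, where the chroot would have worked. A one-line notice in the `case 'n':` branch, e.g. `fprintf(stderr, "warning: -n given, workers will not chroot\n");`, would make the weaker confinement visible to whoever runs the server. The usage string in the earlier hunk could also say what `-n` does instead of only listing the letter. main's body starts and ends outside this hunk.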
diff --git a/src/worker.c b/src/worker.c
@@ -178,19 +178,24 @@ kore_worker_entry(struct kore_worker *kw)
worker = kw;
- if (chroot(chroot_path) == -1)
- fatal("cannot chroot(): %s", errno_s);
- if (chdir("/") == -1)
- fatal("cannot chdir(): %s", errno_s);
- if (setgroups(1, &pw->pw_gid) ||
+ if (skip_chroot == 0) {
+ if (chroot(chroot_path) == -1)
+ fatal("cannot chroot(): %s", errno_s);
+ if (chdir("/") == -1)
+ fatal("cannot chdir(): %s", errno_s);
+ }
+
+ if (getuid() != pw->pw_uid) {
+ if (setgroups(1, &pw->pw_gid) ||
#ifdef __MACH__
- setgid(pw->pw_gid) || setegid(pw->pw_gid) ||
- setuid(pw->pw_uid) || seteuid(pw->pw_uid))
+ setgid(pw->pw_gid) || setegid(pw->pw_gid) ||
+ setuid(pw->pw_uid) || seteuid(pw->pw_uid))
#else
- setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) ||
- setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid))
+ setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) ||
+ setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid))
#endif
- fatal("unable to drop privileges");
+ fatal("unable to drop privileges");
+ }
snprintf(buf, sizeof(buf), "kore [wrk %d]", kw->id);
kore_platform_proctitle(buf);
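Review bot: The new guard `if (getuid() != pw->pw_uid)` looks only at the real UID, so the whole drop (supplementary groups, gid and uid) is skipped whenever that one value already matches. A process whose effective UID, GID or supplementary groups differ from the target account's would keep them, and a root start with `runas_user` set to root together with `-n` leaves workers running as root with no chroot. Comparing all four ids would narrow this: `if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid || getgid() != pw->pw_gid || getegid() != pw->pw_gid) {`. The `fatal("unable to drop privileges")` message could also include `errno_s`, as the chroot() and chdir() messages above it do. kore_worker_entry continues outside the hunk.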