From 8712dc3d4321cc279a888b7237777d1cf1a3f2d0 Mon Sep 17 00:00:00 2001 From: DL6ER Date: Mon, 27 Aug 2018 16:48:32 +0200 Subject: [PATCH 1/2] Ensure proper file ownerships if pihole-FTL is started as root. We drop back from root to user pihole:pihole as soon as we did everything we needed to do as root (open privileged ports, etc.). Signed-off-by: DL6ER
---
 dnsmasq/dnsmasq.c | 2 +- dnsmasq_interface.c | 15 ++++++++++++++- dnsmasq_interface.h | 2 +- 3 files changed, 16 insertions(+), 3 deletions(-)
diff --git a/dnsmasq/dnsmasq.c b/dnsmasq/dnsmasq.c
index 54a47da85..390eaad8e 100644
--- a/dnsmasq/dnsmasq.c
+++ b/dnsmasq/dnsmasq.c
@@ -570,7 +570,7 @@ int main_dnsmasq (int argc, char **argv)
 }
 }
- FTL_fork_and_bind_sockets();
+ FTL_fork_and_bind_sockets(ent_pw);
 log_err = log_start(ent_pw, err_pipe[1]);
diff --git a/dnsmasq_interface.c b/dnsmasq_interface.c
index 4607ed500..01df71a6c 100644
--- a/dnsmasq_interface.c
+++ b/dnsmasq_interface.c
@@ -867,7 +867,7 @@ pthread_t socket_listenthread;
 pthread_t DBthread;
 pthread_t GCthread;
-void FTL_fork_and_bind_sockets(void)
+void FTL_fork_and_bind_sockets(struct passwd *ent_pw)
 {
 if(!debug && daemonmode) go_daemon();
@@ -919,6 +919,19 @@ void FTL_fork_and_bind_sockets(void)
 logg("Unable to open GC thread. Exiting...");
 exit(EXIT_FAILURE);
 }
+
+ // Chown files if FTL started as user root but a dnsmasq config option
+ // states to run as a different user/group (e.g. "nobody")
+ if(ent_pw != NULL && getuid() == 0)
+ {
+ if(chown(FTLfiles.log, ent_pw->pw_uid, ent_pw->pw_gid) == -1)
+ logg("Setting ownership (%i:%i) of %s failed: %s (%i)", ent_pw->pw_uid, ent_pw->pw_gid, FTLfiles.log, errno, strerror(errno));
+ if(database)
+ {
+ if(chown(FTLfiles.db, ent_pw->pw_uid, ent_pw->pw_gid) == -1)
+ logg("Setting ownership (%i:%i) of %s failed: %s (%i)", ent_pw->pw_uid, ent_pw->pw_gid, FTLfiles.db, errno, strerror(errno));
+ }
+ }
 }
 // int cache_inserted, cache_live_freed are defined in dnsmasq/cache.c 
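Review bot: Both `chown()` calls in the added block run while the process is still root and follow symbolic links, so the final path component is trusted at the point where a mistake costs the most. If the directory holding `FTLfiles.log` or `FTLfiles.db` is writable by a less-privileged account (the paths are set outside this hunk, so this needs confirming), ownership of an unintended file could be handed to the `ent_pw` user. The minimal change is `lchown(FTLfiles.log, ent_pw->pw_uid, ent_pw->pw_gid)` and the same for the database; opening each file with `O_NOFOLLOW` and calling `fchown()` on the descriptor is stricter. The same two calls are carried unchanged into the hunk of patch 2/2, and `FTL_fork_and_bind_sockets` begins outside this hunk.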
diff --git a/dnsmasq_interface.h b/dnsmasq_interface.h
index a2c4c3bf4..ea08b5229 100644
--- a/dnsmasq_interface.h
+++ b/dnsmasq_interface.h
@@ -16,7 +16,7 @@ void FTL_reply(unsigned short flags, char *name, struct all_addr *addr, int id);
 void FTL_cache(unsigned int flags, char *name, struct all_addr *addr, char * arg, int id);
 void FTL_dnssec(int status, int id);
 void FTL_dnsmasq_reload(void);
-void FTL_fork_and_bind_sockets(void);
+void FTL_fork_and_bind_sockets(struct passwd *ent_pw);
 void FTL_header_ADbit(unsigned char header4, int id);
From f67de1806d20bfb1deba9310014bc31f47a9a110 Mon Sep 17 00:00:00 2001 From: DL6ER Date: Mon, 27 Aug 2018 17:07:06 +0200 Subject: [PATCH 2/2] Fix syntax and use short-circuit evaluation Signed-off-by: DL6ER
---
 dnsmasq_interface.c | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-)
diff --git a/dnsmasq_interface.c b/dnsmasq_interface.c
index 01df71a6c..df1e9a8ce 100644
--- a/dnsmasq_interface.c
+++ b/dnsmasq_interface.c
@@ -925,12 +925,9 @@ void FTL_fork_and_bind_sockets(struct passwd *ent_pw)
 if(ent_pw != NULL && getuid() == 0)
 {
 if(chown(FTLfiles.log, ent_pw->pw_uid, ent_pw->pw_gid) == -1)
- logg("Setting ownership (%i:%i) of %s failed: %s (%i)", ent_pw->pw_uid, ent_pw->pw_gid, FTLfiles.log, errno, strerror(errno));
- if(database)
- {
- if(chown(FTLfiles.db, ent_pw->pw_uid, ent_pw->pw_gid) == -1)
- logg("Setting ownership (%i:%i) of %s failed: %s (%i)", ent_pw->pw_uid, ent_pw->pw_gid, FTLfiles.db, errno, strerror(errno));
- }
+ logg("Setting ownership (%i:%i) of %s failed: %s (%i)", ent_pw->pw_uid, ent_pw->pw_gid, FTLfiles.log, strerror(errno), errno);
+ if(database && chown(FTLfiles.db, ent_pw->pw_uid, ent_pw->pw_gid) == -1)
+ logg("Setting ownership (%i:%i) of %s failed: %s (%i)", ent_pw->pw_uid, ent_pw->pw_gid, FTLfiles.db, strerror(errno), errno);
 }
 }
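Review bot: The new prototype names `struct passwd` but nothing in the visible part of this header declares it. Unless every file that includes `dnsmasq_interface.h` has already pulled in `<pwd.h>` (not visible here), the compiler treats the type as local to the parameter list and warns, and the declaration will not match the definition. A forward declaration `struct passwd;` above the prototype, or `#include <pwd.h>` in the header, makes it self-contained. Since the function only reads the entry, `void FTL_fork_and_bind_sockets(const struct passwd *ent_pw);` would also document that.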
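Review bot: The two rewritten `logg()` calls still print `ent_pw->pw_uid` and `ent_pw->pw_gid` with `%i`, although `uid_t` and `gid_t` are unsigned on Linux. If `logg` forwards to a printf-style formatter (its definition is not visible here), the specifier does not match the argument type. Using `(%u:%u)` with `(unsigned int)ent_pw->pw_uid, (unsigned int)ent_pw->pw_gid` in both messages keeps the output well-defined. Separately, a failed chown is only logged and startup continues, so the daemon may later be unable to write a root-owned log or database once privileges are dropped; if that is intended, a comment such as `// Best effort: keep running even if ownership could not be changed` would say so. The function itself starts outside this hunk.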