
[fix] user privilege drop: remove this broken feature

1 parent 82d143d commit 71b8a61ee3ff4a874f221a59e1a38514c5521f5f François-Régis Sinot committed Sep 19, 2011
Showing with 0 additions and 125 deletions.
  1. +0 −8 libnet/ftpServer.ml
  2. +0 −1 libnet/ftpServerType.ml
  3. +0 −7 libnet/httpServer.ml
  4. +0 −7 libnet/smtpServer.ml
  5. +0 −1 libtools.mllib
  6. +0 −101 libtools/systools.ml
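--- a/libnet/ftpServer.ml
+++ b/libnet/ftpServer.ml
@@ -68,7 +68,6 @@ type options =
 opt_default_folder: string; (** starting folder for new connections *)
 opt_rename_string: string option; (** from path for RNFR verb *)
 opt_timeout: Time.t; (** global connection timeout *)
- opt_drop_privilege: bool;
 opt_ssl_cert : string;
 opt_ssl_key : string;
 opt_ssl_pass : string;
@@ -114,7 +113,6 @@ let default_options =
 opt_default_folder = initDir;
 opt_rename_string = None;
 opt_timeout = Time.seconds 300;
- opt_drop_privilege = true;
 opt_ssl_cert = "";
 opt_ssl_key = "";
 opt_ssl_pass = "";
@@ -143,10 +141,6 @@ let spec_args name =
 ServerArg.func ServerArg.unit (fun o () -> { o with opt_dos_prevention = false }),
 "", "Disable the built-in protection against Denial-of-Service attacks";*)
- p"no-drop-privilege",
- ServerArg.func ServerArg.unit (fun o () -> { o with opt_drop_privilege = false }),
- "", "Disable the drop of privilege on server start";
-
 p"ssl-cert",
 ServerArg.func ServerArg.string (fun o s -> { o with opt_ssl_cert = s }),
 "<file>", "Location of your SSL certificate (requires ssl-key)";
@@ -184,7 +178,6 @@ let make_ssl_verify opt =
 None
 let make (_name:string) (opt:options) (_sched:Scheduler.t) : t =
- if opt.opt_drop_privilege then Systools.change_user ();
 let secure_mode = Network.secure_mode_from_params (make_ssl_cert opt) (make_ssl_verify opt) in
 let runtime = { FSC.rt_plim = 128;
 rt_dialog_name = opt.opt_dialog;
@@ -224,7 +217,6 @@ let make (_name:string) (opt:options) (_sched:Scheduler.t) : t =
 default_folder = opt.opt_default_folder;
 rename_string = opt.opt_rename_string;
 timeout = opt.opt_timeout;
- drop_privilege = opt.opt_drop_privilege;
 ssl_cert = opt.opt_ssl_cert;
 ssl_key = opt.opt_ssl_key;
 ssl_pass = opt.opt_ssl_pass;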
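Review bot: With the `Systools.change_user ()` call gone from `make`, a server launched as root now keeps root for its whole lifetime and nothing in the new code tells the operator; the same applies to `make` in libnet/smtpServer.ml. The removed helper ignored `Unix_error` from `setgid`/`setuid` and fell back to uid 33, so dropping it is reasonable, but the start-up path should make the remaining state visible, e.g. `if Unix.geteuid () = 0 then Logger.warning "server is running as root; privileges are not dropped";` at the top of `make` (assuming `Logger` is usable from this module). Deployments that relied on the default drop now need to start the process under an unprivileged account, and launch scripts that pass the `no-drop-privilege` option may need updating since it no longer exists. `make` continues beyond the visible hunks.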
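--- a/libnet/ftpServerType.ml
+++ b/libnet/ftpServerType.ml
@@ -86,7 +86,6 @@ type state = {
 default_folder: string; (** starting folder for new connections *)
 rename_string: string option; (** from path for RNFR verb *)
 timeout: Time.t; (** global connection timeout *)
- drop_privilege: bool;
 ssl_cert: string;
 ssl_key: string;
 ssl_pass: string;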
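--- a/libnet/httpServer.ml
+++ b/libnet/httpServer.ml
@@ -509,7 +509,6 @@ type options =
 block_size : int;
 allowed_hosts : string list;
 dos_prevention : bool;
- drop_privilege : bool;
 on_server_run : options -> Scheduler.t -> unit;
 on_server_close : Scheduler.t -> unit;
 get : Scheduler.t -> HSC.runtime -> HSCp.msg -> HST.handle_request -> HST.get
@@ -596,7 +595,6 @@ let default_options =
 block_size = 4096; (* TODO: implement separate callbac blocksize *)
 allowed_hosts = [];
 dos_prevention = true;
- drop_privilege = true;
 on_server_run = (fun _ _ -> ());
 on_server_close = (fun _ -> ());
 get = handle_get;
@@ -759,10 +757,6 @@ let spec_args name =
 ServerArg.func ServerArg.unit (fun o () -> { o with backtrace = false }),
 "", (sprintf "Disable backtrace printout for server exceptions" (*default_options.backtrace*));
- p"no-drop-privilege",
- ServerArg.func ServerArg.unit (fun o () -> { o with drop_privilege = false }),
- "", (sprintf "Disable the drop of privilege on server start" (*default_options.drop_privilege*));
-
 p"ssl-cert",
 ServerArg.func ServerArg.string (fun o s -> { o with ssl_cert = s }),
 "<file>", (sprintf "Location of your SSL certificate (requires ssl-key) (default:'%s')" default_options.ssl_cert);
@@ -826,7 +820,6 @@ let make (name:string) (opt:options) (sched:Scheduler.t) : t =
 #<If>Logger.debug "HttpServer.make: name=%s addr=%s port=%d ssl_cert=%s" name opt.addr opt.port opt.ssl_cert#<End>;
 let _ = Lazy.force m2 in
 Hashtbl.add options name opt;
- (*if opt.drop_privilege then Systools.change_user ();*)
 let secure_mode = Network.secure_mode_from_params (make_ssl_cert opt) (make_ssl_verify opt) in
 let addr = Unix.inet_addr_of_string opt.addr in
 let server_info = HSCm.make_server_info addr opt.port (opt.ssl_cert <> "") in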
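--- a/libnet/smtpServer.ml
+++ b/libnet/smtpServer.ml
@@ -31,7 +31,6 @@ type t = SCC.t
 type options =
 { opt_addr: string;
 opt_port: int;
- opt_drop_privilege: bool;
 opt_ssl_cert : string;
 opt_ssl_key : string;
 opt_ssl_pass : string;
@@ -58,7 +57,6 @@ let handle_email { SCC.from=_from; dests=_dests; body=_body } =
 let default_options =
 { opt_addr = "0.0.0.0";
 opt_port = 2525;
- opt_drop_privilege = true;
 opt_ssl_cert = "";
 opt_ssl_key = "";
 opt_ssl_pass = "";
@@ -90,10 +88,6 @@ let spec_args name =
 ServerArg.func ServerArg.unit (fun o () -> { o with opt_dos_prevention = false }),
 "", "Disable the built-in protection against Denial-of-Service attacks";*)
- p"no-drop-privilege",
- ServerArg.func ServerArg.unit (fun o () -> { o with opt_drop_privilege = false }),
- "", "Disable the drop of privilege on server start";
-
 p"ssl-cert",
 ServerArg.func ServerArg.string (fun o s -> { o with opt_ssl_cert = s }),
 "<file>", "Location of your SSL certificate (requires ssl-key)";
@@ -147,7 +141,6 @@ let handle_expand = function
 | _ -> [(551,"User not local")]
 let make (_name:string) (opt:options) (_sched:Scheduler.t) : t =
- if opt.opt_drop_privilege then Systools.change_user ();
 let secure_mode = Network.secure_mode_from_params (make_ssl_cert opt) (make_ssl_verify opt) in
 let runtime = { SCC.rt_plim = 128;
 rt_dialog_name = opt.opt_dialog;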
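--- a/libtools.mllib
+++ b/libtools.mllib
@@ -1,3 +1,2 @@
-libtools/Systools
 libtools/Process
 libtools/ProcessUtils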
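--- a/libtools/systools.ml
+++ b/libtools/systools.ml
@@ -1,101 +0,0 @@
-(*
- Copyright © 2011 MLstate
-
- This file is part of OPA.
-
- OPA is free software: you can redistribute it and/or modify it under the
- terms of the GNU Affero General Public License, version 3, as published by
- the Free Software Foundation.
-
- OPA is distributed in the hope that it will be useful, but WITHOUT ANY
- WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
- FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for
- more details.
-
- You should have received a copy of the GNU Affero General Public License
- along with OPA. If not, see <http://www.gnu.org/licenses/>.
-*)
-module S = ServerArg
-
-(* module DropPrivileges : Runtime.COMPONENT = *)
-(* struct *)
-(* type options = { *)
-(* stay_root:bool; *)
-(* user:string; *)
-(* group:string; *)
-(* } *)
-(* type t = unit *)
-
-(* let name = "Drop privileges" *)
-(* let version = "1.0" *)
-(* let default_options = { *)
-(* stay_root = true; *)
-(* user = ""; *)
-(* group = "" *)
-(* } (\* TODO *\) *)
-
-(* let spec_args = *)
-(* [ *)
-(* ["--stay_root"], *)
-(* S.func S.bool (fun opt b -> {opt with stay_root = b}), *)
-(* "", "TODO" *)
-(* (\* TODO *\) *)
-(* ] *)
-
-(* let ports = [] *)
-(* let make opt pi = *)
-(* let _ = opt, pi in *)
-(* () *)
-
-(* let run _ sch = *)
-(* let _ = sch in *)
-(* (\* TODO base en change_user fun below *\) *)
-(* () *)
-
-(* let close _ _ = () *)
-(* end *)
-
-let change_user () =
- if (Unix.geteuid ()) <> 0 then ()
- else
- begin
- let get_arg ref_str =
- let res =
- Array.fold_left (
- fun accu opt ->
- if fst accu then (false, (Some opt))
- else if ref_str = opt then (true, (snd accu))
- else accu
- ) (false, None) Sys.argv
- in snd res
- in
- let get_id pattern getter =
- match get_arg pattern with
- | Some value ->
- begin try int_of_string value with
- | Failure _ -> (try getter value with | Not_found | Unix.Unix_error _ -> -1)
- end
- | _ -> -1
- in
- let stay_root = Array.fold_left (fun acc s -> acc || s = "--stay-root") false Sys.argv in
- if stay_root then Logger.warning "Warning: Be careful with the --stay-root flag !\n%!"
- else (
- let user =
- let id = get_id "--user" (fun user -> (Unix.getpwnam user).Unix.pw_uid) in
- if id >= 0 then id else 33 (* uid for www-data under linux systems? *)
- in
- let group =
- let id =
- let tmp_grp = get_id "--group" (fun group -> (Unix.getgrnam group).Unix.gr_gid) in
- if user <> -1 && tmp_grp = -1 then
- get_id "--user" (fun user -> (Unix.getpwnam user).Unix.pw_gid)
- else tmp_grp
- in
- if id >= 0 then id else 33 (* guid for www-data under linux systems? *)
- in
- (* let () = File.iter_dir_rec ~showdir:true (fun ~name:_ ~path -> Unix.chown path user group) (Lazy.force File.mlstate_dir) in *)
- let () = try Unix.setgid group; Logger.notice "[+] setting gid to %d%!" group with Unix.Unix_error _ -> () in
- let () = try Unix.setuid user; Logger.notice "[+] setting uid to %d%!" user with Unix.Unix_error _ -> () in
- ()
- )
- end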
