1 /* $NetBSD: main.c,v 1.2 2017/01/28 21:31:44 christos Exp $ */ 2 3 /* 4 * Copyright (c) 1997-2005 Kungliga Tekniska Hgskolan 5 * (Royal Institute of Technology, Stockholm, Sweden). 6 * All rights reserved. 7 * 8 * Portions Copyright (c) 2009 Apple Inc. All rights reserved. 9 * 10 * Redistribution and use in source and binary forms, with or without 11 * modification, are permitted provided that the following conditions 12 * are met: 13 * 14 * 1. Redistributions of source code must retain the above copyright 15 * notice, this list of conditions and the following disclaimer. 16 * 17 * 2. Redistributions in binary form must reproduce the above copyright 18 * notice, this list of conditions and the following disclaimer in the 19 * documentation and/or other materials provided with the distribution. 20 * 21 * 3. Neither the name of the Institute nor the names of its contributors 22 * may be used to endorse or promote products derived from this software 23 * without specific prior written permission. 24 * 25 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 26 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 27 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 28 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 29 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 30 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 31 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 32 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 33 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 34 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 35 * SUCH DAMAGE. 36 */ 37 38 #include "kdc_locl.h" 39 #ifdef HAVE_UTIL_H 40 #include <util.h> 41 #endif 42 43 #ifdef HAVE_CAPNG 44 #include <cap-ng.h> 45 #endif 46 47 sig_atomic_t exit_flag = 0; 48 49 int detach_from_console = -1; 50 int daemon_child = -1; 51 int do_bonjour = -1; 52 53 static RETSIGTYPE 54 sigchld(int sig) 55 { 56 } 57 58 static RETSIGTYPE 59 sigterm(int sig) 60 { 61 exit_flag = sig; 62 } 63 64 /* 65 * Allow dropping root bit, since heimdal reopens the database all the 66 * time the database needs to be owned by the user you are switched 67 * too. A better solution is to split the kdc in to more processes and 68 * run the network facing part with very low privilege. 69 */ 70 71 static void 72 switch_environment(void) 73 { 74 #ifdef HAVE_GETEUID 75 if ((runas_string || chroot_string) && geteuid() != 0) 76 errx(1, "no running as root, can't switch user/chroot"); 77 78 if (chroot_string) { 79 if (chroot(chroot_string)) 80 err(1, "chroot(%s) failed", chroot_string); 81 if (chdir("/")) 82 err(1, "chdir(/) after chroot failed"); 83 } 84 85 if (runas_string) { 86 struct passwd *pw; 87 88 pw = getpwnam(runas_string); 89 if (pw == NULL) 90 errx(1, "unknown user %s", runas_string); 91 92 if (initgroups(pw->pw_name, pw->pw_gid) < 0) 93 err(1, "initgroups failed"); 94 95 #ifndef HAVE_CAPNG 96 if (setgid(pw->pw_gid) < 0) 97 err(1, "setgid(%s) failed", runas_string); 98 99 if (setuid(pw->pw_uid) < 0) 100 err(1, "setuid(%s)", runas_string); 101 #else 102 capng_clear (CAPNG_EFFECTIVE | CAPNG_PERMITTED); 103 if (capng_updatev (CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, 104 CAP_NET_BIND_SERVICE, CAP_SETPCAP, -1) < 0) 105 err(1, "capng_updateev"); 106 107 if (capng_change_id(pw->pw_uid, pw->pw_gid, 108 CAPNG_CLEAR_BOUNDING) < 0) 109 err(1, "capng_change_id(%s)", runas_string); 110 #endif 111 } 112 #endif 113 } 114 115 int 116 main(int argc, char **argv) 117 { 118 krb5_error_code ret; 119 krb5_context context; 120 krb5_kdc_configuration *config; 121 int optidx = 0; 122 123 setprogname(argv[0]); 124 125 ret = krb5_init_context(&context); 126 if (ret == KRB5_CONFIG_BADFORMAT) 127 errx (1, "krb5_init_context failed to parse configuration file"); 128 else if (ret) 129 errx (1, "krb5_init_context failed: %d", ret); 130 131 ret = krb5_kt_register(context, &hdb_get_kt_ops); 132 if (ret) 133 errx (1, "krb5_kt_register(HDB) failed: %d", ret); 134 135 config = configure(context, argc, argv, &optidx); 136 137 #ifdef HAVE_SIGACTION 138 { 139 struct sigaction sa; 140 141 sa.sa_flags = 0; 142 sa.sa_handler = sigterm; 143 sigemptyset(&sa.sa_mask); 144 145 sigaction(SIGINT, &sa, NULL); 146 sigaction(SIGTERM, &sa, NULL); 147 #ifdef SIGXCPU 148 sigaction(SIGXCPU, &sa, NULL); 149 #endif 150 151 #ifdef SIGCHLD 152 sa.sa_handler = sigchld; 153 sigaction(SIGCHLD, &sa, NULL); 154 #endif 155 156 sa.sa_handler = SIG_IGN; 157 #ifdef SIGPIPE 158 sigaction(SIGPIPE, &sa, NULL); 159 #endif 160 } 161 #else 162 signal(SIGINT, sigterm); 163 signal(SIGTERM, sigterm); 164 #ifdef SIGCHLD 165 signal(SIGCHLD, sigchld); 166 #endif 167 #ifdef SIGXCPU 168 signal(SIGXCPU, sigterm); 169 #endif 170 #ifdef SIGPIPE 171 signal(SIGPIPE, SIG_IGN); 172 #endif 173 #endif 174 rk_pidfile(NULL); 175 176 switch_environment(); 177 178 start_kdc(context, config, argv[0]); 179 krb5_free_context(context); 180 return 0; 181 } 182
Indexes created Sun Mar 01 05:31:48 UTC 2026