Implement <security:runasuser> and <security:runasgroup> - allows for set(g|u)id to drop privs after starting, which can be useful for people who want to bind privileged ports without exposing their anus to a giant cucumber.

git-svn-id: http://svn.inspircd.org/repository/trunk/inspircd@10682 e03df62e-2008-0410-955e-edbf42e46eb7

1 files changed, 51 insertions, 0 deletions

diff --git a/src/inspircd.cpp b/src/inspircd.cpp
index 463f9d82f..9a64331b5 100644
--- a/src/inspircd.cpp
+++ b/src/inspircd.cpp
@@ -35,6 +35,9 @@
 	#include <stdlib.h>
 	#include <crtdbg.h>
 	#endif
+
+	#include <pwd.h> // setuid
+	#include <grp.h> // setgid
 #endif
 
 #include <fstream>
@@ -726,6 +729,54 @@ InspIRCd::InspIRCd(int argc, char** argv)
 
 	Logs->Log("STARTUP", DEFAULT, "Startup complete as '%s'[%s], %d max open sockets", Config->ServerName,Config->GetSID().c_str(), SE->GetMaxFds());
 
+#ifndef WIN32
+	if (*(this->Config->SetUser))
+	{
+		// setuid
+		struct passwd *u;
+
+		errno = 0;
+		u = getpwnam(this->Config->SetUser);
+
+		if (!u)
+		{
+			this->Logs->Log("SETGUID", DEFAULT, "getpwnam() failed (bad user?): %s", strerror(errno));
+			this->QuickExit(0);
+		}
+
+		int ret = setuid(u->pw_uid);
+
+		if (ret == -1)
+		{
+			this->Logs->Log("SETGUID", DEFAULT, "setuid() failed (bad user?): %s", strerror(errno));
+			this->QuickExit(0);
+		}
+	}
+
+	if (*(this->Config->SetGroup))
+	{
+		// setgid
+		struct group *g;
+
+		errno = 0;
+		g = getgrnam(this->Config->SetGroup);
+
+		if (!g)
+		{
+			this->Logs->Log("SETGUID", DEFAULT, "getgrnam() failed (bad user?): %s", strerror(errno));
+			this->QuickExit(0);
+		}
+
+		int ret = setgid(g->gr_gid);
+
+		if (ret == -1)
+		{
+			this->Logs->Log("SETGUID", DEFAULT, "setgid() failed (bad user?): %s", strerror(errno));
+			this->QuickExit(0);
+		}
+	}
+#endif
+
 	this->WritePID(Config->PID);
 }