diff options
3 files changed, 80 insertions, 0 deletions
diff --git a/package/network/services/lldpd/Config.in b/package/network/services/lldpd/Config.in index a416490425..448506d047 100644 --- a/package/network/services/lldpd/Config.in +++ b/package/network/services/lldpd/Config.in @@ -1,6 +1,11 @@ menu "Configuration" depends on PACKAGE_lldpd +config LLDPD_WITH_PRIVSEP + bool + default y + prompt "Enable privilege separation (run lldpd with a chrooted 'lldp' user)" + config LLDPD_WITH_CDP bool default y diff --git a/package/network/services/lldpd/Makefile b/package/network/services/lldpd/Makefile index ff367f1c3e..d80840e4cb 100644 --- a/package/network/services/lldpd/Makefile +++ b/package/network/services/lldpd/Makefile @@ -85,9 +85,11 @@ define Package/lldpd/conffiles endef CONFIGURE_ARGS += \ + $(if $(CONFIG_LLDPD_WITH_PRIVSEP), \ --with-privsep-user=lldp \ --with-privsep-group=lldp \ --with-privsep-chroot=/var/run/lldp \ + ,--disable-privsep) \ --with-readline=no \ --with-embedded-libevent=no \ $(if $(CONFIG_LLDPD_WITH_CDP),,--disable-cdp) \ diff --git a/package/network/services/lldpd/patches/001-priv-don-t-lookup-for-_lldpd-when-privsep-is-disable.patch b/package/network/services/lldpd/patches/001-priv-don-t-lookup-for-_lldpd-when-privsep-is-disable.patch new file mode 100644 index 0000000000..907c21b685 --- /dev/null +++ b/package/network/services/lldpd/patches/001-priv-don-t-lookup-for-_lldpd-when-privsep-is-disable.patch @@ -0,0 +1,73 @@ +From 28bf40220840c277d70ed66f6d58729ebb975de8 Mon Sep 17 00:00:00 2001 +From: Vincent Bernat <vincent@bernat.im> +Date: Thu, 12 Feb 2015 08:07:43 +0100 +Subject: [PATCH] priv: don't lookup for _lldpd when privsep is disabled + +Closes #95 +--- + src/daemon/lldpd.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/src/daemon/lldpd.c b/src/daemon/lldpd.c +index f868fc7..6a3a160 100644 +--- a/src/daemon/lldpd.c ++++ b/src/daemon/lldpd.c +@@ -1335,11 +1335,13 @@ lldpd_main(int argc, char *argv[], char *envp[]) + int receiveonly = 0; + int ctl; + ++#ifdef ENABLE_PRIVSEP + /* Non privileged user */ + struct passwd *user; + struct group *group; + uid_t uid; + gid_t gid; ++#endif + + saved_argv = argv; + +@@ -1493,12 +1495,14 @@ lldpd_main(int argc, char *argv[], char *envp[]) + log_debug("main", "lldpd starting..."); + + /* Grab uid and gid to use for priv sep */ ++#ifdef ENABLE_PRIVSEP + if ((user = getpwnam(PRIVSEP_USER)) == NULL) + fatal("main", "no " PRIVSEP_USER " user for privilege separation"); + uid = user->pw_uid; + if ((group = getgrnam(PRIVSEP_GROUP)) == NULL) + fatal("main", "no " PRIVSEP_GROUP " group for privilege separation"); + gid = group->gr_gid; ++#endif + + /* Create and setup socket */ + int retry = 1; +@@ -1526,12 +1530,14 @@ lldpd_main(int argc, char *argv[], char *envp[]) + log_warn("main", "unable to create control socket"); + fatalx("giving up"); + } ++#ifdef ENABLE_PRIVSEP + if (chown(ctlname, uid, gid) == -1) + log_warn("main", "unable to chown control socket"); + if (chmod(ctlname, + S_IRUSR | S_IWUSR | S_IXUSR | + S_IRGRP | S_IWGRP | S_IXGRP) == -1) + log_warn("main", "unable to chmod control socket"); ++#endif + + /* Disable SIGPIPE */ + signal(SIGPIPE, SIG_IGN); +@@ -1576,7 +1582,11 @@ lldpd_main(int argc, char *argv[], char *envp[]) + } + + log_debug("main", "initialize privilege separation"); ++#ifdef ENABLE_PRIVSEP + priv_init(PRIVSEP_CHROOT, ctl, uid, gid); ++#else ++ priv_init(PRIVSEP_CHROOT, ctl, 0, 0); ++#endif + + /* Initialization of global configuration */ + if ((cfg = (struct lldpd *) +-- +2.1.2 + |