aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--package/network/services/lldpd/Config.in5
-rw-r--r--package/network/services/lldpd/Makefile2
-rw-r--r--package/network/services/lldpd/patches/001-priv-don-t-lookup-for-_lldpd-when-privsep-is-disable.patch73
3 files changed, 80 insertions, 0 deletions
diff --git a/package/network/services/lldpd/Config.in b/package/network/services/lldpd/Config.in
index a416490425..448506d047 100644
--- a/package/network/services/lldpd/Config.in
+++ b/package/network/services/lldpd/Config.in
@@ -1,6 +1,11 @@
menu "Configuration"
depends on PACKAGE_lldpd
+config LLDPD_WITH_PRIVSEP
+ bool
+ default y
+ prompt "Enable privilege separation (run lldpd with a chrooted 'lldp' user)"
+
config LLDPD_WITH_CDP
bool
default y
diff --git a/package/network/services/lldpd/Makefile b/package/network/services/lldpd/Makefile
index ff367f1c3e..d80840e4cb 100644
--- a/package/network/services/lldpd/Makefile
+++ b/package/network/services/lldpd/Makefile
@@ -85,9 +85,11 @@ define Package/lldpd/conffiles
endef
CONFIGURE_ARGS += \
+ $(if $(CONFIG_LLDPD_WITH_PRIVSEP), \
--with-privsep-user=lldp \
--with-privsep-group=lldp \
--with-privsep-chroot=/var/run/lldp \
+ ,--disable-privsep) \
--with-readline=no \
--with-embedded-libevent=no \
$(if $(CONFIG_LLDPD_WITH_CDP),,--disable-cdp) \
diff --git a/package/network/services/lldpd/patches/001-priv-don-t-lookup-for-_lldpd-when-privsep-is-disable.patch b/package/network/services/lldpd/patches/001-priv-don-t-lookup-for-_lldpd-when-privsep-is-disable.patch
new file mode 100644
index 0000000000..907c21b685
--- /dev/null
+++ b/package/network/services/lldpd/patches/001-priv-don-t-lookup-for-_lldpd-when-privsep-is-disable.patch
@@ -0,0 +1,73 @@
+From 28bf40220840c277d70ed66f6d58729ebb975de8 Mon Sep 17 00:00:00 2001
+From: Vincent Bernat <vincent@bernat.im>
+Date: Thu, 12 Feb 2015 08:07:43 +0100
+Subject: [PATCH] priv: don't lookup for _lldpd when privsep is disabled
+
+Closes #95
+---
+ src/daemon/lldpd.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/src/daemon/lldpd.c b/src/daemon/lldpd.c
+index f868fc7..6a3a160 100644
+--- a/src/daemon/lldpd.c
++++ b/src/daemon/lldpd.c
+@@ -1335,11 +1335,13 @@ lldpd_main(int argc, char *argv[], char *envp[])
+ int receiveonly = 0;
+ int ctl;
+
++#ifdef ENABLE_PRIVSEP
+ /* Non privileged user */
+ struct passwd *user;
+ struct group *group;
+ uid_t uid;
+ gid_t gid;
++#endif
+
+ saved_argv = argv;
+
+@@ -1493,12 +1495,14 @@ lldpd_main(int argc, char *argv[], char *envp[])
+ log_debug("main", "lldpd starting...");
+
+ /* Grab uid and gid to use for priv sep */
++#ifdef ENABLE_PRIVSEP
+ if ((user = getpwnam(PRIVSEP_USER)) == NULL)
+ fatal("main", "no " PRIVSEP_USER " user for privilege separation");
+ uid = user->pw_uid;
+ if ((group = getgrnam(PRIVSEP_GROUP)) == NULL)
+ fatal("main", "no " PRIVSEP_GROUP " group for privilege separation");
+ gid = group->gr_gid;
++#endif
+
+ /* Create and setup socket */
+ int retry = 1;
+@@ -1526,12 +1530,14 @@ lldpd_main(int argc, char *argv[], char *envp[])
+ log_warn("main", "unable to create control socket");
+ fatalx("giving up");
+ }
++#ifdef ENABLE_PRIVSEP
+ if (chown(ctlname, uid, gid) == -1)
+ log_warn("main", "unable to chown control socket");
+ if (chmod(ctlname,
+ S_IRUSR | S_IWUSR | S_IXUSR |
+ S_IRGRP | S_IWGRP | S_IXGRP) == -1)
+ log_warn("main", "unable to chmod control socket");
++#endif
+
+ /* Disable SIGPIPE */
+ signal(SIGPIPE, SIG_IGN);
+@@ -1576,7 +1582,11 @@ lldpd_main(int argc, char *argv[], char *envp[])
+ }
+
+ log_debug("main", "initialize privilege separation");
++#ifdef ENABLE_PRIVSEP
+ priv_init(PRIVSEP_CHROOT, ctl, uid, gid);
++#else
++ priv_init(PRIVSEP_CHROOT, ctl, 0, 0);
++#endif
+
+ /* Initialization of global configuration */
+ if ((cfg = (struct lldpd *)
+--
+2.1.2
+