Rev 294: make sure the ctdb control socket is secure in
http://samba.org/~tridge/ctdb
tridge at samba.org
tridge at samba.org
Sat May 12 23:20:17 GMT 2007
------------------------------------------------------------
revno: 294
revision-id: tridge at samba.org-20070512232016-fdj2opy995c536bs
parent: tridge at samba.org-20070512112526-9t4ruf7033dstx0u
committer: Andrew Tridgell <tridge at samba.org>
branch nick: tridge
timestamp: Sun 2007-05-13 09:20:16 +1000
message:
make sure the ctdb control socket is secure
modified:
common/ctdb_daemon.c ctdb_daemon.c-20070409200331-3el1kqgdb9m4ib0g-1
=== modified file 'common/ctdb_daemon.c'
--- a/common/ctdb_daemon.c 2007-05-12 11:25:26 +0000
+++ b/common/ctdb_daemon.c 2007-05-12 23:20:16 +0000
@@ -600,10 +600,15 @@
ctdb->daemon.sd = socket(AF_UNIX, SOCK_STREAM, 0);
if (ctdb->daemon.sd == -1) {
- ctdb->daemon.sd = -1;
return -1;
}
+ if (fchown(ctdb->daemon.sd, geteuid(), getegid()) != 0 ||
+ fchmod(ctdb->daemon.sd, 0700) != 0) {
+ DEBUG(0,("Unable to secure ctdb socket '%s', ctdb->daemon.name\n"));
+ goto failed;
+ }
+
set_non_blocking(ctdb->daemon.sd);
memset(&addr, 0, sizeof(addr));
@@ -611,13 +616,20 @@
strncpy(addr.sun_path, ctdb->daemon.name, sizeof(addr.sun_path));
if (bind(ctdb->daemon.sd, (struct sockaddr *)&addr, sizeof(addr)) == -1) {
- close(ctdb->daemon.sd);
- ctdb->daemon.sd = -1;
- return -1;
+ DEBUG(0,("Unable to bind on ctdb socket '%s', ctdb->daemon.name\n"));
+ goto failed;
}
- listen(ctdb->daemon.sd, 1);
+ if (listen(ctdb->daemon.sd, 10) != 0) {
+ DEBUG(0,("Unable to listen on ctdb socket '%s', ctdb->daemon.name\n"));
+ goto failed;
+ }
return 0;
+
+failed:
+ close(ctdb->daemon.sd);
+ ctdb->daemon.sd = -1;
+ return -1;
}
/*
More information about the samba-cvs
mailing list