Drop privileges.

master
Nicolas Favre-Felix 14 years ago
parent a8bccb4d40
commit 03af4425dc

@ -24,12 +24,12 @@ curl -d "GET/hello" http://127.0.0.1:7379/
* Restricted commands by IP range (CIDR subnet + mask) or HTTP Basic Auth, returning 403 errors. * Restricted commands by IP range (CIDR subnet + mask) or HTTP Basic Auth, returning 403 errors.
* Possible Redis authentication in the config file. * Possible Redis authentication in the config file.
* Pub/Sub using `Transfer-Encoding: chunked`, works with JSONP as well. Webdis can be used as a Comet server. * Pub/Sub using `Transfer-Encoding: chunked`, works with JSONP as well. Webdis can be used as a Comet server.
* Drop privileges on startup.
# Ideas, TODO... # Ideas, TODO...
* Add meta-data info per key (MIME type in a second key, for instance). * Add meta-data info per key (MIME type in a second key, for instance).
* Support PUT, DELETE, HEAD, OPTIONS? How? For which commands? * Support PUT, DELETE, HEAD, OPTIONS? How? For which commands?
* MULTI/EXEC/DISCARD/WATCH are disabled at the moment; find a way to use them. * MULTI/EXEC/DISCARD/WATCH are disabled at the moment; find a way to use them.
* Drop privileges on startup.
* Add logs. * Add logs.
* Support POST of raw Redis protocol data, and execute the whole thing. This could be useful for MULTI/EXEC transactions. * Support POST of raw Redis protocol data, and execute the whole thing. This could be useful for MULTI/EXEC transactions.
* Enrich config file: * Enrich config file:

@ -3,6 +3,9 @@
#include <string.h> #include <string.h>
#include <ctype.h> #include <ctype.h>
#include <arpa/inet.h> #include <arpa/inet.h>
#include <unistd.h>
#include <pwd.h>
#include <grp.h>
#include <jansson.h> #include <jansson.h>
#include <evhttp.h> #include <evhttp.h>
@ -27,6 +30,8 @@ conf_read(const char *filename) {
conf->redis_port = 6379; conf->redis_port = 6379;
conf->http_host = strdup("0.0.0.0"); conf->http_host = strdup("0.0.0.0");
conf->http_port = 7379; conf->http_port = 7379;
conf->user = getuid();
conf->group = getgid();
j = json_load_file(filename, 0, &error); j = json_load_file(filename, 0, &error);
if(!j) { if(!j) {
@ -51,6 +56,16 @@ conf_read(const char *filename) {
conf->http_port = (short)json_integer_value(jtmp); conf->http_port = (short)json_integer_value(jtmp);
} else if(strcmp(json_object_iter_key(kv), "acl") == 0 && json_typeof(jtmp) == JSON_ARRAY) { } else if(strcmp(json_object_iter_key(kv), "acl") == 0 && json_typeof(jtmp) == JSON_ARRAY) {
conf->perms = conf_parse_acls(jtmp); conf->perms = conf_parse_acls(jtmp);
} else if(strcmp(json_object_iter_key(kv), "user") == 0 && json_typeof(jtmp) == JSON_STRING) {
struct passwd *u;
if((u = getpwnam(json_string_value(jtmp)))) {
conf->user = u->pw_uid;
}
} else if(strcmp(json_object_iter_key(kv), "group") == 0 && json_typeof(jtmp) == JSON_STRING) {
struct group *g;
if((g = getgrnam(json_string_value(jtmp)))) {
conf->group = g->gr_gid;
}
} }
} }
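Review bot: An unknown name in the new `"user"` and `"group"` branches is silently ignored. When `getpwnam()` or `getgrnam()` returns NULL, `conf->user` and `conf->group` keep their `getuid()`/`getgid()` defaults, so a typo in the config leaves a root-started server running as root with no message. Treat a failed lookup as a configuration error, for example `else { fprintf(stderr, "Unknown user: %s\n", json_string_value(jtmp)); exit(EXIT_FAILURE); }`, and do the same for the group. When only `"user"` is configured the starting gid is kept, so consider `conf->group = u->pw_gid;` in that case, unless a group is also given. conf_read starts and ends outside these hunks, so the right way to fail there may differ from `exit()`.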

@ -1,16 +1,25 @@
#ifndef CONF_H #ifndef CONF_H
#define CONF_H #define CONF_H
#include <sys/types.h>
struct conf { struct conf {
/* connection to Redis */
char *redis_host; char *redis_host;
short redis_port; short redis_port;
char *redis_auth; char *redis_auth;
/* HTTP server interface */
char *http_host; char *http_host;
short http_port; short http_port;
/* ACL */
struct acl *perms; struct acl *perms;
/* user/group */
uid_t user;
gid_t group;
}; };
struct conf * struct conf *
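Review bot: The `/* user/group */` comment on the new `uid_t user; gid_t group;` fields does not say what the ids are used for or what they default to. Going by the other files in this commit, something like `/* uid/gid the server switches to after binding; default to the ids of the starting process */` would spare the reader a lookup in conf.c and server.c.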

@ -6,6 +6,7 @@
#include <hiredis/adapters/libevent.h> #include <hiredis/adapters/libevent.h>
#include <jansson.h> #include <jansson.h>
#include <unistd.h>
#include <signal.h> #include <signal.h>
#include <string.h> #include <string.h>
@ -141,6 +142,10 @@ server_start(struct server *s) {
evhttp_bind_socket(s->http, s->cfg->http_host, s->cfg->http_port); evhttp_bind_socket(s->http, s->cfg->http_host, s->cfg->http_port);
evhttp_set_gencb(s->http, on_request, s); evhttp_set_gencb(s->http, on_request, s);
/* drop privileges */
setuid(s->cfg->user);
setgid(s->cfg->group);
/* attach hiredis to libevent base */ /* attach hiredis to libevent base */
webdis_connect(s); webdis_connect(s);
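Review bot: The drop in server_start calls `setuid()` before `setgid()`. When the process starts as root with a non-root user configured, the uid is already unprivileged by the time `setgid()` runs, so the group change fails and the original gid stays in place. Neither return value is checked and supplementary groups are never reset, so the server keeps serving with whatever it could not shed. Clear supplementary groups while still root, then set the gid, then the uid, and stop on any failure. `setgroups()` is declared in `<grp.h>` and `exit()` in `<stdlib.h>`; whether server.c includes them is not visible here. server_start begins and ends outside the hunk, so exiting in the excerpt below is an assumption about how failure should be reported.

```c
	evhttp_set_gencb(s->http, on_request, s);

	/* drop privileges: supplementary groups first, then gid, then uid */
	if(geteuid() == 0 && setgroups(1, &s->cfg->group) != 0) {
		exit(EXIT_FAILURE);
	}
	if(setgid(s->cfg->group) != 0 || setuid(s->cfg->user) != 0) {
		/* never keep serving with privileges that were meant to be dropped */
		exit(EXIT_FAILURE);
	}

	/* … unchanged: attach hiredis to libevent base, webdis_connect(s) … */
```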
