commit ccb77ceafb744dca40e9602ec1ee6cd63f4a45f4 Author: David Fifield david@bamsoftware.com Date: Sat Jun 1 20:49:27 2013 -0700
Add --privdrop-user option to allow dropping privileges. --- facilitator/facilitator | 28 ++++++++++++++++++++-------- facilitator/facilitator-email-poller | 34 +++++++++++++++++++++++----------- facilitator/facilitator-reg-daemon | 28 ++++++++++++++++++++-------- 3 files changed, 63 insertions(+), 27 deletions(-)
diff --git a/facilitator/facilitator b/facilitator/facilitator
index b1f761b..cd3473a 100755
--- a/facilitator/facilitator
+++ b/facilitator/facilitator
@@ -34,6 +34,7 @@ class options(object):
 relay_spec = None
 daemonize = True
 pid_filename = None
+ privdrop_username = None
 safe_logging = True
@staticmethod
@@ -47,13 +48,14 @@ Usage: %(progname)s -r RELAY <OPTIONS> Flash proxy facilitator: Register client addresses and serve them out again. Listen on 127.0.0.1 and port PORT (by default %(port)d).
- -d, --debug don't daemonize, log to stdout.
- -h, --help show this help.
- -l, --log FILENAME write log to FILENAME (default "%(log)s").
- -p, --port PORT listen on PORT (by default %(port)d).
- --pidfile FILENAME write PID to FILENAME after daemonizing.
- -r, --relay RELAY send RELAY (host:port) to proxies as the relay to use.
- --unsafe-logging don't scrub IP addresses from logs.\
+ -d, --debug don't daemonize, log to stdout.
+ -h, --help show this help.
+ -l, --log FILENAME write log to FILENAME (default "%(log)s").
+ -p, --port PORT listen on PORT (by default %(port)d).
+ --pidfile FILENAME write PID to FILENAME after daemonizing.
+ --privdrop-user USER switch UID and GID to those of USER.
+ -r, --relay RELAY send RELAY (host:port) to proxies as the relay to use.
+ --unsafe-logging don't scrub IP addresses from logs.\
 """ % {
 "progname": sys.argv[0],
 "port": DEFAULT_LISTEN_PORT,
@@ -326,7 +328,7 @@ def put_reg(reg):
def main():
 opts, args = getopt.gnu_getopt(sys.argv[1:], "dhl:p:r:",
- ["debug", "help", "log=", "port=", "pidfile=", "relay=", "unsafe-logging"])
+ ["debug", "help", "log=", "port=", "pidfile=", "privdrop-user=", "relay=", "unsafe-logging"])
 for o, a in opts:
 if o == "-d" or o == "--debug":
 options.daemonize = False
@@ -340,6 +342,8 @@ def main():
 options.listen_port = int(a)
 elif o == "--pidfile":
 options.pid_filename = a
+ elif o == "--privdrop-user":
+ options.privdrop_username = a
 elif o == "-r" or o == "--relay":
 try:
 options.set_relay_spec(a)
@@ -380,6 +384,14 @@ The -r option is required. Give it the relay that will be sent to proxies.
 f.close()
 sys.exit(0)
+ if options.privdrop_username is not None:
+ log(u"dropping privileges to those of user %s" % options.privdrop_username)
+ try:
+ fac.drop_privs(options.privdrop_username)
+ except BaseException, e:
+ print >> sys.stderr, "Can't drop privileges:", str(e)
+ sys.exit(1)
+
 try:
 server.serve_forever()
 except KeyboardInterrupt:
diff --git a/facilitator/facilitator-email-poller b/facilitator/facilitator-email-poller
index 349a1fe..6b5dd60 100755
--- a/facilitator/facilitator-email-poller
+++ b/facilitator/facilitator-email-poller
@@ -72,6 +72,7 @@ class options(object):
 log_file = sys.stdout
 daemonize = True
 pid_filename = None
+ privdrop_username = None
 safe_logging = True
 imaplib_debug = False
 use_certificate_pin = True
@@ -94,16 +95,17 @@ Facilitator-side helper for the facilitator-reg-email rendezvous. Polls an IMAP server for email messages with client registrations, deletes them, and forwards the registrations to the facilitator.
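Review bot: The failure path of the privilege-drop block added to main() in facilitator/facilitator reports only to sys.stderr, yet the block sits after the daemonize step (the `f.close()` / `sys.exit(0)` context directly above it), so a daemonized run may exit without the operator seeing why; whether stderr is still attached at that point is not visible in the hunk. Sending the message through the existing logger as well, e.g. `log(u"can't drop privileges: %s" % str(e))` before `sys.exit(1)`, would leave a record in the log file. `except BaseException, e:` also catches KeyboardInterrupt and SystemExit; `except Exception, e:` is enough to keep the fail-closed exit. The identical block is added to facilitator-email-poller and facilitator-reg-daemon, so the same applies there, and the three copies could share one helper; main() starts and ends outside the hunk.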
- -d, --debug don't daemonize, log to stdout.
- --disable-pin don't check server public key against a known pin.
- -e, --email=ADDRESS log in as ADDRESS (default "%(email_addr)s").
- -h, --help show this help.
- -i, --imap=HOST[:PORT] use the given IMAP server (default "%(imap_addr)s").
- --imaplib-debug show raw IMAP messages (will include email password).
- -l, --log FILENAME write log to FILENAME (default "%(log)s").
- -p, --pass=PASSFILE use the email password contained in PASSFILE.
- --pidfile FILENAME write PID to FILENAME after daemonizing.
- --unsafe-logging don't scrub email password and IP addresses from logs.\
+ -d, --debug don't daemonize, log to stdout.
+ --disable-pin don't check server public key against a known pin.
+ -e, --email=ADDRESS log in as ADDRESS (default "%(email_addr)s").
+ -h, --help show this help.
+ -i, --imap=HOST[:PORT] use the given IMAP server (default "%(imap_addr)s").
+ --imaplib-debug show raw IMAP messages (will include email password).
+ -l, --log FILENAME write log to FILENAME (default "%(log)s").
+ -p, --pass=PASSFILE use the email password contained in PASSFILE.
+ --pidfile FILENAME write PID to FILENAME after daemonizing.
+ --privdrop-user USER switch UID and GID to those of USER.
+ --unsafe-logging don't scrub email password and IP addresses from logs.\
 """ % {
 "progname": sys.argv[0],
 "email_addr": DEFAULT_EMAIL_ADDRESS,
@@ -125,7 +127,7 @@ def log(msg):
 options.email_addr = DEFAULT_EMAIL_ADDRESS
 options.imap_addr = (DEFAULT_IMAP_HOST, DEFAULT_IMAP_PORT)
-opts, args = getopt.gnu_getopt(sys.argv[1:], "de:hi:l:p:", ["debug", "disable-pin", "email=", "help", "imap=", "imaplib-debug", "log=", "pass=", "pidfile=", "unsafe-logging"])
+opts, args = getopt.gnu_getopt(sys.argv[1:], "de:hi:l:p:", ["debug", "disable-pin", "email=", "help", "imap=", "imaplib-debug", "log=", "pass=", "pidfile=", "privdrop-user=", "unsafe-logging"])
 for o, a in opts:
 if o == "-d" or o == "--debug":
 options.daemonize = False
@@ -147,6 +149,8 @@ for o, a in opts:
 options.password_filename = a
 elif o == "--pidfile":
 options.pid_filename = a
+ elif o == "--privdrop-user":
+ options.privdrop_username = a
 elif o == "--unsafe-logging":
 options.safe_logging = False
@@ -191,6 +195,14 @@ if options.daemonize:
 f.close()
 sys.exit(0)
+if options.privdrop_username is not None:
+ log(u"dropping privileges to those of user %s" % options.privdrop_username)
+ try:
+ fac.drop_privs(options.privdrop_username)
+ except BaseException, e:
+ print >> sys.stderr, "Can't drop privileges:", str(e)
+ sys.exit(1)
+
 if options.imaplib_debug:
 imaplib.Debug = 4
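Review bot: The guarantees of `fac.drop_privs` are not documented at this call site, and the helper itself is not part of this commit, while the new help text promises only "switch UID and GID to those of USER". It is worth confirming that the helper also clears the supplementary groups inherited from root and changes the GID before the UID; if it does not, the process would keep those group memberships after the switch. A short comment above the call, e.g. `# drop_privs clears supplementary groups, then sets GID, then UID; no privileged work after this line`, would make that contract reviewable from here once it has been checked against the helper.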
diff --git a/facilitator/facilitator-reg-daemon b/facilitator/facilitator-reg-daemon
index a935650..b250e71 100755
--- a/facilitator/facilitator-reg-daemon
+++ b/facilitator/facilitator-reg-daemon
@@ -35,6 +35,7 @@ class options(object):
 log_file = sys.stdout
 daemonize = True
 pid_filename = None
+ privdrop_username = None
 safe_logging = True
def usage(f = sys.stdout):
@@ -45,13 +46,14 @@ registrations and registers them with a local facilitator. This program exists on its own in order to isolate the reading of key material in a single process.
- -d, --debug don't daemonize, log to stdout.
- -h, --help show this help.
- -k, --key=KEYFILE read the private key from KEYFILE (required).
- -l, --log FILENAME write log to FILENAME (default "%(log)s").
- -p, --port PORT listen on PORT (by default %(port)d).
- --pidfile FILENAME write PID to FILENAME after daemonizing.
- --unsafe-logging don't scrub email password and IP addresses from logs.\
+ -d, --debug don't daemonize, log to stdout.
+ -h, --help show this help.
+ -k, --key=KEYFILE read the private key from KEYFILE (required).
+ -l, --log FILENAME write log to FILENAME (default "%(log)s").
+ -p, --port PORT listen on PORT (by default %(port)d).
+ --pidfile FILENAME write PID to FILENAME after daemonizing.
+ --privdrop-user USER switch UID and GID to those of USER.
+ --unsafe-logging don't scrub email password and IP addresses from logs.\
 """ % {
 "progname": sys.argv[0],
 "log": DEFAULT_LOG_FILENAME,
@@ -134,7 +136,7 @@ class Server(SocketServer.ThreadingMixIn, SocketServer.TCPServer):
 def main():
 global rsa
- opts, args = getopt.gnu_getopt(sys.argv[1:], "dhk:l:p:", ["debug", "help", "key=", "log=", "port=", "pidfile=", "unsafe-logging"])
+ opts, args = getopt.gnu_getopt(sys.argv[1:], "dhk:l:p:", ["debug", "help", "key=", "log=", "port=", "pidfile=", "privdrop-user=", "unsafe-logging"])
 for o, a in opts:
 if o == "-d" or o == "--debug":
 options.daemonize = False
@@ -150,6 +152,8 @@ def main():
 options.listen_port = int(a)
 elif o == "--pidfile":
 options.pid_filename = a
+ elif o == "--privdrop-user":
+ options.privdrop_username = a
 elif o == "--unsafe-logging":
 options.safe_logging = False
@@ -198,6 +202,14 @@ def main():
 f.close()
 sys.exit(0)
+ if options.privdrop_username is not None:
+ log(u"dropping privileges to those of user %s" % options.privdrop_username)
+ try:
+ fac.drop_privs(options.privdrop_username)
+ except BaseException, e:
+ print >> sys.stderr, "Can't drop privileges:", str(e)
+ sys.exit(1)
+
 try:
 server.serve_forever()
 except KeyboardInterrupt:
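Review bot: The position of the added privilege drop relative to the reading of KEYFILE is not documented in facilitator-reg-daemon's main(), and that order decides who must be able to read the private key. If the key is loaded earlier in main() (not visible in this hunk), the file can stay readable by root only; if it is loaded after the drop, USER needs read access to it, which weakens the isolation the usage text describes. Once the order is confirmed, a comment above the block such as `# KEYFILE is read before this point, so it can stay root-only` would pin it. The same ordering question applies to PASSFILE in facilitator-email-poller; main() starts and ends outside the hunk.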