[Date Prev][Date Next] [Chronological] [Thread] [Top]

jail(2) support to OpenLDAP

To: openldap-devel@OpenLDAP.org
Subject: jail(2) support to OpenLDAP
From: "Oni (Paolo Meschi)" <paolo.meschi@gmail.com>
Date: Sun, 15 Jan 2006 20:48:56 +0100
Content-disposition: inline
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition; b=rGnlw543HTvg2lPy4ruNaILBRwIxWI/I2YOr76v49BNpIHIl/vVL+hJHwWnl/LJDd9q1vO4/unIEb8vuRlborWQ5fJXEqXPYxv4SzioaE5FDY1jlj4O1RVKz7GQnbYnFhOBsNJYc9N8qWC93Y4l5cNwG4OAk5cvtInMNj8XVdqI=

I wrote a patch that add the BSD jail(2) support to slapd(8), you can
find it at this address:

http://www.paolomeschi.com/patches/openldap/openldap-jail.patch

Any comments would be appreciated,

Paolo.

(A copy of this mail has been sent to the OpenLDAP ITS as software enhancement)

I attach down here a copy of the patch:
----------------------------------------------------------------------------------------------------------------

	Copyright 2006 Paolo Meschi <paolo.meschi@gmail.com>

	Redistribution and use in source and binary forms, with or
	without modification, are permitted only as authorized by
	the OpenLDAP Public License.

diff -rNu openldap/configure openldap-jail-patch/configure
--- openldap/configure	2006-01-10 04:07:51.000000000 +0100
+++ openldap-jail-patch/configure	2006-01-15 19:16:12.000000000 +0100
@@ -43391,6 +43391,7 @@
 	gettimeofday	\
 	initgroups		\
 	inet_ntoa_b		\
+	jail			\
 	lockf			\
 	memcpy			\
 	memmove			\
diff -rNu openldap/configure.in openldap-jail-patch/configure.in
--- openldap/configure.in	2006-01-10 04:07:58.000000000 +0100
+++ openldap-jail-patch/configure.in	2006-01-15 19:15:19.000000000 +0100
@@ -2572,6 +2572,7 @@
 	gettimeofday	\
 	initgroups		\
 	inet_ntoa_b		\
+	jail			\
 	lockf			\
 	memcpy			\
 	memmove			\
diff -rNu openldap/include/portable.hin openldap-jail-patch/include/portable.hin
--- openldap/include/portable.hin	2006-01-10 04:07:58.000000000 +0100
+++ openldap-jail-patch/include/portable.hin	2006-01-15 19:40:28.000000000 +0100
@@ -298,6 +298,9 @@
 /* Define to 1 if you have the <io.h> header file. */
 #undef HAVE_IO_H

+/* Define to 1 if you have the `jail' function. */
+#undef HAVE_JAIL
+
 /* define if you have Kerberos */
 #undef HAVE_KERBEROS

diff -rNu openldap/servers/slapd/main.c openldap-jail-patch/servers/slapd/main.c
--- openldap/servers/slapd/main.c	2006-01-03 23:12:14.000000000 +0100
+++ openldap-jail-patch/servers/slapd/main.c	2006-01-15 19:13:57.000000000 +0100
@@ -39,6 +39,10 @@
 #include "lutil.h"
 #include "ldif.h"

+#ifdef HAVE_JAIL
+#include <sys/jail.h>
+#endif
+
 #ifdef LDAP_SLAPI
 #include "slapi/slapi.h"
 #endif
@@ -291,6 +295,11 @@
 		"\t-g group\tGroup (id or name) to run as\n"
 #endif
 		"\t-h URLs\t\tList of URLs to serve\n"
+#ifdef HAVE_JAIL
+		"\t-H hostname\tHostname to jail to\n"
+		"\t-i IP\t\tIP address to jail to\n"
+		"\t-j directory\tSandbox directory to jail to\n"
+#endif
 #ifdef LOG_LOCAL4
 		"\t-l facility\tSyslog facility (default: LOCAL4)\n"
 #endif
@@ -334,6 +343,9 @@
 #if defined(HAVE_CHROOT)
 	char *sandbox = NULL;
 #endif
+#ifdef HAVE_JAIL
+	struct jail j = { 0, NULL, NULL, 0 };
+#endif
 #ifdef LOG_LOCAL4
 	int syslogUser = DEFAULT_SYSLOG_USER;
 #endif
@@ -429,6 +441,9 @@
 #ifdef HAVE_CHROOT
 				"r:"
 #endif
+#ifdef HAVE_JAIL
+				"i:j:H:"
+#endif
 #ifdef LDAP_SYSLOG
 				"S:"
 #endif
@@ -569,6 +584,25 @@
 			break;
 #endif

+#ifdef HAVE_JAIL
+		case 'j':
+			if( j.path ) free( j.path );
+			j.path = ch_strdup( optarg );
+			break;
+		case 'i':
+			if( ( j.ip_number = ntohl( inet_addr( optarg ) ) )  ==  INADDR_NONE ) {
+				fprintf( stderr, "invalid ip\n" );
+				usage( argv[0] );
+				rc = 1;
+				goto stop;
+			}
+			break;
+		case 'H':
+			if( j.hostname ) free( j.hostname );
+			j.hostname = ch_strdup( optarg );
+			break;
+#endif
+
 #if defined(HAVE_SETUID) && defined(HAVE_SETGID)
 		case 'u':	/* user name */
 			if( username ) free(username);
@@ -665,6 +699,46 @@
 		goto stop;
 	}

+#if defined(HAVE_JAIL)
+	if ( j.hostname && j.path && ( j.ip_number != 0 ) ) {
+#if defined(HAVE_CHROOT)
+		if( sandbox ) {
+			fprintf( stderr, "can't both chroot and jail\n" );
+			rc = 1;
+			goto stop;
+		}
+#endif /* HAVE_CHROOT */
+		if( chdir( j.path ) ) {
+			perror("chdir");
+			rc = 1;
+			goto stop;
+		}
+		j.version = 0;
+		if( jail( &j ) == -1 ) {
+			fprintf( stderr, "jail failed\n" );
+			perror("jail");
+			rc = 1;
+			goto stop;
+		}
+		if( chroot( "/" ) ) {
+			fprintf( stderr, "can't chroot to \"/\" after jail\n" );
+			perror("chroot");
+			rc = 1;
+			goto stop;
+		}
+	} else if( j.hostname || j.path || ( j.ip_number != 0 ) ) {
+		if( !j.hostname )
+			fprintf( stderr, "missing jail hostname\n" );
+		if( !j.path )
+			fprintf( stderr, "missing jail path\n" );
+		if( j.ip_number == 0 )
+			fprintf( stderr, "missing jail ip number\n" );
+		usage( argv[0] );
+		rc = 1;
+		goto stop;
+	}
+#endif
+
 #if defined(HAVE_CHROOT)
 	if ( sandbox ) {
 		if ( chdir( sandbox ) ) {

Follow-Ups:
- Re: jail(2) support to OpenLDAP
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>

Prev by Date: ITS#4247
Next by Date: [Fwd: (ITS#4337) inserting a bdb instance]
Index(es):
- Chronological
- Thread