Zhang Huangbin avatar Zhang Huangbin committed 13031d7

New parameter: run_as_user. Used to force running iRedAPD as a low privileged user. Thanks rizkiwicaksono@forum.


Files changed (7)

+iRedAPD-1.3.3:
+    * New parameter: run_as_user. Used to force running iRedAPD as a low
+      privileged user. Thanks rizkiwicaksono@forum.
+
 iRedAPD-1.3.2:
     * Fix bypassing whitelisted sender issue in plugin:
       block_amavisd_blacklisted_senders. Thanks HoHo for his report.
 Please read installation guide here:
 
 - For OpenLDAP backend:
-  http://www.iredmail.org/iredapd_installation.html
+  http://www.iredmail.org/wiki/index.php?title=Install/iRedAPD/OpenLDAP
 
 - For MySQL backend:
   http://www.iredmail.org/wiki/index.php?title=Install/iRedAPD/MySQL
+* Add creating user steps in installation guide.
+* Merge code of src/iredapd{-rr}.py

etc/iredapd-rr.ini.sample

 listen_addr     = 127.0.0.1
 listen_port     = 7778
 
+# Run as a low privileged user.
+# If you don't want to create one, you can try 'nobody'.
+run_as_user     = iredapd
+
 # Background/daemon mode: yes, no.
 # Detach iredapd from terminal. Enable when you're happy
 # that things are working as expected.

etc/iredapd.ini.sample

 listen_addr     = 127.0.0.1
 listen_port     = 7777
 
+# Run as a low privileged user.
+# If you don't want to create one, you can try 'nobody'.
+run_as_user     = iredapd
+
 # Background/daemon mode: yes, no.
 # Detach iredapd from terminal. It's recommended to always running as daemon.
 run_as_daemon   = yes

src/iredapd-rr.py

 import os
 import os.path
 import sys
+import pwd
 import ConfigParser
 import socket
 import asyncore
     # Set umask.
     os.umask(0077)
 
-    # Chroot in current directory.
-    try:
-        os.chdir(os.path.abspath(os.path.dirname(__file__)))
-    except:
-        pass
-
     # Get listen address/port.
     listen_addr = cfg.get('general', 'listen_addr', '127.0.0.1')
     listen_port = int(cfg.get('general', 'listen_port', '7777'))
     if run_as_daemon == 'yes':
         daemon.daemonize()
 
+    # Run as a low privileged user.
+    run_as_user = cfg.get('general', 'run_as_user', 'nobody')
+    uid = pwd.getpwnam(run_as_user)[2]
+
     try:
         # Write pid number into pid file.
         f = open(cfg.get('general', 'pid_file', '/var/run/iredapd.pid'), 'w')
         f.write(str(os.getpid()))
         f.close()
 
+        # Set uid.
+        os.setuid(uid)
+
         # Starting loop.
         asyncore.loop()
     except KeyboardInterrupt:
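Review bot: `os.setuid(uid)` at the end of the second hunk drops only the user id, so the daemon keeps root's primary group and supplementary groups, and because setgid cannot be called once the uid has changed, the group drop has to happen before it. Read the gid from the same pwd entry where `uid` is taken, then call `os.setgroups([])` (or `os.initgroups(run_as_user, gid)` where the interpreter provides it) and `os.setgid(gid)` immediately before `os.setuid(uid)`. `pwd.getpwnam` raises KeyError when `run_as_user` does not exist, which here surfaces as an unhandled traceback after `daemon.daemonize()` has presumably detached from the terminal; a short `except KeyError:` that logs the user name and exits would make the misconfiguration visible. The same change applies to the header-less Python section below, which appears to be the merged src/iredapd.py copy of this code. The enclosing function starts and ends outside both hunks.
```python
    # Run as a low privileged user.
    run_as_user = cfg.get('general', 'run_as_user', 'nobody')
    pw = pwd.getpwnam(run_as_user)
    uid, gid = pw.pw_uid, pw.pw_gid

    # … unchanged: pid file written before privileges are dropped …

        # Drop group ids first: setgid is no longer possible after setuid.
        os.setgroups([])
        os.setgid(gid)
        os.setuid(uid)
```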
 import os
 import os.path
 import sys
+import pwd
 import ConfigParser
 import socket
 import asyncore
     # Set umask.
     os.umask(0077)
 
-    # Chroot in current directory.
-    try:
-        os.chdir(os.path.abspath(os.path.dirname(__file__)))
-    except:
-        pass
-
     # Get listen address/port.
     listen_addr = cfg.get('general', 'listen_addr', '127.0.0.1')
     listen_port = int(cfg.get('general', 'listen_port', '7777'))
     if run_as_daemon == 'yes':
         daemon.daemonize()
 
+    # Run as a low privileged user.
+    run_as_user = cfg.get('general', 'run_as_user', 'nobody')
+    uid = pwd.getpwnam(run_as_user)[2]
+
     try:
         # Write pid number into pid file.
         f = open(cfg.get('general', 'pid_file', '/var/run/iredapd.pid'), 'w')
         f.write(str(os.getpid()))
         f.close()
 
+        # Set uid.
+        os.setuid(uid)
+
         # Starting loop.
         asyncore.loop()
     except KeyboardInterrupt: