Create /var/run/<process>.pid to play nicers with the start scripts

Need to start ipa_webgui as root and drop privs in order to write in /var/run
2025-02-25 18:55:28 -06:00 · 2008-02-06 11:02:05 -05:00 · 2008-02-06 11:02:05 -05:00 · 217019e9de
commit 217019e9de
parent ef5b4391de
3 changed files with 36 additions and 5 deletions
--- a/ipa-server/ipa-gui/ipa_webgui
+++ b/ipa-server/ipa-gui/ipa_webgui
@ -17,7 +17,7 @@
 # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
 #

-import os, sys
+import os, sys, pwd, grp
 from optparse import OptionParser
 import ipa.config
 import traceback
@ -119,6 +119,27 @@ def main():
            sys.stderr.write("error becoming daemon: " + str(e))
            sys.exit(1)

+    # Drop privileges and write our pid file only if we're running as root
+    if os.getuid() == 0:
+        # Write out our pid file
+        pidfile = open("/var/run/ipa_webgui.pid", "w")
+        pidfile.write(str(os.getpid()))
+        pidfile.close()
+
+        # Drop privs
+        apache_uid = pwd.getpwnam("apache")[2]
+        apache_gid = grp.getgrnam("apache")[2]
+
+        try:
+            os.setgid(apache_gid)
+        except OSError, e:
+            log.error("Could not set effective group id: %s" % e)
+
+        try:
+            os.setuid(apache_uid)
+        except OSError, e:
+            log.error("Could not set effective user id: %s" % e)
+
    sys.path.append("/usr/share/ipa")

    # this must be after sys.path is changed to work correctly
--- a/ipa-server/ipa-gui/ipa_webgui.init
+++ b/ipa-server/ipa-gui/ipa_webgui.init
@ -30,7 +30,7 @@ RUNAS="apache"

 start() {
 	echo -n $"Starting $NAME: "
-	daemon --user $RUNAS $PROG
+	daemon $PROG
 	RETVAL=$?
 	echo
 	[ $RETVAL -eq 0 ] && touch /var/lock/subsys/ipa_webgui || \
--- a/ipa-server/ipa-kpasswd/ipa_kpasswd.c
+++ b/ipa-server/ipa-kpasswd/ipa_kpasswd.c
@ -1110,7 +1110,7 @@ int main(int argc, char *argv[])
 	/* do not keep any fs busy */
 	ret = chdir("/");
 	if (ret == -1) {
-		syslog(LOG_ERR, "Unable to chage dir to '/'");
+		syslog(LOG_ERR, "Unable to change dir to '/'");
 		exit(-1);
 	}

@ -1126,8 +1126,8 @@ int main(int argc, char *argv[])

 	/* new session */
 	setsid();
-	/* close std* descriptors */

+	/* close std* descriptors */
 	close(0);
 	close(1);
 	close(2);
@ -1142,7 +1142,7 @@ int main(int argc, char *argv[])
 		exit(0);
 	}

-	/* source evn vars */
+	/* source env vars */
 	env = getenv("KRB5_KTNAME");
 	if (!env) {
 		env = DEFAULT_KEYTAB;
@ -1167,6 +1167,16 @@ int main(int argc, char *argv[])
 		exit(1);
 	}

+	/* Write out the pid file after the sigterm handler */
+	FILE *f = fopen("/var/run/ipa_kpasswd.pid", "w");
+	if (f == NULL) {
+		syslog(LOG_ERR,"Couldn't create pid file /var/run/ipa_kpasswd.pid: %s", strerror(errno));
+		exit(1);
+	} else {
+		fprintf(f, "%ld\n", (long) getpid());
+		fclose(f);
+	}
+
 	tai = ai;
 	nfds = 0;
 	/* we can have a maximum of 4 sockets (IPv4/IPv6(TCP/UDP)) */