$Log$
+ Revision 590.25 2001/12/30 05:50:46 error
+ * Security: Citadel now drops privileges when called from telnetd, also
+ checks to make sure you didn't set the setuid/setgid bits. No more
+ loginwrapper.sh!
+
Revision 590.24 2001/12/29 05:19:32 ajc
* Minor cosmetic hack
Fri Jul 10 1998 Art Cancro <ajc@uncensored.citadel.org>
* Initial CVS import
-
int stored_password = 0;
char password[SIZ];
+ /* Permissions sanity check - don't run citadel setuid/setgid */
+ if (getuid() != geteuid()) {
+ fprintf(stderr, "Please do not run citadel setuid!\n");
+ logoff(3);
+ } else if (getgid() != getegid()) {
+ fprintf(stderr, "Please do not run citadel setgid!\n");
+ logoff(3);
+ }
+
sttybbs(SB_SAVE); /* Store the old terminal parameters */
load_command_set(); /* parse the citadel.rc file */
sttybbs(SB_NO_INTR); /* Install the new ones */
argc = shift(argc, argv, a, 2);
}
if (!strcmp(argv[a], "-p")) {
+ struct stat st;
+
+ if (chdir(BBSDIR) < 0) {
+ perror("can't change to " BBSDIR);
+ logoff(3);
+ }
+
+ /*
+ * Drop privileges if necessary. We stat
+ * citadel.config to get the uid/gid since it's
+ * guaranteed to have the uid/gid we want.
+ */
+ if (!getuid() || !getgid()) {
+ if (stat(BBSDIR "/citadel.config", &st) < 0) {
+ perror("couldn't stat citadel.config");
+ logoff(3);
+ }
+ if (!getgid() && (setgid(st.st_gid) < 0)) {
+ perror("couldn't change gid");
+ logoff(3);
+ }
+ if (!getuid() && (setuid(st.st_uid) < 0)) {
+ perror("couldn't change uid");
+ logoff(3);
+ }
+ /*
+ printf("Privileges changed to uid %d gid %d\n",
+ getuid(), getgid());
+ */
+ }
argc = shift(argc, argv, a, 1);
}
}
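Review bot: The privilege drop in the `-p` branch takes its target uid/gid from the ownership of citadel.config without rejecting 0, so if that file happens to be root-owned (easy to do when setup is run as root) `setuid(0)` succeeds, nothing is dropped, and citadel keeps running as root for the whole telnet session; add `if (!st.st_uid || !st.st_gid) { fprintf(stderr, "citadel.config must not be owned by root\n"); logoff(3); }` directly after the stat. The supplementary group list inherited from telnetd/inetd is also never cleared, so `setgroups(0, NULL);` (declared in `<grp.h>` on glibc) belongs before the `setgid` call, otherwise the process can retain root's group memberships after the uid/gid change. The setgid-before-setuid order and the checked return values are correct as written. The enclosing argument-parsing loop starts before and ends after this hunk.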
If you normally log in to your host system using some method other than
telnet (such as ssh), you might want the telnet service to go straight to
the Citadel BBS, instead of displaying the "login:" prompt first. You can
-do this using the "loginwrapper.sh" wrapper program.
+do this by having telnetd start citadel directly instead of /bin/login.
+
+ An example for inetd:
- telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd -L /usr/local/citadel/loginwrapper.sh
-
+ telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd -L /usr/local/citadel/citadel
+
+ An example for xinetd:
+
+ service telnet
+ {
+ flags = REUSE
+ socket_type = stream
+ wait = no
+ user = root
+ server = /usr/sbin/in.telnetd
+ server_args = -L /usr/local/citadel/citadel
+ log_on_failure += USERID
+ disable = no
+ }
+
Please make sure you know what you're doing before you install this!