[Chilli] uid and gid not working

Daniel Berteaud daniel at firewall-services.com
Mon May 3 06:55:20 UTC 2010


Thanks, I'll try this ASAP.

Regards, Daniel.

On Monday, 3 May 2010 at 08:52 +0200, David Bird wrote:
> Hi Daniel, See the subversion repo for some changes with regard to
> uid/gid handling. Chilli will chown() the config.bin file
> appropriately. 
> 
> On Fri, 2010-04-30 at 09:33 +0200, David Bird wrote:
> > Thanks, will review before putting out 1.2.3. 
> > 
> > The use of the binary configuration file comes from the desire to split
> > off the "parsing and resolving" of the configuration file from the main
> > chilli server. Previously, when chilli re-read its configuration
> > (either from HUP or --interval), it would stall the main loop (meaning,
> > all traffic stops) while rereading the configuration - which involves
> > DNS lookups, etc. Now, chilli server kicks off the command line util
> > chilli_opt for configuration file parsing, resolving, and writing to a
> > binary file, which chilli server (and other chilli_* servers) can reread
> > with no waiting. It is also possible to run chilli_opt yourself and give
> > chilli the SIGUSR1 to have it reread the binary configuration. 
> > 
> > David
> > 
> > On Thu, 2010-04-29 at 08:40 +0200, Daniel Berteaud wrote:
> > > Hi.
> > > 
> > > I use coova-chilli 1.0.13 on my server, with uid and gid options to
> > > limit the privileges (I'm not very fond of publicly accessible
> > > daemons with root privileges). It's working, even if I get the following
> > > message in the log when I start chilli:
> > > 
> > > coova-chilli[11928]: chilli.c: 3766: 1 (Operation not permitted)
> > > setgid(460) failed while running with gid = 0
> > > 
> > > So it seems that dropping uid works but not gid
> > > 
> > > I've tried with coova-chilli 1.2.2, but now uid and gid don't work at
> > > all because chilli generates the binary configuration in /tmp/chilli-XXX
> > > and this directory is 700 root:root
> > > 
> > > Are the uid/gid options not supported anymore?
> > > 
> > > And why does chilli now use this binary config file in /tmp?
> > > 
> > > Regards, Daniel
> > > 
> > 
> > 
> 
> 

-- 
Daniel Berteaud
FIREWALL-SERVICES SARL.
Free Software Services Company
Technopôle Montesquieu
33650 MARTILLAC
Tel : 05 56 64 15 32
Fax : 05 56 64 15 32
Mail: daniel at firewall-services.com
Web : http://www.firewall-services.com
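
Added example, not code from coova-chilli or from either poster: a privilege drop in the order that avoids an EPERM from setgid(), with the chown() of a root-created file done before root is given up. The helper name `drop_privileges` and the command-line form are hypothetical, and the ordering shown is general POSIX practice, not a diagnosis of chilli.c.

```c
#define _DEFAULT_SOURCE
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper (not chilli's code): give cfg_path (may be NULL) to the
 * service account, then drop root for good. Returns 0 on success, -1 on error. */
int drop_privileges(uid_t uid, gid_t gid, const char *cfg_path)
{
    /* Already running entirely as the target account: nothing to drop. */
    if (getuid() == uid && geteuid() == uid &&
        getgid() == gid && getegid() == gid)
        return 0;
    /* 1. Root-only work first; after setuid() this chown() would get EPERM.
     *    The directory holding the file must also be searchable by uid/gid. */
    if (cfg_path && chown(cfg_path, uid, gid) != 0) { perror("chown"); return -1; }
    /* 2. Replace root's supplementary groups with the target group only. */
    if (setgroups(1, &gid) != 0) { perror("setgroups"); return -1; }
    /* 3. Group before user: setgid() to another gid needs the privilege that
     *    setuid() to a non-root uid gives up. */
    if (setgid(gid) != 0) { perror("setgid"); return -1; }
    /* 4. Sets real, effective and saved uid when called as root. */
    if (setuid(uid) != 0) { perror("setuid"); return -1; }
    /* 5. Verify: root must not be recoverable and all ids must match. */
    if (uid != 0 && (setuid(0) == 0 || seteuid(0) == 0)) {
        fprintf(stderr, "root can still be regained\n");
        return -1;
    }
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid)
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    if (argc < 3) {
        fprintf(stderr, "usage: %s UID GID [FILE]\n", argv[0]);
        return 2;
    }
    uid_t uid = (uid_t)strtoul(argv[1], NULL, 10);
    gid_t gid = (gid_t)strtoul(argv[2], NULL, 10);
    if (drop_privileges(uid, gid, argc > 3 ? argv[3] : NULL) != 0)
        return 1;
    printf("now uid=%d gid=%d\n", (int)getuid(), (int)getgid());
    return 0;
}
```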


