annotate src/lib/restrict-access.h @ 9147:c002187195bd HEAD

Added restrict_get_groups_list() for easily getting list of process's groups.
author Timo Sirainen <tss@iki.fi>
date Sun, 21 Jun 2009 23:30:42 -0400
parents c9381a0fdc5e
children
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
6410
e4eb71ae8e96 Changed .h ifdef/defines to use <NAME>_H format.
Timo Sirainen <tss@iki.fi>
parents: 3863
diff changeset
1 #ifndef RESTRICT_ACCESS_H
e4eb71ae8e96 Changed .h ifdef/defines to use <NAME>_H format.
Timo Sirainen <tss@iki.fi>
parents: 3863
diff changeset
2 #define RESTRICT_ACCESS_H
0
3b1985cbc908 Initial revision
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
3
3b1985cbc908 Initial revision
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
4 /* set environment variables so they can be read with
7341
af998ae4254b Replaced mail_extra_groups setting with mail_privileged_group and
Timo Sirainen <tss@iki.fi>
parents: 7109
diff changeset
5 restrict_access_by_env(). If privileged_gid != (gid_t)-1,
af998ae4254b Replaced mail_extra_groups setting with mail_privileged_group and
Timo Sirainen <tss@iki.fi>
parents: 7109
diff changeset
6 the privileged GID can be temporarily enabled/disabled. */
af998ae4254b Replaced mail_extra_groups setting with mail_privileged_group and
Timo Sirainen <tss@iki.fi>
parents: 7109
diff changeset
7 void restrict_access_set_env(const char *user, uid_t uid,
af998ae4254b Replaced mail_extra_groups setting with mail_privileged_group and
Timo Sirainen <tss@iki.fi>
parents: 7109
diff changeset
8 gid_t gid, gid_t privileged_gid,
1506
e7c627bacaaf Allow first_valid_gid to be 0. Drop any supplementary groups not in valid
Timo Sirainen <tss@iki.fi>
parents: 1271
diff changeset
9 const char *chroot_dir,
2141
8690d2000e33 Added mail_extra_groups setting.
Timo Sirainen <tss@iki.fi>
parents: 1506
diff changeset
10 gid_t first_valid_gid, gid_t last_valid_gid,
8690d2000e33 Added mail_extra_groups setting.
Timo Sirainen <tss@iki.fi>
parents: 1506
diff changeset
11 const char *extra_groups);
0
3b1985cbc908 Initial revision
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
12
801
86224ff16bf6 Drop root privileges earlier. Close syslog more later in imap-master when
Timo Sirainen <tss@iki.fi>
parents: 0
diff changeset
13 /* chroot, setuid() and setgid() based on environment variables.
86224ff16bf6 Drop root privileges earlier. Close syslog more later in imap-master when
Timo Sirainen <tss@iki.fi>
parents: 0
diff changeset
14 If disallow_roots is TRUE, we'll kill ourself if we didn't have the
7109
e6823d781317 Reverted "environment array" changes. It broke overriding imap/pop3 settings
Timo Sirainen <tss@iki.fi>
parents: 7091
diff changeset
15 environment settings and we have root uid or gid. */
e6823d781317 Reverted "environment array" changes. It broke overriding imap/pop3 settings
Timo Sirainen <tss@iki.fi>
parents: 7091
diff changeset
16 void restrict_access_by_env(bool disallow_root);
0
3b1985cbc908 Initial revision
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
17
8798
c9381a0fdc5e Improved logging for core dumping. With Linux use PR_SET_DUMPABLE for imap/pop3.
Timo Sirainen <tss@iki.fi>
parents: 7341
diff changeset
18 /* Try to set up the process in a way that core dumps are still allowed
c9381a0fdc5e Improved logging for core dumping. With Linux use PR_SET_DUMPABLE for imap/pop3.
Timo Sirainen <tss@iki.fi>
parents: 7341
diff changeset
19 after calling restrict_access_by_env(). */
c9381a0fdc5e Improved logging for core dumping. With Linux use PR_SET_DUMPABLE for imap/pop3.
Timo Sirainen <tss@iki.fi>
parents: 7341
diff changeset
20 void restrict_access_allow_coredumps(bool allow);
c9381a0fdc5e Improved logging for core dumping. With Linux use PR_SET_DUMPABLE for imap/pop3.
Timo Sirainen <tss@iki.fi>
parents: 7341
diff changeset
21
7341
af998ae4254b Replaced mail_extra_groups setting with mail_privileged_group and
Timo Sirainen <tss@iki.fi>
parents: 7109
diff changeset
22 /* If privileged_gid was set, these functions can be used to temporarily
af998ae4254b Replaced mail_extra_groups setting with mail_privileged_group and
Timo Sirainen <tss@iki.fi>
parents: 7109
diff changeset
23 gain access to the group. */
af998ae4254b Replaced mail_extra_groups setting with mail_privileged_group and
Timo Sirainen <tss@iki.fi>
parents: 7109
diff changeset
24 int restrict_access_use_priv_gid(void);
af998ae4254b Replaced mail_extra_groups setting with mail_privileged_group and
Timo Sirainen <tss@iki.fi>
parents: 7109
diff changeset
25 void restrict_access_drop_priv_gid(void);
af998ae4254b Replaced mail_extra_groups setting with mail_privileged_group and
Timo Sirainen <tss@iki.fi>
parents: 7109
diff changeset
26 /* Returns TRUE if privileged GID exists for this process. */
af998ae4254b Replaced mail_extra_groups setting with mail_privileged_group and
Timo Sirainen <tss@iki.fi>
parents: 7109
diff changeset
27 bool restrict_access_have_priv_gid(void);
af998ae4254b Replaced mail_extra_groups setting with mail_privileged_group and
Timo Sirainen <tss@iki.fi>
parents: 7109
diff changeset
28
9147
c002187195bd Added restrict_get_groups_list() for easily getting list of process's groups.
Timo Sirainen <tss@iki.fi>
parents: 8798
diff changeset
29 gid_t *restrict_get_groups_list(unsigned int *gid_count_r);
c002187195bd Added restrict_get_groups_list() for easily getting list of process's groups.
Timo Sirainen <tss@iki.fi>
parents: 8798
diff changeset
30
0
3b1985cbc908 Initial revision
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
31 #endif