.\" ========================================================================
.\"
.IX Title "swtpm 8"
-.TH swtpm 8 "2015-12-20" "swtpm" ""
+.TH swtpm 8 "2015-12-26" "swtpm" ""
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.IX Item "--pid file=<pidfile>"
This options allows to set the name of file where the process \s-1ID \s0(pid) of the \s-1TPM\s0
will be written into.
+.IP "\fB\-r|\-\-runas <owner>\fR" 4
+.IX Item "-r|--runas <owner>"
+Switch to the given user. This option can only be used when swtpm is started as root.
.IP "\fB\-h|\-\-help\fR" 4
.IX Item "-h|--help"
Display usage info.
This options allows to set the name of file where the process ID (pid) of the TPM
will be written into.
+=item B<-r|--runas E<lt>ownerE<gt>>
+
+Switch to the given user. This option can only be used when swtpm is started as root.
+
=item B<-h|--help>
Display usage info.
#include "swtpm_nvfile.h"
#include "tpmlib.h"
#include "main.h"
+#include "utils.h"
/* maximum size of request buffer */
#define TPM_REQ_MAX 4096
" : set the directory where the TPM's state will be written\n"
" into; the TPM_PATH environment variable can be used\n"
" instead\n"
+"-r|--runas <user> : after creating the CUSE device, change to the given\n"
+" user\n"
""
"-h|--help : display this help screen and terminate\n"
"\n";
static void ptm_init_done(void *userdata)
{
struct cuse_param *param = userdata;
- struct passwd *passwd = NULL;
+ int ret;
/* at this point the entry in /dev/ is available */
if (pidfile_write(getpid()) < 0) {
}
if (param->runas) {
- passwd = getpwnam(param->runas);
- if (!passwd) {
- logprintf(STDERR_FILENO,
- "Error: User '%s' does not exist.\n",
- param->runas);
- exit(-14);
- }
- if (initgroups(passwd->pw_name, passwd->pw_gid) < 0) {
- logprintf(STDERR_FILENO,
- "Error: initgroups(%s, %d) failed.\n",
- passwd->pw_name, passwd->pw_gid);
- exit(-10);
- }
- if (setgid(passwd->pw_gid) < 0) {
- logprintf(STDERR_FILENO,
- "Error: setgid(%d) failed.\n",
- passwd->pw_gid);
- exit(-11);
- }
- if (setuid(passwd->pw_uid) < 0) {
- logprintf(STDERR_FILENO,
- "Error: setuid(%d) failed.\n",
- passwd->pw_uid);
- exit(-12);
- }
+ ret = change_process_owner(param->runas);
+ if (ret)
+ exit(ret);
}
}
" : set the directory where the TPM's state will be written\n"
" into; the TPM_PATH environment variable can be used\n"
" instead\n"
+ "-r|--runas <user>: change to the given user\n"
"-h|--help : display this help screen and terminate\n"
"\n",
prgname, iface);
char *logdata = NULL;
char *piddata = NULL;
char *tpmstatedata = NULL;
+ char *runas = NULL;
#ifdef DEBUG
time_t start_time;
#endif
{"help" , no_argument, 0, 'h'},
{"port" , required_argument, 0, 'p'},
{"fd" , required_argument, 0, 'f'},
+ {"runas" , required_argument, 0, 'r'},
{"terminate" , no_argument, 0, 't'},
{"log" , required_argument, 0, 'l'},
{"key" , required_argument, 0, 'k'},
};
while (TRUE) {
- opt = getopt_long(argc, argv, "dhp:f:t", longopts, &longindex);
+ opt = getopt_long(argc, argv, "dhp:f:tr:", longopts, &longindex);
if (opt == -1)
break;
usage(stdout, prgname, iface);
exit(EXIT_SUCCESS);
+ case 'r':
+ runas = optarg;
+ break;
+
default:
usage(stderr, prgname, iface);
exit(EXIT_FAILURE);
}
}
+ /* change process ownership before accessing files */
+ if (runas) {
+ if (change_process_owner(runas) < 0)
+ return EXIT_FAILURE;
+ }
+
if (handle_log_options(logdata) < 0 ||
handle_key_options(keydata) < 0 ||
handle_pid_options(piddata) < 0 ||
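Review bot: The `change_process_owner(runas) < 0` test in this added block does not catch an unknown user name, because the helper introduced in this commit returns positive `14` when `getpwnam()` finds no entry. With a mistyped `--runas` value the error is logged but the program carries on with the privileges it was started with (root, per the man page text), and then opens its log, key and state files. The second `--runas` block further down the page has the same check. Either treat any non-zero return as failure with `if (change_process_owner(runas) != 0)`, or have the helper return `-14`, matching the `exit(-14)` of the removed CUSE code. The enclosing function starts and ends outside this hunk.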
" : set the directory where the TPM's state will be written\n"
" into; the TPM_PATH environment variable can be used\n"
" instead\n"
+ "-r|--runas <user>: change to the given user\n"
"-h|--help : display this help screen and terminate\n"
"\n",
prgname, iface);
char *piddata = NULL;
char *tpmstatedata = NULL;
char *ctrlchdata = NULL;
+ char *runas = NULL;
#ifdef DEBUG
time_t start_time;
#endif
{"help" , no_argument, 0, 'h'},
{"chardev" , required_argument, 0, 'c'},
{"fd" , required_argument, 0, 'f'},
+ {"runas" , required_argument, 0, 'r'},
{"log" , required_argument, 0, 'l'},
{"key" , required_argument, 0, 'k'},
{"pid" , required_argument, 0, 'P'},
};
while (TRUE) {
- opt = getopt_long(argc, argv, "dhc:f:", longopts, &longindex);
+ opt = getopt_long(argc, argv, "dhc:f:r:", longopts, &longindex);
if (opt == -1)
break;
usage(stdout, prgname, iface);
exit(EXIT_SUCCESS);
+ case 'r':
+ runas = optarg;
+ break;
+
default:
usage(stderr, prgname, iface);
exit(EXIT_FAILURE);
return EXIT_FAILURE;
}
+ /* change process ownership before accessing files */
+ if (runas) {
+ if (change_process_owner(runas) < 0)
+ return EXIT_FAILURE;
+ }
+
if (handle_log_options(logdata) < 0 ||
handle_key_options(keydata) < 0 ||
handle_pid_options(piddata) < 0 ||
#include "config.h"
+#include <grp.h>
+#include <pwd.h>
#include <fcntl.h>
#include <unistd.h>
err_exit:
return -1;
}
+
+int
+change_process_owner(const char *user)
+{
+ struct passwd *passwd = getpwnam(user);
+
+ if (!passwd) {
+ logprintf(STDERR_FILENO,
+ "Error: User '%s' does not exist.\n",
+ user);
+ return 14;
+ }
+ if (initgroups(passwd->pw_name, passwd->pw_gid) < 0) {
+ logprintf(STDERR_FILENO,
+ "Error: initgroups(%s, %d) failed.\n",
+ passwd->pw_name, passwd->pw_gid);
+ return -10;
+ }
+ if (setgid(passwd->pw_gid) < 0) {
+ logprintf(STDERR_FILENO,
+ "Error: setgid(%d) failed.\n",
+ passwd->pw_gid);
+ return -11;
+ }
+ if (setuid(passwd->pw_uid) < 0) {
+ logprintf(STDERR_FILENO,
+ "Error: setuid(%d) failed.\n",
+ passwd->pw_uid);
+ return -12;
+ }
+ return 0;
+}
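Review bot: change_process_owner() is added without a header comment, although its contract is security-relevant to every caller. A comment such as `/* Drop privileges to 'user': supplementary groups, then gid, then uid; returns 0 on success, non-zero on failure. */` would record why the call order must not change: once setuid() has succeeded, the process no longer has the privilege to call initgroups() or setgid(). The `%d` conversions in the log calls are also passed gid_t/uid_t values, so a cast such as `(int)passwd->pw_gid` would keep the format and argument types matched.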
typedef void (*sighandler_t)(int);
int install_sighandlers(int pipefd[2], sighandler_t handler);
+int change_process_owner(const char *owner);
#endif /* _SWTPM_UTILS_H_ */
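Review bot: The prototype names its parameter `owner` while the definition added in this commit uses `user`, and the man page and usage strings are split between `<owner>` and `<user>` in the same way. Using one name throughout, for example `int change_process_owner(const char *user);`, keeps the header, the implementation and the help text in step.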