author | 2003-06-07 18:31:17 +0000 | |
---|---|---|
committer | 2003-06-07 18:31:17 +0000 | |
commit | 54f9abc6026e6044325d9f5e52389c1e540b9106 (patch) | |
tree | 3d1d4065f2c8dd3dd777e1b05ab7629afa9e0ef0 | |
parent | - remove an unbalanced macro (syncs with Heimdal version); (diff) | |
drop privileges to _identd by default and fall back to nobody in case of error
inspired by PR 3294 and a conversation with theo
ok millert@
-rw-r--r-- | libexec/identd/identd.c | 14 | ||||
-rw-r--r-- | libexec/identd/identd.h | 4 |
2 files changed, 16 insertions, 2 deletions
diff --git a/libexec/identd/identd.c b/libexec/identd/identd.c
index 50db4d2c3f7..e897b2f478a 100644
--- a/libexec/identd/identd.c
+++ b/libexec/identd/identd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: identd.c,v 1.33 2002/09/13 01:31:39 djm Exp $ */
+/* $OpenBSD: identd.c,v 1.34 2003/06/07 18:31:17 henning Exp $ */
 /*
 * This program is in the public domain and may be used freely by anyone
@@ -158,6 +158,18 @@ main(int argc, char *argv[])
 socklen_t len;
 openlog(__progname, LOG_PID, LOG_DAEMON);
+
+ /* runs as _identd if possible, fallback to "nobody" */
+ if (getuid() == 0) {
+ if ((pwd = getpwnam(DEFAULT_UID)) == NULL)
+ pwd = getpwnam("nobody");
+ if (pwd == NULL)
+ ERROR1("no such user: neither %s nor nobody",
+ DEFAULT_UID);
+ set_uid = pwd->pw_uid;
+ set_gid = pwd->pw_gid;
+ }
+
 /*
 * Parse the command line arguments
 */
diff --git a/libexec/identd/identd.h b/libexec/identd/identd.h
index 7b4f277aab8..f50c7852ab0 100644
--- a/libexec/identd/identd.h
+++ b/libexec/identd/identd.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: identd.h,v 1.14 2002/09/13 01:31:39 djm Exp $*/
+/* $OpenBSD: identd.h,v 1.15 2003/06/07 18:31:17 henning Exp $*/
 /*
 **
@@ -15,6 +15,8 @@
 #ifndef __IDENTD_H__
 #define __IDENTD_H__
+#define DEFAULT_UID "_identd"
+
 extern int verbose_flag;
 extern int debug_flag;
 extern int syslog_flag; |
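Review bot: The fallback from `DEFAULT_UID` to `nobody` inside the new `getuid() == 0` block is silent, so a host where the `_identd` account was never created runs identd under an account that is typically shared with other services, and nothing tells the operator. openlog() has already been called at this point, so a line such as `syslog(LOG_WARNING, "user %s not found, falling back to nobody", DEFAULT_UID);` placed before `pwd = getpwnam("nobody");` (with braces around the two statements) would make the weaker isolation visible in the logs. The dereference `pwd->pw_uid` is only safe if `ERROR1` never returns, which this hunk does not show. main() continues outside the hunk and this block only records `set_uid`/`set_gid`, so the actual privilege drop, including supplementary groups and checked return values, is worth confirming there.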
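Review bot: `DEFAULT_UID` in identd.h holds a login name that is passed to getpwnam(), not a numeric uid, so the name reads misleadingly next to `set_uid`; a name like `DEFAULT_USER` or a comment on the define would prevent it being used as a number later. Suggested comment above the define: `/* login name identd switches to when started as root; identd.c falls back to "nobody" if it does not exist */`. The header guard opened in this hunk closes outside it.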