[JDEV] Suggestion for JDEV (security)
kadokev at msg.net
Fri Jun 1 13:07:23 CDT 2001
I've seen that a number of people are running 'jabberd' as the root user.
Suggestion: a change in the main() for jabberd, such that the program will
print/log a warning message at startup if the real or effective uid
or gid is 0.
I'd suggest simply refusing to run, but that might be going a bit far :-)
Kevin Kadow
MSG.Net, Inc.
----CUT HERE----
*** jabberd.c.orig Fri Jun 1 12:58:10 2001
--- jabberd.c Fri Jun 1 13:02:36 2001
***************
*** 66,71 ****
--- 66,77 ----
xmlnode pidfile;
char *pidpath;
+ /* Check if my real or effective UID/GID is root */
+ if(!getuid() || !geteuid() || !getgid() || !getegid() )
+ {
+ fprintf(stderr, "WARNING! It is not recommended to run the jabberd as roo
t.\n Starting with a real or effective uid/gid of 0.\n");
+ }
+
jabberd__runtime = pool_new();
/* start by assuming the parameters were entered correctly */
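Review bot: The warning in the added `if` block is written only with `fprintf(stderr, ...)`, so it is lost whenever jabberd is started with stderr closed or redirected (an init script, for example), while the proposal above asks for "print/log". Consider also sending the same text through the server's own logging path once it is available. The message would be more useful if it named which of the four ids is zero and printed its value, since a gid of 0 with a non-root uid is a different misconfiguration from running as uid 0. The check also relies on `getuid()`, `geteuid()`, `getgid()` and `getegid()` being declared; the hunk adds no include, so confirm `<unistd.h>` is already pulled in by jabberd.c. As posted, the `fprintf` line is wrapped in the middle of the string literal ("roo" / "t."), so the patch will not apply or compile until that line is rejoined.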
----CUT HERE----
Comments?