On Fri, Dec 13, 2019 at 12:42:03PM +0100, Alex Gladkov wrote:
> diff --git a/hasher-priv/config.c b/hasher-priv/config.c
> index e3fedcd..6b6bdb1 100644
> --- a/hasher-priv/config.c
> +++ b/hasher-priv/config.c
> @@ -1,6 +1,7 @@
>
>  /*
>    Copyright (C) 2003-2019  Dmitry V. Levin <ldv@altlinux.org>
> +  Copyright (C) 2019  Alexey Gladkov <legion@altlinux.org>
>
>    Configuration support module for the hasher-priv program.
>
> @@ -19,13 +20,17 @@
>  #include <unistd.h>
>  #include <limits.h>
>  #include <pwd.h>
> +#include <grp.h>
>
>  #include "priv.h"
>  #include "xmalloc.h"
> +#include "logging.h"
>
>  const char *const *chroot_prefix_list;
>  const char *chroot_prefix_path;
>  const char *change_user1, *change_user2;
> +char *server_control_group = NULL;
> +char *server_pidfile = NULL;
>  const char *term;
>  const char *x11_display, *x11_key;
>  str_list_t allowed_devices;
> @@ -33,6 +38,8 @@ str_list_t allowed_mountpoints;
>  str_list_t requested_mountpoints;
>  uid_t   change_uid1, change_uid2;
>  gid_t   change_gid1, change_gid2;
> +gid_t   server_gid;
> +unsigned long server_session_timeout = 0;
>  mode_t  change_umask = 022;
>  int change_nice = 8;
>  int     makedev_console;
> @@ -42,6 +49,7 @@ int share_caller_network = 0;
>  int share_ipc = -1;
>  int share_network = -1;
>  int share_uts = -1;
> +int server_log_priority = -1;
>  change_rlimit_t change_rlimit[] = {
>
>  /* Per-process CPU limit, in seconds.  */
> @@ -209,7 +217,7 @@ parse_rlim(const char *name, const char *value, const char *optname,
>  }
>
>  static unsigned long
> -str2wlim(const char *name, const char *value, const char *filename)
> +str2ul(const char *name, const char *value, const char *filename)
>  {
>  	char   *p = 0;
>  	unsigned long long n;
> @@ -229,7 +237,7 @@ static void
>  modify_wlim(unsigned long *pval, const char *value,
>  	    const char *optname, const char *filename, int is_system)
>  {
> -	unsigned long val = str2wlim(optname, value, filename);
> +	unsigned long val = str2ul(optname, value, filename);
>
>  	if (is_system || *pval == 0 || (val > 0 && val < *pval))
>  		*pval = val;
> @@ -633,3 +641,134 @@ parse_env(void)
>  	if ((e = getenv("requested_mountpoints")))
>  		parse_str_list(e, &requested_mountpoints);
>  }
> +
> +static void
> +check_server_control_group(void)

Bad (IOW, unlucky) naming; especially since in a later patch
hasher-privd deals with cgroups.

Is this related to the socket inode's gid in /run?

> +{
> +	struct group *gr;
> +
> +	if (!server_control_group || !*server_control_group)
> +		error(EXIT_FAILURE, 0, "config: undefined: control_group");
> +
> +	gr = getgrnam(server_control_group);
> +
> +	if (!gr || !gr->gr_name)
> +		error(EXIT_FAILURE, 0, "config: control_group: %s lookup failure", server_control_group);
> +
> +	server_gid = gr->gr_gid;
> +}
> +
> +static void
> +set_server_config(const char *name, const char *value, const char *filename)
> +{
> +	if (!strcasecmp("priority", name)) {
> +		server_log_priority = logging_level(value);
> +	} else if (!strcasecmp("session_timeout", name)) {
> +		server_session_timeout = str2ul(name, value, filename);
> +	} else if (!strcasecmp("pidfile", name)) {
> +		free(server_pidfile);
> +		server_pidfile = xstrdup(value);
> +	} else if (!strcasecmp("control_group", name)) {
> +		free(server_control_group);
> +		server_control_group = xstrdup(value);
> +	} else {
> +		bad_option_name(name, filename);
> +	}
> +}
> +
> +static void
> +read_server_config(int fd, const char *name)
> +{
> +	FILE *fp = fdopen(fd, "r");
> +	char buf[BUFSIZ];
> +	unsigned line;
> +
> +	if (!fp)
> +		error(EXIT_FAILURE, errno, "fdopen: %s", name);
> +
> +	for (line = 1; fgets(buf, BUFSIZ, fp); ++line) {
> +		const char *start, *left;
> +		char   *eq, *right, *end;
> +
> +		for (start = buf; *start && isspace(*start); ++start)
> +			;
> +
> +		if (!*start || '#' == *start)
> +			continue;
> +
> +		if (!(eq = strchr(start, '=')))
> +			error(EXIT_FAILURE, 0, "%s: syntax error at line %u",
> +			      name, line);
> +
> +		left = start;
> +		right = eq + 1;
> +
> +		for (; eq > left; --eq)
> +			if (!isspace(eq[-1]))
> +				break;
> +
> +		if (left == eq)
> +			error(EXIT_FAILURE, 0, "%s: syntax error at line %u",
> +			      name, line);
> +
> +		*eq = '\0';
> +		end = right + strlen(right);
> +
> +		for (; right < end; ++right)
> +			if (!isspace(*right))
> +				break;
> +
> +		for (; end > right; --end)
> +			if (!isspace(end[-1]))
> +				break;
> +
> +		*end = '\0';
> +		set_server_config(left, right, name);
> +	}
> +
> +	if (ferror(fp))
> +		error(EXIT_FAILURE, errno, "fgets: %s", name);
> +
> +	if (fclose(fp))
> +		error(EXIT_FAILURE, errno, "fclose: %s", name);
> +}
> +
> +static void
> +load_server_config(const char *name)
> +{
> +	struct stat st;
> +	int fd = open(name, O_RDONLY | O_NOFOLLOW | O_NOCTTY);
> +
> +	if (fd < 0)
> +		error(EXIT_FAILURE, errno, "open: %s", name);
> +
> +	if (fstat(fd, &st) < 0)
> +		error(EXIT_FAILURE, errno, "fstat: %s", name);
> +
> +	stat_root_ok_validator(&st, name);
> +
> +	if (!S_ISREG(st.st_mode))
> +		error(EXIT_FAILURE, 0, "%s: not a regular file", name);
> +
> +	if (st.st_size > MAX_CONFIG_SIZE)
> +		error(EXIT_FAILURE, 0, "%s: file too large: %lu",
> +		      name, (unsigned long) st.st_size);
> +
> +	read_server_config(fd, name);
> +}
> +
> +void
> +configure_server(void)
> +{
> +	safe_chdir("/", stat_root_ok_validator);
> +	safe_chdir("etc/hasher-priv", stat_root_ok_validator);
> +	load_server_config("server");
> +	check_server_control_group();
> +}
> +
> +void
> +free_server_configuration(void)
> +{
> +	free(server_pidfile);
> +	free(server_control_group);
> +}