From 7dfac00cffc08f62ca827c5fae1f04cb3920d625 Mon Sep 17 00:00:00 2001
From: Matthew Wild <mwild1@gmail.com>
Date: Thu, 23 Jul 2009 01:57:09 +0100
Subject: net.server: Set sslctx to false when SSL wrapping fails, to avoid
 attempting to wrap clients with a broken context

---
 net/server.lua | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/server.lua b/net/server.lua
index e31333e2..b0e0eb78 100644
--- a/net/server.lua
+++ b/net/server.lua
@@ -189,6 +189,7 @@ wrapserver = function( listeners, socket, ip, serverport, pattern, sslctx, maxco
         end
     end
     if not ssl then
+      sslctx = false;
       out_put("server.lua: ", "ssl not enabled on ", serverport);
     end
 
-- 
cgit v1.2.3


From 49705c8ca43919c3c6474159a5474e18b2649193 Mon Sep 17 00:00:00 2001
From: Matthew Wild <mwild1@gmail.com>
Date: Thu, 23 Jul 2009 02:32:00 +0100
Subject: mod_console: Set default_interface to 127.0.0.1

---
 plugins/mod_console.lua | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/plugins/mod_console.lua b/plugins/mod_console.lua
index 3248ca8c..3e978900 100644
--- a/plugins/mod_console.lua
+++ b/plugins/mod_console.lua
@@ -14,7 +14,7 @@ local prosody = _G.prosody;
 local hosts = prosody.hosts;
 local connlisteners_register = require "net.connlisteners".register;
 
-local console_listener = { default_port = 5582; default_mode = "*l"; };
+local console_listener = { default_port = 5582; default_mode = "*l"; default_interface = "127.0.0.1" };
 
 require "util.iterators";
 local jid_bare = require "util.jid".bare;
-- 
cgit v1.2.3


From 43d40acd96caab4feff63dbb1797efa1158285ac Mon Sep 17 00:00:00 2001
From: Matthew Wild <mwild1@gmail.com>
Date: Thu, 23 Jul 2009 02:33:10 +0100
Subject: prosody: Correctly allow console ports to be changed through the
 config

---
 prosody | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/prosody b/prosody
index 404dc3ea..b6247f21 100755
--- a/prosody
+++ b/prosody
@@ -188,6 +188,7 @@ end
 
 -- start listening on sockets
 function net_activate_ports(option, listener, default, conntype)
+	if not cl.get(listener) then return; end
 	local ports = config.get("*", "core", option.."_ports") or default;
 	if type(ports) == "number" then ports = {ports} end;
 	
@@ -215,10 +216,7 @@ net_activate_ports("c2s", "xmppclient", {5222}, (global_ssl_ctx and "tls") or "t
 net_activate_ports("s2s", "xmppserver", {5269}, "tcp");
 net_activate_ports("component", "xmppcomponent", {}, "tcp");
 net_activate_ports("legacy_ssl", "xmppclient", {}, "ssl");
-
-if cl.get("console") then
-	cl.start("console", { interface = config.get("*", "core", "console_interface") or "127.0.0.1" })
-end
+net_activate_ports("console", "console", {5582}, "tcp");
 
 -- Catch global accesses --
 local locked_globals_mt = { __index = function (t, k) error("Attempt to read a non-existent global '"..k.."'", 2); end, __newindex = function (t, k, v) error("Attempt to set a global: "..tostring(k).." = "..tostring(v), 2); end }
-- 
cgit v1.2.3


From 70f4cd7cb7da874196044c896d338b9dcda60e7b Mon Sep 17 00:00:00 2001
From: Matthew Wild <mwild1@gmail.com>
Date: Thu, 23 Jul 2009 03:06:49 +0100
Subject: net.server: Remove listener from listeners table when calling
 removeserver

---
 net/server.lua | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/server.lua b/net/server.lua
index b0e0eb78..6ff39926 100644
--- a/net/server.lua
+++ b/net/server.lua
@@ -690,6 +690,7 @@ removeserver = function( port )
         return nil, "no server found on port '" .. tostring( port ) "'"
     end
     handler.close( )
+    _server[ port ] = nil
     return true
 end
 
-- 
cgit v1.2.3


From 1e86adb61962b913395c373d60982c0061a7b4e7 Mon Sep 17 00:00:00 2001
From: Matthew Wild <mwild1@gmail.com>
Date: Thu, 23 Jul 2009 03:40:01 +0100
Subject: pposix: Add setgid() function

---
 util-src/pposix.c | 63 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 63 insertions(+)

diff --git a/util-src/pposix.c b/util-src/pposix.c
index 70c15281..993e6e87 100644
--- a/util-src/pposix.c
+++ b/util-src/pposix.c
@@ -25,6 +25,7 @@
 
 #include <syslog.h>
 #include <pwd.h>
+#include <grp.h>
 
 #include <string.h>
 #include <errno.h>
@@ -291,6 +292,64 @@ int lc_setuid(lua_State* L)
 	return 2;
 }
 
+int lc_setgid(lua_State* L)
+{
+	int gid = -1;
+	if(lua_gettop(L) < 1)
+		return 0;
+	if(!lua_isnumber(L, 1) && lua_tostring(L, 1))
+	{
+		/* Passed GID is actually a string, so look up the GID */
+		struct group *g;
+		g = getgrnam(lua_tostring(L, 1));
+		if(!g)
+		{
+			lua_pushboolean(L, 0);
+			lua_pushstring(L, "no-such-group");
+			return 2;
+		}
+		gid = g->gr_gid;
+	}
+	else
+	{
+		gid = lua_tonumber(L, 1);
+	}
+	
+	if(gid>-1)
+	{
+		/* Ok, attempt setgid */
+		errno = 0;
+		if(setgid(gid))
+		{
+			/* Fail */
+			lua_pushboolean(L, 0);
+			switch(errno)
+			{
+			case EINVAL:
+				lua_pushstring(L, "invalid-gid");
+				break;
+			case EPERM:
+				lua_pushstring(L, "permission-denied");
+				break;
+			default:
+				lua_pushstring(L, "unknown-error");
+			}
+			return 2;
+		}
+		else
+		{
+			/* Success! */
+			lua_pushboolean(L, 1);
+			return 1;
+		}
+	}
+	
+	/* Seems we couldn't find a valid GID to switch to */
+	lua_pushboolean(L, 0);
+	lua_pushstring(L, "invalid-gid");
+	return 2;
+}
+
 /*	Like POSIX's setrlimit()/getrlimit() API functions.
  *	
  *	Syntax:
@@ -420,9 +479,13 @@ int luaopen_util_pposix(lua_State *L)
 
 	lua_pushcfunction(L, lc_getuid);
 	lua_setfield(L, -2, "getuid");
+	lua_pushcfunction(L, lc_getgid);
+	lua_setfield(L, -2, "getgid");
 
 	lua_pushcfunction(L, lc_setuid);
 	lua_setfield(L, -2, "setuid");
+	lua_pushcfunction(L, lc_setgid);
+	lua_setfield(L, -2, "setgid");
 	
 	lua_pushcfunction(L, lc_setrlimit);
 	lua_setfield(L, -2, "setrlimit");
-- 
cgit v1.2.3


From 59c01041069ba69838a735694f7e05e85d9d14a5 Mon Sep 17 00:00:00 2001
From: Matthew Wild <mwild1@gmail.com>
Date: Thu, 23 Jul 2009 03:47:06 +0100
Subject: pposix, mod_posix: Bump pposix version number

---
 plugins/mod_posix.lua | 2 +-
 util-src/pposix.c     | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/plugins/mod_posix.lua b/plugins/mod_posix.lua
index c00482c5..0f46888d 100644
--- a/plugins/mod_posix.lua
+++ b/plugins/mod_posix.lua
@@ -7,7 +7,7 @@
 --
 
 
-local want_pposix_version = "0.3.0";
+local want_pposix_version = "0.3.1";
 
 local pposix = assert(require "util.pposix");
 if pposix._VERSION ~= want_pposix_version then module:log("warn", "Unknown version (%s) of binary pposix module, expected %s", tostring(pposix._VERSION), want_pposix_version); end
diff --git a/util-src/pposix.c b/util-src/pposix.c
index 993e6e87..d27a84b1 100644
--- a/util-src/pposix.c
+++ b/util-src/pposix.c
@@ -13,7 +13,7 @@
 * POSIX support functions for Lua
 */
 
-#define MODULE_VERSION "0.3.0"
+#define MODULE_VERSION "0.3.1"
 
 #include <stdlib.h>
 #include <unistd.h>
-- 
cgit v1.2.3


From 3417c24b8854ccf3cad8249e80ab9c81bb2081a2 Mon Sep 17 00:00:00 2001
From: Matthew Wild <mwild1@gmail.com>
Date: Thu, 23 Jul 2009 03:58:14 +0100
Subject: prosodyctl: Also switch group when we switch user

---
 prosodyctl | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)

diff --git a/prosodyctl b/prosodyctl
index 81a1bd16..358ec9ea 100755
--- a/prosodyctl
+++ b/prosodyctl
@@ -66,19 +66,28 @@ require "util.datamanager".set_data_path(data_path);
 
 -- Switch away from root and into the prosody user --
 local switched_user, current_uid;
+
+local want_pposix_version = "0.3.1";
 local ok, pposix = pcall(require, "util.pposix");
+
 if ok and pposix then
+	if pposix._VERSION ~= want_pposix_version then print(string.format("Unknown version (%s) of binary pposix module, expected %s", tostring(pposix._VERSION), want_pposix_version)); return; end
 	current_uid = pposix.getuid();
 	if current_uid == 0 then
 		-- We haz root!
 		local desired_user = config.get("*", "core", "prosody_user") or "prosody";
-		local ok, err = pposix.setuid(desired_user);
+		local desired_group = config.get("*", "core", "prosody_group") or desired_user;
+		local ok, err = pposix.setgid(desired_group);
 		if ok then
-			-- Yay!
-			switched_user = true;
-		else
+			ok, err = pposix.setuid(desired_user);
+			if ok then
+				-- Yay!
+				switched_user = true;
+			end
+		end
+		if not switched_user then
 			-- Boo!
-			print("Warning: Couldn't switch to Prosody user '"..tostring(desired_user).."': "..tostring(err));
+			print("Warning: Couldn't switch to Prosody user/group '"..tostring(desired_user).."'/'"..tostring(desired_group).."': "..tostring(err));
 		end
 	end
 else
-- 
cgit v1.2.3


From 23a10d0390865c0e359e3a2e8faa53bd332a2941 Mon Sep 17 00:00:00 2001
From: Matthias Diene <devnull@localhost>
Date: Thu, 23 Jul 2009 12:01:00 +0100
Subject: net.server: Fail to open port if legacy SSL requested, but SSL not
 available

---
 net/server.lua | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/net/server.lua b/net/server.lua
index 6ff39926..6fe72712 100644
--- a/net/server.lua
+++ b/net/server.lua
@@ -190,7 +190,12 @@ wrapserver = function( listeners, socket, ip, serverport, pattern, sslctx, maxco
     end
     if not ssl then
       sslctx = false;
-      out_put("server.lua: ", "ssl not enabled on ", serverport);
+      if startssl then
+         out_error( "server.lua: Cannot start ssl on port: ", serverport )
+         return nil, "Cannot start ssl,  see log for details"
+       else
+         out_put("server.lua: ", "ssl not enabled on ", serverport);
+       end
     end
 
     local accept = socket.accept
-- 
cgit v1.2.3