[stunnel-users] privileges not dropped before libwrap processes are spawned

Michal Trojnara Michal.Trojnara at mirt.net
Wed Nov 25 21:01:37 CET 2009


Micah Anderson wrote:
> I recently stumbled on
> http://mirt.net/pipermail/stunnel-users/2008-May/001977.html which is
> exactly what I am seeing with version 4.27 of stunnel, namely the daemon
> is not switching to the setuid/setgid specified in the config before it
> is spawned.
>
> This means that I get 6 processes, 5 run as root with only one (albeit
> the one listening on the specified sockets) dropping privs to the
> specified user.

That's how it was designed.  5 helper processes that only perform  
libwrap checking do not perform chroot/setuid/setgid.  If you don't  
like it just disable libwrap support:

	./configure --disable-libwrap && make clean && make && make install

Best regards,
	Mike
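
The behaviour discussed in this thread can be checked on a host by comparing the owner of each stunnel process with the `setuid` user from the configuration. The script below is an added example, not part of the original posts or of stunnel. The function names, the sample configuration, the sample process list and the configuration path in the comment are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: compare stunnel process owners with the configured setuid user.

# Print the "setuid" value from the global part of a stunnel.conf read on stdin.
conf_setuid() {
    awk -F= '
        /^[ \t]*\[/ { exit }                 # first service section ends the globals
        /^[ \t]*setuid[ \t]*=/ {
            gsub(/^[ \t]+|[ \t]+$/, "", $2); print $2; exit
        }'
}

# Read "PID USER COMMAND" lines on stdin; print PID:USER for every stunnel
# process whose owner differs from the expected user given as $1.
undropped() {
    awk -v want="$1" '$3 ~ /^stunnel/ && $2 != want { print $1 ":" $2 }'
}

# Constructed sample data: one listener that dropped privileges and five
# helper processes still owned by root, as described in the thread.
SAMPLE_CONF='; constructed sample configuration
chroot = /var/lib/stunnel4
setuid = stunnel4
setgid = stunnel4

[imaps]
accept = 993
connect = 143'

SAMPLE_PS=' 2101 root     stunnel4
 2102 root     stunnel4
 2103 root     stunnel4
 2104 root     stunnel4
 2105 root     stunnel4
 2106 stunnel4 stunnel4
 2200 root     sshd'

# Run the check against the constructed sample.
audit_sample() {
    user=$(printf '%s\n' "$SAMPLE_CONF" | conf_setuid)
    printf '%s\n' "$SAMPLE_PS" | undropped "$user"
}

# On a live host (the config path is an assumption):
#   ps -eo pid=,user=,comm= | undropped "$(conf_setuid < /etc/stunnel/stunnel.conf)"
audit_sample
```

An empty result means every stunnel process runs as the configured user, which is what a build made with `--disable-libwrap` should show.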


