Merge branch 'chroot' into bfgminer

README

@@ -181,6 +181,7 @@ Options for both config file and command line:
 --api-port          Port number of miner API (default: 4028)
 --balance           Change multipool strategy from failover to even share balance
 --benchmark         Run BFGMiner in benchmark mode - produces no shares
+--chroot-dir <arg>  Chroot to a directory right after startup
 --cmd-idle <arg>    Execute a command when a device is allowed to be idle (rest or wait)
 --cmd-sick <arg>    Execute a command when a device is declared sick
 --cmd-dead <arg>    Execute a command when a device is declared dead
@@ -228,6 +229,7 @@ Options for both config file and command line:
 --sched-start <arg> Set a time of day in HH:MM to start mining (a once off without a stop time)
 --sched-stop <arg>  Set a time of day in HH:MM to stop mining (will quit without a start time)
 --scrypt            Use the scrypt algorithm for mining (non-bitcoin)
+--setuid <arg>      Username of an unprivileged user to run as
 --sharelog <arg>    Append share log to file
 --shares <arg>      Quit after mining N shares (default: unlimited)
 --show-processors   Show per processor statistics in summary

configure.ac

@@ -74,6 +74,14 @@ AC_CHECK_HEADERS([sys/epoll.h])
 AC_CHECK_HEADERS([sys/prctl.h])
 AC_CHECK_HEADERS([sys/file.h])
 
+AC_CHECK_HEADERS([sys/file.h])
+
+# Setuid
+AC_CHECK_HEADERS([pwd.h])
+
+# Check for chroot support
+AC_CHECK_FUNCS([chroot])
+
 AC_FUNC_ALLOCA
 
 have_cygwin=false

miner.c

@@ -40,6 +40,10 @@
 #include <sys/types.h>
 #include <dirent.h>
 
+#ifdef HAVE_PWD_H
+#include <pwd.h>
+#endif
+
 #ifndef WIN32
 #include <sys/resource.h>
 #include <sys/socket.h>
@@ -378,6 +382,14 @@ char *cmd_idle, *cmd_sick, *cmd_dead;
 	static int forkpid;
 #endif // defined(unix)
 
+#ifdef HAVE_CHROOT
+char *chroot_dir;
+#endif
+
+#ifdef HAVE_PWD_H
+char *opt_setuid;
+#endif
+
 struct sigaction termhandler, inthandler;
 
 struct thread_q *getq;
@@ -1473,6 +1485,11 @@ static struct opt_table opt_config_table[] = {
 	OPT_WITH_ARG("--bench-algo|-b",
 		     set_int_0_to_9999, opt_show_intval, &opt_bench_algo,
 		     opt_hidden),
+#endif
+#ifdef HAVE_CHROOT
+        OPT_WITH_ARG("--chroot-dir",
+                     opt_set_charp, NULL, &chroot_dir,
+                     "Chroot to a directory right after startup"),
 #endif
 	OPT_WITH_ARG("--cmd-idle",
 	             opt_set_charp, NULL, &cmd_idle,
@@ -1776,6 +1793,11 @@ static struct opt_table opt_config_table[] = {
 		     set_shaders, NULL, NULL,
 		     "GPU shaders per card for tuning scrypt, comma separated"),
 #endif
+#endif
+#ifdef HAVE_PWD_H
+        OPT_WITH_ARG("--setuid",
+                     opt_set_charp, NULL, &opt_setuid,
+                     "Username of an unprivileged user to run as"),
 #endif
 	OPT_WITH_ARG("--sharelog",
 		     set_sharelog, NULL, NULL,
@@ -10049,6 +10071,35 @@ int main(int argc, char *argv[])
 	applog(LOG_DEBUG, "pthread_cancel workaround in use");
 #endif
 
+#ifdef HAVE_PWD_H
+	struct passwd *user_info = NULL;
+	if (opt_setuid != NULL) {
+		if ((user_info = getpwnam(opt_setuid)) == NULL) {
+			quit(1, "Unable to find setuid user information");
+		}
+	}
+#endif
+
+#ifdef HAVE_CHROOT
+        if (chroot_dir != NULL) {
+#ifdef HAVE_PWD_H
+                if (user_info == NULL && getuid() == 0) {
+                        applog(LOG_WARNING, "Running as root inside chroot");
+                }
+#endif
+                if (chroot(chroot_dir) != 0) {
+                       quit(1, "Unable to chroot");
+                }
+        }
+#endif
+
+#ifdef HAVE_PWD_H
+		if (user_info != NULL) {
+			if (setgid((*user_info).pw_gid) == 0 && setuid((*user_info).pw_uid) != 0) {
+				quit(1, "Unable to setuid");
+			}
+		}
+#endif
 	raise_fd_limits();
 	
 	if (opt_benchmark) {