From 014d54e2353ea0b6968baf614685635da253c993 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Wed, 30 Jan 2013 21:56:36 +0100
Subject: [PATCH] chroot worker process
---
 src/main.c | 15 +++++++++++----
 src/sample.config | 2 +-
 2 files changed, 12 insertions(+), 5 deletions(-)
diff --git a/src/main.c b/src/main.c
index 3f8a69b5..742d460a 100644
--- a/src/main.c
+++ b/src/main.c
@@ -243,6 +243,15 @@ static void drop_privileges(struct cfg_st *config)
 {
 int ret, e;
+ if (config->chroot_dir) {
+ ret = chroot(config->chroot_dir);
+ if (ret != 0) {
+ e = errno;
+ syslog(LOG_ERR, "Cannot chroot to %s: %s", config->chroot_dir, strerror(e));
+ exit(1);
+ }
+ }
+
 if (config->gid != -1 && (getgid() == 0 || getegid() == 0)) {
 ret = setgid(config->gid);
 if (ret < 0) {
@@ -331,8 +340,6 @@ int main(int argc, char** argv)
 fprintf(stderr, "Error in arguments\n");
 exit(1);
 }
-#warning read configuration from file
-
 /* Listen to network ports */
 ret = listen_ports(&config, &llist, config.name, config.port, SOCK_STREAM);
 if (ret < 0) {
@@ -459,12 +466,12 @@ int main(int argc, char** argv)
 exit(1);
 }
-#warning chroot here?
 pid = fork();
 if (pid == 0) { /* child */
-
+ /* Drop privileges after this point */
 drop_privileges(&config);
+
 /* close any open descriptors before
 * running the server
 */
diff --git a/src/sample.config b/src/sample.config
index 2e9667f2..88901ab1 100644
--- a/src/sample.config
+++ b/src/sample.config
@@ -36,7 +36,7 @@ server-key = /home/nmav/cvs/ocserv/test.pem
 tls-priorities = "PERFORMANCE:%SERVER_PRECEDENCE"
 # The default server directory
-#chroot-dir = /path/to/chroot
+#chroot-dir = /root
 # Cookie validity time (in seconds)
 # Once a client is authenticated he's provided a cookie with
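Review bot: The block added at the top of drop_privileges() in src/main.c calls chroot() but never changes the working directory, so the worker's cwd still refers to a directory outside the new root and relative paths keep resolving there, which undoes the confinement. Add `if (ret == 0) ret = chdir("/");` directly after `ret = chroot(config->chroot_dir);` so the existing error branch covers both calls. The jail also only holds once root is given up: the setgid() step visible below is conditional on `config->gid != -1`, so with chroot_dir set and no gid/uid configured the worker would presumably stay root inside the chroot, and that combination is worth rejecting at startup. The rest of drop_privileges() lies outside the hunk, so the uid handling is inferred rather than seen.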
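Review bot: In src/sample.config the commented example now reads `#chroot-dir = /root`, which points the jail at root's home directory, so anyone who simply uncomments the line confines the worker to a place that commonly holds root's own keys and history files. A chroot target should be a dedicated, root-owned directory that the unprivileged worker cannot write to and that contains only what the worker needs. The previous placeholder `/path/to/chroot` conveyed that better; alternatively use a purpose-made path such as `#chroot-dir = /var/lib/ocserv` (constructed example). The comment above the option could also state the effect, e.g. `# If set, the worker process is chroot()ed into this directory`.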