[Halevt-dev] Re: Bug#594161: No longer sets supplemental groups
From: Marcos Talau
Subject: [Halevt-dev] Re: Bug#594161: No longer sets supplemental groups
Date: Tue, 07 Sep 2010 18:08:54 -0300
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/23.2 (gnu/linux)
Mike Kasick <address@hidden> writes:
>
> It appears that halevt does not set up supplemental groups (i.e., doesn't
> call initgroups) when changing ids to a non-root user. This means that the
> halevt daemon does not have permission to access files/devices owned by a
> group for which user "halevt" is a member, but are not owned by user
> "halevt" or group "plugdev" themselves.
>
Good point! :)
> As it turns out this bug is a regression. Although halevt itself never
> called initgroups, the Debian halevt init.d script in version 0.1.5-4 and
> below ran halevt as a non-root user via start-stop-daemon's -c and -g
> options, and thus the "change id" code in halevt itself was always
> bypassed.
>
> It's unclear from the changelog why the "change id" responsibility was
> shifted from start-stop-daemon to halevt. Personally I find the former to
> be strategic from a security perspective--that is, leave the privileged
> operations solely to a well trusted program (start-stop-daemon) since
> halevt itself does not need root privileges except to change users.
>
Hey, halevt cannot change to a user if it isn't executed by root.
> In any event, if the change to have halevt switch users itself is intended,
> then attached is a patch which adds the appropriate initgroups call to
> halevt. I've tested it, and it works well to fix the problem.
>
Your patch is OK, but it has a small problem. You cannot invoke
initgroups after changing the user. Corrected patch attached.
Thanks for your report and patch!
diff -urN a/src/manager.c b/src/manager.c
--- a/src/manager.c 2010-05-30 14:48:02.000000000 -0300
+++ b/src/manager.c 2010-09-07 18:01:04.000000000 -0300
@@ -326,6 +326,11 @@
exit(1);
}
gid = group_struct->gr_gid;
+ if (initgroups(user, gid) != 0)
+ {
+ DEBUG(_("Error setting initgroups for %s, %u: %s"), user, gid,
strerror(errno));
+ exit(1);
+ }
if (setgid(gid) != 0)
{
DEBUG(_("Error setting gid to %u: %s"), gid, strerror(errno));
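Review bot: the ordering in this hunk is the important part and it is right: initgroups() is placed before setgid(), and therefore before the later setuid(), while the process still holds the root privilege the call needs; that is exactly the correction over the original patch described in the reply. Two small points: initgroups() is declared in <grp.h>, which is almost certainly already included since getgrnam()'s group_struct is in scope, but worth confirming; and gid (a gid_t) is passed to "%u" in the new DEBUG call, matching the existing setgid() message on the last context line, where a cast to (unsigned) would be the portable form in both places. The "strerror(errno));" continuation without a leading "+" is a line-wrap from the archive, not a defect in the patch.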
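The sequence the reply describes (initgroups() first, then setgid(), then setuid(), all while still root), as an added example that is not halevt's own code. The error codes, the helper names `drop_privileges`, `has_group_membership` and `drop_privileges_selfcheck`, and the choice of the `nobody` account for the self-check are this example's own assumptions; it assumes a Linux/glibc system.

```c
/* Added example, not halevt's code: privilege drop in the order the thread
 * settles on, plus a check that the supplementary groups really changed.
 * Assumes Linux/glibc; "nobody" below is a constructed sample target. */
#define _DEFAULT_SOURCE /* declares initgroups() in <grp.h> on glibc */
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

enum {
    DROP_OK = 0,
    DROP_ERR_NOT_ROOT,   /* nothing to drop; initgroups() would fail anyway */
    DROP_ERR_NO_USER,
    DROP_ERR_NO_GROUP,
    DROP_ERR_INITGROUPS,
    DROP_ERR_SETGID,
    DROP_ERR_SETUID,
    DROP_ERR_STILL_ROOT  /* sanity check failed: root could be regained */
};

/* Drop to `user`; `group` may be NULL to keep the passwd primary gid. */
int drop_privileges(const char *user, const char *group)
{
    if (geteuid() != 0)
        return DROP_ERR_NOT_ROOT;

    struct passwd *pw = getpwnam(user);
    if (pw == NULL)
        return DROP_ERR_NO_USER;
    uid_t uid = pw->pw_uid;
    gid_t gid = pw->pw_gid;

    if (group != NULL) {
        struct group *gr = getgrnam(group);
        if (gr == NULL)
            return DROP_ERR_NO_GROUP;
        gid = gr->gr_gid;
    }

    /* initgroups() first: it needs the privilege that setgid()/setuid()
     * below give away. Calling it after the uid change is the defect the
     * reply points out in the original patch. */
    if (initgroups(user, gid) != 0)
        return DROP_ERR_INITGROUPS;
    /* Group before user: once the uid is unprivileged, setgid() fails. */
    if (setgid(gid) != 0)
        return DROP_ERR_SETGID;
    if (setuid(uid) != 0)
        return DROP_ERR_SETUID;

    /* A correct drop cannot be undone. */
    if (setuid(0) == 0 || geteuid() == 0)
        return DROP_ERR_STILL_ROOT;
    return DROP_OK;
}

/* True if `g` is the effective gid or one of the supplementary groups. This
 * is the access the bug report is about: files owned by a group the daemon's
 * user belongs to, but not by its primary group. */
int has_group_membership(gid_t g)
{
    if (getegid() == g)
        return 1;
    int n = getgroups(0, NULL);
    if (n <= 0)
        return 0;
    gid_t *list = malloc((size_t)n * sizeof *list);
    if (list == NULL)
        return 0;
    n = getgroups(n, list);
    int found = 0;
    for (int i = 0; i < n; i++) {
        if (list[i] == g) {
            found = 1;
            break;
        }
    }
    free(list);
    return found;
}

/* Returns 0 when drop_privileges() behaves as expected for the caller's
 * privilege level: refuses when not root, succeeds irreversibly when root. */
int drop_privileges_selfcheck(void)
{
    if (geteuid() != 0)
        return drop_privileges("nobody", NULL) == DROP_ERR_NOT_ROOT ? 0 : 1;

    struct passwd *pw = getpwnam("nobody");
    if (pw == NULL)
        return 2;
    gid_t target_gid = pw->pw_gid; /* copy: getpwnam() reuses its buffer */
    if (drop_privileges("nobody", NULL) != DROP_OK)
        return 3;
    /* After the drop: not root, and the group list reflects the new user. */
    if (geteuid() == 0 || !has_group_membership(target_gid))
        return 4;
    return 0;
}

int main(void)
{
    int rc = drop_privileges_selfcheck();
    printf("self-check %s (euid now %u)\n", rc == 0 ? "passed" : "failed",
           (unsigned)geteuid());
    return rc;
}
```

Run it as root to see the full drop and the group check; run it unprivileged and it reports only that there was nothing to drop, which is the case Marcos describes for halevt started by a non-root user.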