
Merge pull request #1198 from mind04/suppgroups

set group and supplementary groups before chroot
2 parents 726b301 + f1d6a7c commit 6ee50ce3db1889b9bac921bb6091c53f2872fcea @Habbie Habbie committed Jan 7, 2014
Showing with 20 additions and 7 deletions.
  1. +5 −2 pdns/common_startup.cc
  2. +3 −1 pdns/pdns_recursor.cc
  3. +7 −2 pdns/unix_utility.cc
  4. +5 −2 pdns/utility.hh
@@ -347,16 +347,19 @@ void mainthread()
if(!::arg()["chroot"].empty()) {
if(::arg().mustDo("master") || ::arg().mustDo("slave"))
gethostbyname("a.root-servers.net"); // this forces all lookup libraries to be loaded
+ Utility::dropGroupPrivs(newuid, newgid);
if(chroot(::arg()["chroot"].c_str())<0 || chdir("/")<0) {
L<<Logger::Error<<"Unable to chroot to '"+::arg()["chroot"]+"': "<<strerror(errno)<<", exiting"<<endl;
exit(1);
}
else
L<<Logger::Error<<"Chrooted to '"<<::arg()["chroot"]<<"'"<<endl;
- }
+ } else {
+ Utility::dropGroupPrivs(newuid, newgid);
+ }
StatWebServer sws;
- Utility::dropPrivs(newuid, newgid);
+ Utility::dropUserPrivs(newuid);
if(::arg().mustDo("recursor")){
DP=new DNSProxy(::arg()["recursor"]);
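Review bot: The two `Utility::dropGroupPrivs(newuid, newgid);` calls in mainthread(), one inside the chroot branch and one in the new `else`, could be a single call placed just before `if(!::arg()["chroot"].empty())`, which is how the pdns_recursor.cc hunk of this commit does it. That removes the `else` and leaves no path on which a later edit to one branch skips the group drop; it does move the call ahead of the gethostbyname() preload, which should not matter but is worth confirming. The ordering is load-bearing and the call site does not say so, so I would add a comment such as `// set gid and supplementary groups while still root and before chroot(); dropUserPrivs() must come after`. mainthread() starts and ends outside the hunk.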
@@ -1830,14 +1830,16 @@ int serviceMain(int argc, char*argv[])
if(!::arg()["setuid"].empty())
newuid=Utility::makeUidNumeric(::arg()["setuid"]);
+ Utility::dropGroupPrivs(newuid, newgid);
+
if (!::arg()["chroot"].empty()) {
if (chroot(::arg()["chroot"].c_str())<0 || chdir("/") < 0) {
L<<Logger::Error<<"Unable to chroot to '"+::arg()["chroot"]+"': "<<strerror (errno)<<", exiting"<<endl;
exit(1);
}
}
- Utility::dropPrivs(newuid, newgid);
+ Utility::dropUserPrivs(newuid);
g_numThreads = ::arg().asNum("threads") + ::arg().mustDo("pdns-distributes-queries");
makeThreadPipes();
@@ -123,8 +123,8 @@ void Utility::usleep(unsigned long usec)
}
-// Drops the program's privileges.
-void Utility::dropPrivs( int uid, int gid )
+// Drops the program's group privileges.
+void Utility::dropGroupPrivs( int uid, int gid )
{
if(gid) {
if(setgid(gid)<0) {
@@ -148,7 +148,12 @@ void Utility::dropPrivs( int uid, int gid )
}
}
}
+}
+
+// Drops the program's user privileges.
+void Utility::dropUserPrivs( int uid )
+{
if(uid) {
if(setuid(uid)<0) {
theL()<<Logger::Critical<<"Unable to set effective user id to "<<uid<<": "<<stringerror()<<endl;
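Review bot: The `if(gid)` guard at the top of dropGroupPrivs() means that a configuration which sets a uid but leaves gid at 0 skips the whole group step, so the process would presumably keep root's primary and supplementary groups after dropUserPrivs() runs. The lines that set the supplementary groups fall between the two hunks and are not visible here, so this is inferred from the guard and the closing braces. If that combination is reachable from the setuid/setgid settings, make it visible, e.g. `if(uid && !gid) theL()<<Logger::Warning<<"setuid is set without setgid, group privileges are not dropped"<<endl;` at the top of dropGroupPrivs(). dropUserPrivs() continues past the end of the hunk.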
@@ -134,8 +134,11 @@ public:
//! Sets the random seed.
static void srandom( unsigned int seed );
- //! Drops the program's privileges.
- static void dropPrivs( int uid, int gid );
+ //! Drops the program's group privileges.
+ static void dropGroupPrivs( int uid, int gid );
+
+ //! Drops the program's user privileges.
+ static void dropUserPrivs( int uid );
//! Sets the socket into blocking mode.
static bool setBlocking( Utility::sock_t socket );
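Review bot: The `//!` comments on dropGroupPrivs() and dropUserPrivs() do not state the call-order contract that this split introduces, and they do not say why the group function takes a uid. I would document it on the declarations, e.g. `//! Sets the group id and supplementary groups. Call while still root, before chroot() and before dropUserPrivs().` and `//! Sets the user id. Call last; group privileges cannot be changed afterwards.` The uid parameter is presumably used to look up the user's supplementary groups; say so in the comment once confirmed against unix_utility.cc.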
