Merge pull request #1198 from mind04/suppgroups

Habbie · Habbie · commit 6ee50ce3db18 · 2014-01-07T10:26:57.000-08:00
set group and supplementary groups before chroot
diff --git a/pdns/common_startup.cc b/pdns/common_startup.cc
@@ -347,16 +347,19 @@ void mainthread()
    if(!::arg()["chroot"].empty()) {  
      if(::arg().mustDo("master") || ::arg().mustDo("slave"))
         gethostbyname("a.root-servers.net"); // this forces all lookup libraries to be loaded
+     Utility::dropGroupPrivs(newuid, newgid);
      if(chroot(::arg()["chroot"].c_str())<0 || chdir("/")<0) {
        L<<Logger::Error<<"Unable to chroot to '"+::arg()["chroot"]+"': "<<strerror(errno)<<", exiting"<<endl; 
        exit(1);
      }   
      else
        L<<Logger::Error<<"Chrooted to '"<<::arg()["chroot"]<<"'"<<endl;      
-   }  
+   } else {
+     Utility::dropGroupPrivs(newuid, newgid);
+   }
 
   StatWebServer sws;
-  Utility::dropPrivs(newuid, newgid);
+  Utility::dropUserPrivs(newuid);
 
   if(::arg().mustDo("recursor")){
     DP=new DNSProxy(::arg()["recursor"]);
diff --git a/pdns/pdns_recursor.cc b/pdns/pdns_recursor.cc
@@ -1830,14 +1830,16 @@ int serviceMain(int argc, char*argv[])
   if(!::arg()["setuid"].empty())
     newuid=Utility::makeUidNumeric(::arg()["setuid"]);
 
+  Utility::dropGroupPrivs(newuid, newgid);
+
   if (!::arg()["chroot"].empty()) {
     if (chroot(::arg()["chroot"].c_str())<0 || chdir("/") < 0) {
       L<<Logger::Error<<"Unable to chroot to '"+::arg()["chroot"]+"': "<<strerror (errno)<<", exiting"<<endl;
       exit(1);
     }
   }
 
-  Utility::dropPrivs(newuid, newgid);
+  Utility::dropUserPrivs(newuid);
   g_numThreads = ::arg().asNum("threads") + ::arg().mustDo("pdns-distributes-queries");
   
   makeThreadPipes();
diff --git a/pdns/unix_utility.cc b/pdns/unix_utility.cc
@@ -123,8 +123,8 @@ void Utility::usleep(unsigned long usec)
 }
 
 
-// Drops the program's privileges.
-void Utility::dropPrivs( int uid, int gid )
+// Drops the program's group privileges.
+void Utility::dropGroupPrivs( int uid, int gid )
 {
   if(gid) {
     if(setgid(gid)<0) {
@@ -148,7 +148,12 @@ void Utility::dropPrivs( int uid, int gid )
       }
     }
   }
+}
+
 
+// Drops the program's user privileges.
+void Utility::dropUserPrivs( int uid )
+{
   if(uid) {
     if(setuid(uid)<0) {
       theL()<<Logger::Critical<<"Unable to set effective user id to "<<uid<<":  "<<stringerror()<<endl;
diff --git a/pdns/utility.hh b/pdns/utility.hh
@@ -134,8 +134,11 @@ public:
   //! Sets the random seed.
   static void srandom( unsigned int seed );
 
-  //! Drops the program's privileges.
-  static void dropPrivs( int uid, int gid );
+  //! Drops the program's group privileges.
+  static void dropGroupPrivs( int uid, int gid );
+
+  //! Drops the program's user privileges.
+  static void dropUserPrivs( int uid );
   
   //! Sets the socket into blocking mode.
   static bool setBlocking( Utility::sock_t socket );

Original file line number	Diff line number	Diff line change
`@@ -123,8 +123,8 @@ void Utility::usleep(unsigned long usec)`
`123`	`123`	`}`
`124`	`124`
`125`	`125`
`126`		`-// Drops the program's privileges.`
`127`		`-void Utility::dropPrivs( int uid, int gid )`
	`126`	`+// Drops the program's group privileges.`
	`127`	`+void Utility::dropGroupPrivs( int uid, int gid )`
`128`	`128`	`{`
`129`	`129`	`if(gid) {`
`130`	`130`	`if(setgid(gid)<0) {`
`@@ -148,7 +148,12 @@ void Utility::dropPrivs( int uid, int gid )`
`148`	`148`	`}`
`149`	`149`	`}`
`150`	`150`	`}`
	`151`	`+}`
	`152`	`+`
`151`	`153`
	`154`	`+// Drops the program's user privileges.`
	`155`	`+void Utility::dropUserPrivs( int uid )`
	`156`	`+{`
`152`	`157`	`if(uid) {`
`153`	`158`	`if(setuid(uid)<0) {`
`154`	`159`	`theL()<<Logger::Critical<<"Unable to set effective user id to "<<uid<<": "<<stringerror()<<endl;`