wrap initgroups() with swig

use initgroups in dropPrivileges() change spec and Makefile to package and install Sys::GRP module
SUSE · Mar 31, 2009 · 5d92d0a · 5d92d0a
1 parent defd0dd
commit 5d92d0a
Show file tree

Hide file tree

Showing 6 changed files with 111 additions and 23 deletions.
diff --git a/Makefile b/Makefile
@@ -7,6 +7,9 @@ SMT_SQLITE_DB = $(DESTDIR)/var/lib/SMT/db/smt.db
 TEMPF         = $(shell mktemp)
 DOCDIR        = /usr/share/doc/packages
 
+all:
+	make -C swig
+
 install_all: install install_conf install_db
 	@echo "==========================================================="
 	@echo "Append 'perl' to APACHE_MODULES an 'SSL' to APACHE_SERVER_FLAGS"
@@ -130,6 +133,7 @@ install:
 	install -m 644 doc/NCC-Client-Registration-via-YEP.odt $(DESTDIR)$(DOCDIR)/smt/
 	install -m 644 doc/Server-Tuning.txt $(DESTDIR)$(DOCDIR)/smt/
 	install -m 644 doc/SMT-Database-Schema.txt $(DESTDIR)$(DOCDIR)/smt/
+	make -C swig $@
 
 test: clean
 	cd tests; perl tests.pl && cd -
@@ -139,7 +143,7 @@ clean:
 	rm -rf tests/testdata/rpmmdtest/*
 	rm -rf $(NAME)-$(VERSION)/
 	rm -rf $(NAME)-$(VERSION).tar.bz2
-
+	make -C swig $@
 
 dist: clean
 	rm -rf $(NAME)-$(VERSION)/
@@ -188,6 +192,7 @@ dist: clean
                   -o \
                   \( -type f -exec install -m644 \{\} $(NAME)-$(VERSION)/\{\} \; \) \
                 \)
+	make -C swig NAME=$(NAME) VERSION=$(VERSION) $@
 	@cp Makefile README COPYING $(NAME)-$(VERSION)/
 	@rm $(NAME)-$(VERSION)/www/README
 

diff --git a/smt.spec b/smt.spec
@@ -19,7 +19,7 @@
 
 
 Name:           smt
-BuildRequires:  apache2 apache2-mod_perl
+BuildRequires:  apache2 apache2-mod_perl swig
 Version:        1.1.3
 Release:        0.2
 Requires:       perl = %{perl_version}
@@ -82,6 +82,7 @@ cp -p %{S:1} .
 # ---------------------------------------------------------------------------
 
 %build
+make
 mkdir man
 cd script
 for prog in smt*; do
@@ -141,6 +142,9 @@ exit 0
 %dir %{perl_vendorlib}/SMT/
 %dir %{perl_vendorlib}/SMT/Mirror
 %dir %{perl_vendorlib}/SMT/Parser
+%dir %{perl_vendorarch}/Sys
+%dir %{perl_vendorarch}/auto/Sys/
+%dir %{perl_vendorarch}/auto/Sys/GRP
 %dir /etc/smt.d
 %dir %attr(755, smt, www)/srv/www/htdocs/repo/
 %dir %attr(755, smt, www)/srv/www/htdocs/repo/tools
@@ -170,6 +174,8 @@ exit 0
 %{perl_vendorlib}/SMT/*.pm
 %{perl_vendorlib}/SMT/Mirror/*.pm
 %{perl_vendorlib}/SMT/Parser/*.pm
+%{perl_vendorarch}/Sys/*.pm
+%{perl_vendorarch}/auto/Sys/GRP/*.so
 /srv/www/perl-lib/NU/*.pm
 /srv/www/perl-lib/SMT/*.pm
 /usr/sbin/smt-*

diff --git a/swig/GRP.i b/swig/GRP.i
@@ -0,0 +1,8 @@
+%module "Sys::GRP"
+
+%{
+#include <grp.h>
+%}
+
+extern int initgroups (const char *user, unsigned int group);
+
diff --git a/swig/Makefile b/swig/Makefile
@@ -0,0 +1,52 @@
+PERL        ?= perl
+PERL_CC      = $(shell $(PERL) -MExtUtils::Embed -e ccopts)
+PERL_LD      = $(shell $(PERL) -MExtUtils::Embed -e ldopts)
+VENDOR_ARCH  = $(shell $(PERL) -MConfig -e 'print $$Config{installvendorarch};')
+
+INCLUDES     = $(PERL_CC)
+
+LIBS         = $(PERL_LD)
+
+CXXFLAGS    += -Wno-unused -fPIC -DPIC $(RPM_OPT_FLAGS)
+GCC          = gcc
+
+MNAME    = GRP
+
+all: $(MNAME).so
+
+clean:
+	rm -f *.o
+	rm -f $(MNAME).so
+	rm -f *.c
+	rm -f $(MNAME).pm
+	rm -fr auto Sys
+
+$(MNAME).so: $(MNAME)_wrap.o
+	$(GCC) -shared -o $(MNAME).so $< $(LDFLAGS) $(LIBS)
+	@if test ! -d Sys; then mkdir -p Sys ; fi
+	@if test ! -L Sys/$(MNAME).pm ; then \
+		ln -s ../$(MNAME).pm Sys/$(MNAME).pm ; \
+	fi
+	@if test ! -d auto/Sys/$(MNAME) ; then \
+		mkdir -p auto/Sys/$(MNAME) ; \
+	fi
+	@if test ! -L auto/Sys/$(MNAME)/$(MNAME).so ; then \
+		ln -s ../../../$(MNAME).so auto/Sys/$(MNAME)/$(MNAME).so ; \
+	fi
+
+$(MNAME)_wrap.o: $(MNAME)_wrap.c
+	$(GCC) $(CXXFLAGS) $(INCLUDES) -c $<
+
+$(MNAME)_wrap.c: $(MNAME).i
+	swig -perl5 -o $(MNAME)_wrap.c $<
+
+install: $(MNAME).so
+	mkdir -p $(DESTDIR)/$(VENDOR_ARCH)/auto/Sys/$(MNAME)
+	mkdir -p $(DESTDIR)/$(VENDOR_ARCH)/Sys/
+	install -m 644 $(MNAME).pm $(DESTDIR)/$(VENDOR_ARCH)/Sys/
+	install -m 755 $(MNAME).so $(DESTDIR)/$(VENDOR_ARCH)/auto/Sys/$(MNAME)
+
+dist:
+	@mkdir -p ../$(NAME)-$(VERSION)/swig
+	@cp Makefile ../$(NAME)-$(VERSION)/swig
+	@cp $(MNAME).i ../$(NAME)-$(VERSION)/swig
diff --git a/swig/ptest.pl b/swig/ptest.pl
@@ -0,0 +1,33 @@
+#! /usr/bin/perl -w
+
+BEGIN
+{
+	push @INC, ".";
+};
+
+use strict;
+use English;
+use Sys::GRP;
+use POSIX;
+use User::pwent;
+my $user = "tux";
+
+my $pw = getpwnam($user) || return 0;
+my $primgroup= $pw->gid();
+
+print "UID: $UID\n";
+print "EUID: $EUID\n";
+print "GID: $GID\n";
+print "EGID: $EGID\n";
+
+$GID = $primgroup;
+$EGID = $primgroup;
+my $ret = Sys::GRP::initgroups($user, $primgroup);
+print "RET: $ret \n";
+
+POSIX::setuid( $pw->uid() ) || return 0;
+
+print "UID: $UID\n";
+print "EUID: $EUID\n";
+print "GID: $GID\n";
+print "EGID: $EGID\n";
diff --git a/www/perl-lib/SMT/Utils.pm b/www/perl-lib/SMT/Utils.pm
@@ -14,6 +14,7 @@ use Net::SMTP;   # sending eMails via smtp relay
 use Locale::gettext ();
 use POSIX ();     # Needed for setlocale()
 use User::pwent;
+use Sys::GRP;
 
 POSIX::setlocale(&POSIX::LC_MESSAGES, "");
 
@@ -849,34 +850,17 @@ sub dropPrivileges
 
     my $pw = getpwnam($user) || return 0;
 
-    # Find all the groups the user is a member of
-    my @groups;
-    while (my ($name, $comment, $ggid, $mstr) = getgrent()) 
+    $GID  = $pw->gid(); # $GID only accepts a single number according to perlvar
+    $EGID = $pw->gid();
+    if( Sys::GRP::initgroups($user, $pw->gid()) != 0 )
     {
-        my %membership = map { $_ => 1 } split(/\s/, $mstr);
-        if(exists $membership{$user}) {
-            push(@groups, $ggid) if $ggid ne 0 and $ggid ne $pw->gid();
-        }
+        return 0;
     }
-    my $newgid = $pw->gid()." ".join(" ", sort { $a <=> $b} @groups);
-
-    $GID = $pw->gid(); # $GID only accepts a single number according to perlvar
-    $EGID = $pw->gid()." $newgid";
     POSIX::setuid( $pw->uid() ) || return 0;
 
     # test is euid is correct
     return 0 if( POSIX::geteuid() != $pw->uid() );
 
-    # Perl adds $gid two times to the list so it also gets set in posix groups
-    $newgid = join(" ", sort { $a <=> $b} @groups, $pw->gid(), $pw->gid());
-
-    # Sort the output so we can compare it
-    my $cgid = join(" ", sort { $a <=> $b } split(/\s/, $GID));
-    my $cegid = join(" ", sort { $a <=> $b } split(/\s/, $EGID));
-
-    # Check that we did actually drop the privileges
-    return 0 if($cgid ne $newgid or $cegid ne $newgid);
-
     $ENV{'HOME'} = $pw->dir();
     if( chdir( $pw->dir() ) )
     {