Skip to content
Permalink
Browse files

port1.0: Ensure adduser drops privs in all cases

adduser and addgroup (invoked by the add_users statement in
handle_add_users) elevates its privileges, but does not always drop them
again. Specifically, this could happen if a user or group already
existed, in which case adduser did elevate to root, but not drop back to
the macportsuser again.

This can cause files to be created with incorrect permissions, which can
then cause permissions problems in subsequent phases.

Closes: https://trac.macports.org/ticket/50918
(cherry picked from commit 9dbfd65)
  • Loading branch information
neverpanic committed Jun 19, 2020
1 parent cd583fe commit fcb9cd207563a64bdc841ac8f97b044fcbeb0e46
Showing with 19 additions and 6 deletions.
  1. +19 −6 src/port1.0/portutil.tcl
@@ -2302,9 +2302,6 @@ proc adduser {name args} {
ui_warn "adduser only works when running as root."
ui_warn "The requested user '$name' was not created."
return
} elseif {[geteuid] != 0} {
seteuid 0; setegid 0
set escalated 1
}

set passwd {*}
@@ -2325,6 +2322,11 @@ proc adduser {name args} {
return
}

if {[geteuid] != 0} {
seteuid 0; setegid 0
set escalated 1
}

if {${os.platform} eq "darwin"} {
set dscl [findBinary dscl $portutil::autoconf::dscl_path]
set failed? 0
@@ -2391,6 +2393,11 @@ proc adduser {name args} {
}
}

# drop privileges if they were escalated before
if {[info exists escalated]} {
dropPrivileges
}

# and raise an error to abort
error "dscl failed to create required user $name."
}
@@ -2413,9 +2420,6 @@ proc addgroup {name args} {
ui_warn "addgroup only works when running as root."
ui_warn "The requested group '$name' was not created."
return
} elseif {[geteuid] != 0} {
seteuid 0; setegid 0
set escalated 1
}

set gid [nextgid]
@@ -2434,6 +2438,11 @@ proc addgroup {name args} {
return
}

if {[geteuid] != 0} {
seteuid 0; setegid 0
set escalated 1
}

if {${os.platform} eq "darwin"} {
set dscl [findBinary dscl $portutil::autoconf::dscl_path]
set failed? 0
@@ -2490,6 +2499,10 @@ proc addgroup {name args} {
}
}

if {[info exists escalated]} {
dropPrivileges
}

# and raise an error to abort
error "dscl failed to create required group $name."
}

0 comments on commit fcb9cd2

Please sign in to comment.
You can’t perform that action at this time.