Permalink
Browse files

- lophttpd, frontend: fixing initgroups() call which must happen outs…

…ide chroot

  (the setgid() was ok, so it was at worst running with less suppl GIDs than
   assumed)
  • Loading branch information...
stealth committed Oct 8, 2013
1 parent 03fd8af commit a39de271a189c4cb4c32a3b0710513604df3d2a1
Showing with 11 additions and 4 deletions.
  1. +7 −2 frontend-main.cc
  2. +4 −2 main.cc
View
@@ -133,16 +133,21 @@ int main(int argc, char **argv)
die("prctl");
#endif
// Must happen before chroot()
if (initgroups(rproxy_config::user.c_str(), pw->pw_gid) < 0)
die("initgroups", euid == 0);
chdir("/");
if (chroot(rproxy_config::root.c_str()) < 0)
die("chroot", euid == 0);
if (setgid(pw->pw_gid) < 0)
die("setgid", euid == 0);
if (initgroups(rproxy_config::user.c_str(), pw->pw_gid) < 0)
die("initgroups", euid == 0);
if (setuid(pw->pw_uid) < 0)
die("setuid", euid == 0);
// Commented because not needed. Only for IP_TRANSPARENT support
// if it ever comes
#if 0
cap_t my_caps;
cap_value_t cv[2] = {CAP_NET_ADMIN, CAP_NET_BIND_SERVICE};
View
@@ -307,6 +307,10 @@ int main(int argc, char **argv)
}
}
// Must happen before chroot()
if (initgroups(httpd_config::user.c_str(), httpd_config::user_gid) < 0)
die("initgroups", euid == 0);
if (chdir(httpd_config::root.c_str()) < 0)
die("chdir");
@@ -324,8 +328,6 @@ int main(int argc, char **argv)
if (setgid(httpd_config::user_gid) < 0)
die("setgid", euid == 0);
if (initgroups(httpd_config::user.c_str(), httpd_config::user_gid) < 0)
die("initgroups", euid == 0);
if (setuid(httpd_config::user_uid) < 0)
die("setuid", euid == 0);

0 comments on commit a39de27

Please sign in to comment.