894576 fix order of setuid/setgid and drop additional groups

0063-fix-order-of-setting-uid-gid-and-drop-supplementary-.patch

@@ -0,0 +1,68 @@
+From 3cac85a3f97d0a22270166f428209f873b58c319 Mon Sep 17 00:00:00 2001
+From: Chris Leech <cleech@redhat.com>
+Date: Tue, 11 Jun 2013 11:25:27 -0700
+Subject: [PATCH] iscsid: fix order of setting uid/gid and drop supplementary
+ groups
+
+If using the user and group ID settings together the existing order of
+calling setuid first will almost always cause the setgid call to fail,
+assuming the new effective user id does not have the CAP_SETGID
+capability.  The effective group ID needs to change first.
+
+While we're at it, if iscsid is started as root it should drop any
+inherited supplementary group permissions.
+
+And if anyone is actually using this to try and isolate capabilities,
+they probably care enough to want to known that it is failing.  Make
+iscsid startup fail instead of just calling perror.
+
+Signed-off-by: Chris Leech <cleech@redhat.com>
+---
+ usr/iscsid.c | 23 +++++++++++++++++++----
+ 1 file changed, 19 insertions(+), 4 deletions(-)
+
+diff --git a/usr/iscsid.c b/usr/iscsid.c
+index b4bb65b..c0ea6fa 100644
+--- a/usr/iscsid.c
++++ b/usr/iscsid.c
+@@ -27,6 +27,7 @@
+ #include <unistd.h>
+ #include <string.h>
+ #include <signal.h>
++#include <grp.h>
+ #include <sys/mman.h>
+ #include <sys/utsname.h>
+ #include <sys/types.h>
+@@ -477,11 +478,25 @@ int main(int argc, char *argv[])
+ 		}
+ 	}
+ 
+-	if (uid && setuid(uid) < 0)
+-		perror("setuid\n");
++	if (gid && setgid(gid) < 0) {
++		log_error("Unable to setgid to %d\n", gid);
++		log_close(log_pid);
++		exit(ISCSI_ERR);
++	}
+ 
+-	if (gid && setgid(gid) < 0)
+-		perror("setgid\n");
++	if ((geteuid() == 0) && (getgroups(0, NULL))) {
++		if (setgroups(0, NULL) != 0) {
++			log_error("Unable to drop supplementary group ids\n");
++			log_close(log_pid);
++			exit(ISCSI_ERR);
++		}
++	}
++
++	if (uid && setuid(uid) < 0) {
++		log_error("Unable to setuid to %d\n", uid);
++		log_close(log_pid);
++		exit(ISCSI_ERR);
++	}
+ 
+ 	memset(&daemon_config, 0, sizeof (daemon_config));
+ 	daemon_config.pid_file = pid_file;
+-- 
+1.8.1.4
+

iscsi-initiator-utils.spec

@@ -43,6 +43,7 @@ Patch59: 0059-iscsiuio-systemd-unit-files.patch
 Patch60: 0060-use-systemctl-to-start-iscsid.patch
 Patch61: 0061-resolve-565245-multilib-issues-caused-by-doxygen.patch
 Patch62: 0062-Don-t-check-for-autostart-sessions-if-iscsi-is-not-u.patch
+Patch63: 0063-fix-order-of-setting-uid-gid-and-drop-supplementary-.patch
 # iscsiuio patches
 Patch71: 0071-iscsiuio-0.7.4.3.patch
 Patch72: 0072-iscsiuio-0.7.6.1.patch
@@ -112,6 +113,7 @@ mv iscsiuio-%{iscsiuio_version} iscsiuio
 %patch60 -p1
 %patch61 -p1
 %patch62 -p1
+%patch63 -p1
 # iscsiuio patches
 cd iscsiuio
 %patch71 -p1
@@ -274,6 +276,7 @@ fi
 * Tue Jun 11 2013 Chris Leech <cleech@redhat.com> - 6.2.0.873-7
 - Use the systemd tmpfiles service to recreate lockfiles in /var/lock
 - 955167 build as a position independent executable
+- 894576 fix order of setuid/setgid and drop additional groups
 
 * Tue May 28 2013 Chris Leech <cleech@redhat.com> - 6.2.0.873-6
 - Don't have iscsiadm scan for autostart record if node db is empty (bug #951951)