69 lines
1.9 KiB
Diff
69 lines
1.9 KiB
Diff
From 3cac85a3f97d0a22270166f428209f873b58c319 Mon Sep 17 00:00:00 2001
|
|
From: Chris Leech <cleech@redhat.com>
|
|
Date: Tue, 11 Jun 2013 11:25:27 -0700
|
|
Subject: [PATCH] iscsid: fix order of setting uid/gid and drop supplementary
|
|
groups
|
|
|
|
If using the user and group ID settings together the existing order of
|
|
calling setuid first will almost always cause the setgid call to fail,
|
|
assuming the new effective user id does not have the CAP_SETGID
|
|
capability. The effective group ID needs to change first.
|
|
|
|
While we're at it, if iscsid is started as root it should drop any
|
|
inherited supplementary group permissions.
|
|
|
|
And if anyone is actually using this to try and isolate capabilities,
|
|
they probably care enough to want to known that it is failing. Make
|
|
iscsid startup fail instead of just calling perror.
|
|
|
|
Signed-off-by: Chris Leech <cleech@redhat.com>
|
|
---
|
|
usr/iscsid.c | 23 +++++++++++++++++++----
|
|
1 file changed, 19 insertions(+), 4 deletions(-)
|
|
|
|
diff --git a/usr/iscsid.c b/usr/iscsid.c
|
|
index b4bb65b..c0ea6fa 100644
|
|
--- a/usr/iscsid.c
|
|
+++ b/usr/iscsid.c
|
|
@@ -27,6 +27,7 @@
|
|
#include <unistd.h>
|
|
#include <string.h>
|
|
#include <signal.h>
|
|
+#include <grp.h>
|
|
#include <sys/mman.h>
|
|
#include <sys/utsname.h>
|
|
#include <sys/types.h>
|
|
@@ -477,11 +478,25 @@ int main(int argc, char *argv[])
|
|
}
|
|
}
|
|
|
|
- if (uid && setuid(uid) < 0)
|
|
- perror("setuid\n");
|
|
+ if (gid && setgid(gid) < 0) {
|
|
+ log_error("Unable to setgid to %d\n", gid);
|
|
+ log_close(log_pid);
|
|
+ exit(ISCSI_ERR);
|
|
+ }
|
|
|
|
- if (gid && setgid(gid) < 0)
|
|
- perror("setgid\n");
|
|
+ if ((geteuid() == 0) && (getgroups(0, NULL))) {
|
|
+ if (setgroups(0, NULL) != 0) {
|
|
+ log_error("Unable to drop supplementary group ids\n");
|
|
+ log_close(log_pid);
|
|
+ exit(ISCSI_ERR);
|
|
+ }
|
|
+ }
|
|
+
|
|
+ if (uid && setuid(uid) < 0) {
|
|
+ log_error("Unable to setuid to %d\n", uid);
|
|
+ log_close(log_pid);
|
|
+ exit(ISCSI_ERR);
|
|
+ }
|
|
|
|
memset(&daemon_config, 0, sizeof (daemon_config));
|
|
daemon_config.pid_file = pid_file;
|
|
--
|
|
1.8.1.4
|
|
|