commit 33bbeabb40d11a59266e0702adaa6a2e0acb6382 Author: Neil Brown Date: Wed Nov 26 12:01:06 2008 -0500 Ensure statd gets started if required when non-root user mounts an NFS filesystem. The first time an NFS filesystem is mounted, we start statd from /sbin/mount.nfs. If this first time is a non-root user doing the mount, (thanks to e.g. the 'users' option in /etc/fstab) then we need to be sure that the 'setuid' status from mount.nfs is inherited through to rpc.statd so that it runs as root. There are two places where we loose our setuid status due to the shell (/bin/sh) discarding. 1/ mount.nfs uses "system" to run /usr/sbin/start-statd. This runs a shell which is likely to drop privileges. So change that code to use 'fork' and 'execl' explicitly. 2/ start-statd is a shell script. To convince the shell to allow the program to run in privileged mode, we need to add a "-p" flag. We could just call setuid(getuid()) at some appropriate time, and it might be worth doing that as well, however I think that getting rid of 'system()' is a good idea and once that is done, the adding of '-p' is trivial and sufficient. Signed-off-by: Neil Brown Signed-off-by: Steve Dickson diff --git a/utils/mount/network.c b/utils/mount/network.c index 2db694d..806344c 100644 --- a/utils/mount/network.c +++ b/utils/mount/network.c @@ -36,6 +36,7 @@ #include #include +#include #include #include #include @@ -705,7 +706,18 @@ int start_statd(void) #ifdef START_STATD if (stat(START_STATD, &stb) == 0) { if (S_ISREG(stb.st_mode) && (stb.st_mode & S_IXUSR)) { - system(START_STATD); + pid_t pid = fork(); + switch (pid) { + case 0: /* child */ + execl(START_STATD, START_STATD, NULL); + exit(1); + case -1: /* error */ + perror("Fork failed"); + break; + default: /* parent */ + waitpid(pid, NULL,0); + break; + } if (probe_statd()) return 1; } diff --git a/utils/statd/start-statd b/utils/statd/start-statd index 6e7ea04..c7805ee 100644 --- a/utils/statd/start-statd +++ b/utils/statd/start-statd @@ -1,4 +1,4 @@ -#!/bin/sh +#!/bin/sh -p # nfsmount calls this script when mounting a filesystem with locking # enabled, but when statd does not seem to be running (based on # /var/run/rpc.statd.pid).