diff options
| author | Jeff Layton <jlayton@samba.org> | 2017-02-13 08:33:02 -0500 |
|---|---|---|
| committer | Jeff Layton <jlayton@samba.org> | 2017-02-14 18:44:37 -0500 |
| commit | a6662edb12b267e12bd67424e485ca081a97beb3 (patch) | |
| tree | 4f7d678341b4a7e9bb4b4b0639798d3afc000d3b | |
| parent | fb7693c50e99f2153500bb3590602993016051b4 (diff) | |
| download | cifs-utils-a6662edb12b267e12bd67424e485ca081a97beb3.tar.gz cifs-utils-a6662edb12b267e12bd67424e485ca081a97beb3.tar.bz2 cifs-utils-a6662edb12b267e12bd67424e485ca081a97beb3.zip | |
cifs.upcall: switch group IDs when handling an upcall
Currently, we leave the group ID alone, but in a later patch we'll be
changing cifs.upcall to scrape $KRB5CCNAME out of the originating
process. At that point, we want to be a little more careful with the
process credentials we'll be using.
After we get the uid, do a getpwuid and grab the default gid for the
user. Then use setgid to set it before calling setuid.
Signed-off-by: Jeff Layton <jlayton@samba.org>
| -rw-r--r-- | cifs.upcall.c | 37 |
1 files changed, 37 insertions, 0 deletions
diff --git a/cifs.upcall.c b/cifs.upcall.c index 418b179..2b535a1 100644 --- a/cifs.upcall.c +++ b/cifs.upcall.c @@ -46,6 +46,8 @@ #include <netdb.h> #include <arpa/inet.h> #include <ctype.h> +#include <pwd.h> +#include <grp.h> #include "replace.h" #include "data_blob.h" @@ -694,6 +696,7 @@ int main(const int argc, char *const argv[]) uid_t uid; char *keytab_name = NULL; krb5_ccache ccache = NULL; + struct passwd *pw; hostbuf[0] = '\0'; memset(&arg, 0, sizeof(arg)); @@ -795,15 +798,49 @@ int main(const int argc, char *const argv[]) goto out; } + /* + * The kernel doesn't pass down the gid, so we resort here to scraping + * one out of the passwd nss db. Note that this might not reflect the + * actual gid of the process that initiated the upcall. While we could + * scrape that out of /proc, relying on that is a bit more risky. + */ + pw = getpwuid(uid); + if (!pw) { + syslog(LOG_ERR, "Unable to find pw entry for uid %d: %s\n", + uid, strerror(errno)); + rc = 1; + goto out; + } + + /* + * The kernel should send down a zero-length grouplist already, but + * just to be on the safe side... + */ + rc = setgroups(0, NULL); + if (rc == -1) { + syslog(LOG_ERR, "setgroups: %s", strerror(errno)); + rc = 1; + goto out; + } + + rc = setgid(pw->pw_gid); + if (rc == -1) { + syslog(LOG_ERR, "setgid: %s", strerror(errno)); + rc = 1; + goto out; + } + rc = setuid(uid); if (rc == -1) { syslog(LOG_ERR, "setuid: %s", strerror(errno)); + rc = 1; goto out; } rc = krb5_init_context(&context); if (rc) { syslog(LOG_ERR, "unable to init krb5 context: %ld", rc); + rc = 1; goto out; } |