[dovecot-cvs] dovecot/src/lib restrict-access.c,1.10,1.11 restrict-access.h,1.4,1.5

[cras at procontrol.fi]

Update of /home/cvs/dovecot/src/lib
In directory danu:/tmp/cvs-serv10925/src/lib

Modified Files:
	restrict-access.c restrict-access.h 
Log Message:
Allow first_valid_gid to be 0. Drop any supplementary groups not in valid
gid range.



Index: restrict-access.c
===================================================================
RCS file: /home/cvs/dovecot/src/lib/restrict-access.c,v
retrieving revision 1.10
retrieving revision 1.11
diff -u -d -r1.10 -r1.11
--- restrict-access.c	4 Mar 2003 04:00:13 -0000	1.10
+++ restrict-access.c	26 May 2003 15:26:29 -0000	1.11
@@ -30,8 +30,15 @@
 #include <time.h>
 #include <grp.h>
 
+#define HARD_MAX_GROUPS 10240
+
+#ifndef NGROUPS_MAX
+#  define NGROUPS_MAX 128
+#endif
+
 void restrict_access_set_env(const char *user, uid_t uid, gid_t gid,
-			     const char *chroot_dir)
+			     const char *chroot_dir,
+			     gid_t first_valid_gid, gid_t last_valid_gid)
 {
 	if (user != NULL && *user != '\0')
 		env_put(t_strconcat("RESTRICT_USER=", user, NULL));
@@ -40,33 +47,68 @@
 
 	env_put(t_strdup_printf("RESTRICT_SETUID=%s", dec2str(uid)));
 	env_put(t_strdup_printf("RESTRICT_SETGID=%s", dec2str(gid)));
+
+	if (first_valid_gid != 0) {
+		env_put(t_strdup_printf("RESTRICT_GID_FIRST=%s",
+					dec2str(first_valid_gid)));
+	}
+	if (last_valid_gid != 0) {
+		env_put(t_strdup_printf("RESTRICT_GID_LAST=%s",
+					dec2str(last_valid_gid)));
+	}
 }
 
-void restrict_access_by_env(int disallow_root)
+static void drop_restricted_groups(void)
 {
+	/* @UNSAFE */
 	const char *env;
-	gid_t gid;
-	uid_t uid;
+	gid_t *gid_list, first_valid_gid, last_valid_gid;
+	int ret, i, gid_count;
 
-	/* chrooting */
-	env = getenv("RESTRICT_CHROOT");
-	if (env != NULL) {
-		/* kludge: localtime() must be called before chroot(),
-		   or the timezone isn't known */
-		time_t t = 0;
-		(void)localtime(&t);
+	env = getenv("RESTRICT_GID_FIRST");
+	first_valid_gid = env == NULL ? 0 : (gid_t)atol(env);
+	env = getenv("RESTRICT_GID_LAST");
+	last_valid_gid = env == NULL ? 0 : (gid_t)atol(env);
 
-		if (chroot(env) != 0)
-			i_fatal("chroot(%s) failed: %m", env);
+	if (first_valid_gid == 0 && last_valid_gid == 0)
+		return;
 
-		if (chdir("/") != 0)
-			i_fatal("chdir(/) failed: %m");
+	gid_count = NGROUPS_MAX;
+	gid_list = t_buffer_get(sizeof(gid_t) * gid_count);
+	while ((ret = getgroups(gid_count, gid_list)) < 0) {
+		if (errno != EINVAL ||
+		    gid_count < HARD_MAX_GROUPS)
+			i_fatal("getgroups() failed: %m");
+
+		gid_count *= 2;
+		gid_list = t_buffer_reget(gid_list, sizeof(gid_t) * gid_count);
 	}
 
+	gid_count = 0;
+	for (i = 0; i < ret; i++) {
+		if (gid_list[i] >= first_valid_gid &&
+		    (last_valid_gid == 0 || gid_list[i] <= last_valid_gid))
+			gid_list[gid_count++] = gid_list[i];
+	}
+
+	if (ret != gid_count) {
+		/* it did contain 0, remove it */
+		if (setgroups(gid_count, gid_list) < 0)
+			i_fatal("setgroups() failed: %m");
+	}
+}
+
+void restrict_access_by_env(int disallow_root)
+{
+	const char *env;
+	gid_t gid;
+	uid_t uid;
+
 	/* groups - the getgid() checks are just so we don't fail if we're
-	   not running as root and try to just use our own GID. */
+	   not running as root and try to just use our own GID. Do this
+	   before chrooting so initgroups() actually works. */
 	env = getenv("RESTRICT_SETGID");
-	gid = env == NULL ? 0 : (gid_t) atol(env);
+	gid = env == NULL ? 0 : (gid_t)atol(env);
 	if (gid != 0 && (gid != getgid() || gid != getegid())) {
 		if (setgid(gid) != 0)
 			i_fatal("setgid(%s) failed: %m", dec2str(gid));
@@ -74,18 +116,38 @@
 		env = getenv("RESTRICT_USER");
 		if (env == NULL) {
 			/* user not known, use only this one group */
-			(void)setgroups(1, &gid);
+			if (setgroups(1, &gid) < 0) {
+				i_fatal("setgroups(%s) failed: %m",
+					dec2str(gid));
+			}
 		} else {
 			if (initgroups(env, gid) != 0) {
 				i_fatal("initgroups(%s, %s) failed: %m",
 					env, dec2str(gid));
 			}
+
+                        drop_restricted_groups();
 		}
 	}
 
+	/* chrooting */
+	env = getenv("RESTRICT_CHROOT");
+	if (env != NULL) {
+		/* kludge: localtime() must be called before chroot(),
+		   or the timezone isn't known */
+		time_t t = 0;
+		(void)localtime(&t);
+
+		if (chroot(env) != 0)
+			i_fatal("chroot(%s) failed: %m", env);
+
+		if (chdir("/") != 0)
+			i_fatal("chdir(/) failed: %m");
+	}
+
 	/* uid last */
 	env = getenv("RESTRICT_SETUID");
-	uid = env == NULL ? 0 : (uid_t) atol(env);
+	uid = env == NULL ? 0 : (uid_t)atol(env);
 	if (uid != 0) {
 		if (setuid(uid) != 0)
 			i_fatal("setuid(%s) failed: %m", dec2str(uid));

Index: restrict-access.h
===================================================================
RCS file: /home/cvs/dovecot/src/lib/restrict-access.h,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -d -r1.4 -r1.5
--- restrict-access.h	4 Mar 2003 04:00:13 -0000	1.4
+++ restrict-access.h	26 May 2003 15:26:29 -0000	1.5
@@ -4,7 +4,8 @@
 /* set environment variables so they can be read with
    restrict_access_by_env() */
 void restrict_access_set_env(const char *user, uid_t uid, gid_t gid,
-			     const char *chroot_dir);
+			     const char *chroot_dir,
+			     gid_t first_valid_gid, gid_t last_valid_gid);
 
 /* chroot, setuid() and setgid() based on environment variables.
    If disallow_roots is TRUE, we'll kill ourself if we didn't have the