[dovecot-cvs] dovecot/src/lib restrict-access.c,1.21,1.22

tss at dovecot.org tss at dovecot.org
Sun Dec 3 15:45:13 UTC 2006


Update of /var/lib/cvs/dovecot/src/lib
In directory talvi:/tmp/cvs-serv4027

Modified Files:
	restrict-access.c 
Log Message:
restrict_gid_first/last wasn't working correctly for non-primary groups.
Also restrict_gid_first=0 caused failures if user had 0 in non-primary
groups.



Index: restrict-access.c
===================================================================
RCS file: /var/lib/cvs/dovecot/src/lib/restrict-access.c,v
retrieving revision 1.21
retrieving revision 1.22
diff -u -d -r1.21 -r1.22
--- restrict-access.c	13 Jan 2006 20:26:01 -0000	1.21
+++ restrict-access.c	3 Dec 2006 15:45:10 -0000	1.22
@@ -53,7 +53,7 @@
 	return gid_list;
 }
 
-static void drop_restricted_groups(void)
+static void drop_restricted_groups(bool *have_root_group)
 {
 	/* @UNSAFE */
 	const char *env;
@@ -73,13 +73,16 @@
 
 	for (i = 0, used = 0; i < gid_count; i++) {
 		if (gid_list[i] >= first_valid_gid &&
-		    (last_valid_gid == 0 || gid_list[i] <= last_valid_gid))
+		    (last_valid_gid == 0 || gid_list[i] <= last_valid_gid)) {
+			if (gid_list[i] == 0)
+				*have_root_group = TRUE;
 			gid_list[used++] = gid_list[i];
+		}
 	}
 
 	if (used != gid_count) {
 		/* it did contain restricted groups, remove it */
-		if (setgroups(gid_count, gid_list) < 0)
+		if (setgroups(used, gid_list) < 0)
 			i_fatal("setgroups() failed: %m");
 	}
 	t_pop();
@@ -127,12 +130,14 @@
 	const char *env;
 	gid_t gid;
 	uid_t uid;
+	bool have_root_group;
 
 	/* groups - the getgid() checks are just so we don't fail if we're
 	   not running as root and try to just use our own GID. Do this
 	   before chrooting so initgroups() actually works. */
 	env = getenv("RESTRICT_SETGID");
 	gid = env == NULL ? 0 : (gid_t)strtoul(env, NULL, 10);
+	have_root_group = gid == 0;
 	if (gid != 0 && (gid != getgid() || gid != getegid())) {
 		if (setgid(gid) != 0)
 			i_fatal("setgid(%s) failed: %m", dec2str(gid));
@@ -150,7 +155,7 @@
 					env, dec2str(gid));
 			}
 
-                        drop_restricted_groups();
+                        drop_restricted_groups(&have_root_group);
 		}
 	}
 
@@ -192,7 +197,7 @@
 	}
 
 	env = getenv("RESTRICT_GID_FIRST");
-	if ((gid != 0 || (env != NULL && atoi(env) != 0)) && uid != 0) {
+	if ((!have_root_group || (env != NULL && atoi(env) != 0)) && uid != 0) {
 		if (getgid() == 0 || getegid() == 0 || setgid(0) == 0) {
 			if (gid == 0)
 				i_fatal("GID 0 isn't permitted");



More information about the dovecot-cvs mailing list