dovecot-2.0: restrict_access(): Show uid/gid source in setuid()/...
dovecot at dovecot.org
dovecot at dovecot.org
Mon Feb 7 22:37:49 EET 2011
details: http://hg.dovecot.org/dovecot-2.0/rev/cb2c008ae3e8
changeset: 12586:cb2c008ae3e8
user: Timo Sirainen <tss at iki.fi>
date: Mon Feb 07 22:37:19 2011 +0200
description:
restrict_access(): Show uid/gid source in setuid()/setgid() failure messages if given.
diffstat:
src/lib/restrict-access.c | 42 ++++++++++++++++++++++++++++--------------
src/lib/restrict-access.h | 4 ++++
2 files changed, 32 insertions(+), 14 deletions(-)
diffs (97 lines):
diff -r c34d871a7bb6 -r cb2c008ae3e8 src/lib/restrict-access.c
--- a/src/lib/restrict-access.c Fri Feb 04 19:48:29 2011 +0200
+++ b/src/lib/restrict-access.c Mon Feb 07 22:37:19 2011 +0200
@@ -6,6 +6,7 @@
#include <unistd.h>
#include "lib.h"
+#include "str.h"
#include "restrict-access.h"
#include "env-util.h"
@@ -61,24 +62,31 @@
return ret;
}
-static void restrict_init_groups(gid_t primary_gid, gid_t privileged_gid)
+static void restrict_init_groups(gid_t primary_gid, gid_t privileged_gid,
+ const char *gid_source)
{
+ string_t *str;
+
if (privileged_gid == (gid_t)-1) {
if (primary_gid == getgid() && primary_gid == getegid()) {
/* everything is already set */
return;
}
- if (setgid(primary_gid) != 0) {
- i_fatal("setgid(%s) failed with "
- "euid=%s, gid=%s, egid=%s: %m "
- "(This binary should probably be called with "
- "process group set to %s instead of %s)",
- get_gid_str(primary_gid), get_uid_str(geteuid()),
- get_gid_str(getgid()), get_gid_str(getegid()),
- get_gid_str(primary_gid), get_gid_str(getegid()));
- }
- return;
+ if (setgid(primary_gid) == 0)
+ return;
+
+ str = t_str_new(128);
+ str_printfa(str, "setgid(%s", get_gid_str(primary_gid));
+ if (gid_source != NULL)
+ str_printfa(str, " from %s", gid_source);
+ str_printfa(str, ") failed with euid=%s, gid=%s, egid=%s: %m "
+ "(This binary should probably be called with "
+ "process group set to %s instead of %s)",
+ get_uid_str(geteuid()),
+ get_gid_str(getgid()), get_gid_str(getegid()),
+ get_gid_str(primary_gid), get_gid_str(getegid()));
+ i_fatal("%s", str_c(str));
}
if (getegid() != 0 && primary_gid == getgid() &&
@@ -245,7 +253,7 @@
if (process_primary_gid == (gid_t)-1)
process_primary_gid = getegid();
restrict_init_groups(process_primary_gid,
- process_privileged_gid);
+ process_privileged_gid, set->gid_source);
} else {
if (process_primary_gid == (gid_t)-1)
process_primary_gid = getegid();
@@ -295,11 +303,17 @@
/* uid last */
if (set->uid != (uid_t)-1) {
if (setuid(set->uid) != 0) {
- i_fatal("setuid(%s) failed with euid=%s: %m "
+ string_t *str = t_str_new(128);
+
+ str_printfa(str, "setuid(%s", get_uid_str(set->uid));
+ if (set->uid_source != NULL)
+ str_printfa(str, " from %s", set->uid_source);
+ str_printfa(str, ") failed with euid=%s: %m "
"(This binary should probably be called with "
"process user set to %s instead of %s)",
- get_uid_str(set->uid), get_uid_str(geteuid()),
+ get_uid_str(geteuid()),
get_uid_str(set->uid), get_uid_str(geteuid()));
+ i_fatal("%s", str_c(str));
}
}
diff -r c34d871a7bb6 -r cb2c008ae3e8 src/lib/restrict-access.h
--- a/src/lib/restrict-access.h Fri Feb 04 19:48:29 2011 +0200
+++ b/src/lib/restrict-access.h Mon Feb 07 22:37:19 2011 +0200
@@ -19,6 +19,10 @@
group user contains other GIDs, they're silently dropped. */
gid_t first_valid_gid, last_valid_gid;
+ /* Human readable "source" of UID and GID values. If non-NULL,
+ displayed on error messages about failing to change uid/gid. */
+ const char *uid_source, *gid_source;
+
/* Chroot directory */
const char *chroot_dir;
};
More information about the dovecot-cvs
mailing list