dovecot-2.2-pigeonhole: lib-sieve: program client: Made sure sup...
pigeonhole at rename-it.nl
pigeonhole at rename-it.nl
Wed Dec 17 00:12:57 UTC 2014
details: http://hg.rename-it.nl/dovecot-2.2-pigeonhole/rev/e6087ee9a301
changeset: 1976:e6087ee9a301
user: Stephan Bosch <stephan at rename-it.nl>
date: Wed Dec 17 01:12:43 2014 +0100
description:
lib-sieve: program client: Made sure supplemental group privileges are also dropped.
diffstat:
src/lib-sieve/util/program-client-local.c | 35 ++++++++++++++----------------
1 files changed, 16 insertions(+), 19 deletions(-)
diffs (61 lines):
diff -r dbce56ea72cb -r e6087ee9a301 src/lib-sieve/util/program-client-local.c
--- a/src/lib-sieve/util/program-client-local.c Wed Dec 17 00:58:58 2014 +0100
+++ b/src/lib-sieve/util/program-client-local.c Wed Dec 17 01:12:43 2014 +0100
@@ -18,7 +18,7 @@
#include <sys/wait.h>
#include <unistd.h>
#include <fcntl.h>
-
+#include <grp.h>
struct program_client_local {
struct program_client client;
@@ -186,33 +186,30 @@
if (seteuid(0) < 0)
i_fatal("seteuid(0) failed: %m");
- /* drop gid first */
+ /* drop gids first */
gid = getgid();
if ( gid == 0 || gid != pclient->set.gid ) {
- if ( pclient->set.gid != 0 ) {
- if ( setgid(pclient->set.gid) < 0 )
- i_fatal("setgid(%d) failed: %m", pclient->set.gid);
- } else {
+ if ( pclient->set.gid != 0 )
+ gid = pclient->set.gid;
+ else
gid = getegid();
- if (gid != 0 && setgid(gid) < 0) {
- i_fatal("setgid(%d) failed: %m", gid);
- }
- }
}
+ if ( setgroups(1, &gid) < 0 )
+ i_fatal("setgroups(%d) failed: %m", gid);
+ if ( gid != 0 && setgid(gid) < 0 )
+ i_fatal("setgid(%d) failed: %m", gid);
/* drop uid */
- if ( pclient->set.uid != 0 ) {
- if ( setuid(pclient->set.uid) )
- i_fatal("setuid(%d) failed: %m", pclient->set.uid);
- } else {
+ if ( pclient->set.uid != 0 )
+ uid = pclient->set.uid;
+ else
uid = geteuid();
- if ( uid != 0 && setuid(uid) < 0 )
- i_fatal("setuid(%d) failed: %m", uid);
- }
+ if ( uid != 0 && setuid(uid) < 0 )
+ i_fatal("setuid(%d) failed: %m", uid);
}
- i_assert(getuid() != 0);
- i_assert(getgid() != 0);
+ i_assert(pclient->set.uid == 0 || getuid() != 0);
+ i_assert(pclient->set.gid == 0 || getgid() != 0);
if ( array_is_created(&pclient->envs) )
envs = array_get(&pclient->envs, &count);
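Review bot: The new `setgroups(1, &gid)` call installs whatever `gid` ended up being as the sole supplementary group, so in the path where `pclient->set.gid` is 0 and the effective gid is also 0, the list becomes {0} and the following `setgid()` is skipped — no group privilege is dropped there, which is at odds with the commit's stated goal unless "setting 0 means keep current credentials" is intended. If it is, a comment would make the contract explicit, e.g. `/* set.gid == 0 keeps the effective gid; setgroups() still clears every other supplementary group */`, and the same intent should be stated next to the relaxed `i_assert(pclient->set.uid == 0 || getuid() != 0)` / `getgid()` checks, which turn the former fail-closed assertions into ones that accept a root child whenever the setting is 0. `uid_t`/`gid_t` are typically unsigned, so `%d` in the new `setgroups(%d)` message (and the surviving `setgid`/`setuid` ones) is a format mismatch; `"%ld", (long)gid` avoids it. The enclosing function begins before and continues past this hunk.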