lib: privs: make uid/gid accessible before setuid

author David Lamparter <equinox@opensourcerouting.org>

Thu, 1 Jun 2017 16:33:08 +0000 (18:33 +0200)

committer David Lamparter <equinox@opensourcerouting.org>

Wed, 2 Aug 2017 21:36:39 +0000 (23:36 +0200)
author David Lamparter <equinox@opensourcerouting.org>
Thu, 1 Jun 2017 16:33:08 +0000 (18:33 +0200)
committer David Lamparter <equinox@opensourcerouting.org>
Wed, 2 Aug 2017 21:36:39 +0000 (23:36 +0200)
diff --git a/ldpd/lde.c b/ldpd/lde.c

index 77643ff48bbad3ca037925dcd020cfe35faa7309..6c74c20125553e584326c0dd9f0a1d465174fc07 100644 (file)
--- a/ldpd/lde.c
+++ b/ldpd/lde.c
@@ -164,6 +164,7 @@ lde_init(struct ldpd_init *init)
         /* drop privileges */
         lde_privs.user = init->user;
         lde_privs.group = init->group;
+       zprivs_preinit(&lde_privs);
         zprivs_init(&lde_privs);
  
         /* start the LIB garbage collector */
diff --git a/ldpd/ldpe.c b/ldpd/ldpe.c

index b2f9fdce55797e848b6fd6815c76fdae902d790e..1c0a8bdc84fd83d14d87646ea524984ce9c5907b 100644 (file)
--- a/ldpd/ldpe.c
+++ b/ldpd/ldpe.c
@@ -142,6 +142,7 @@ ldpe_init(struct ldpd_init *init)
         /* drop privileges */
         ldpe_privs.user = init->user;
         ldpe_privs.group = init->group;
+       zprivs_preinit(&ldpe_privs);
         zprivs_init(&ldpe_privs);
  
         /* listen on ldpd control socket */
diff --git a/lib/libfrr.c b/lib/libfrr.c

index d168d830535d78643fc5d4d80aba5517e46e8985..e0bba297e04cdde12ef39ae7c60ad33c05dd3f8b 100644 (file)
--- a/lib/libfrr.c
+++ b/lib/libfrr.c
@@ -347,6 +347,8 @@ struct thread_master *frr_init(void)
                 snprintf(frr_protonameinst, sizeof(frr_protonameinst), "%s[%u]",
                          di->logname, di->instance);
  
+       zprivs_preinit(di->privs);
+
         openzlog(di->progname, di->logname, di->instance,
                  LOG_CONS | LOG_NDELAY | LOG_PID, LOG_DAEMON);
  #if defined(HAVE_CUMULUS)
diff --git a/lib/privs.c b/lib/privs.c

index c971596117f1b810600af31667115270f7a89b9c..eda3fb02d4c0b72a7ea33b6504210107e256b9ea 100644 (file)
--- a/lib/privs.c
+++ b/lib/privs.c
@@ -696,13 +696,10 @@ static int getgrouplist(const char *user, gid_t group, gid_t *groups,
  }
  #endif /* HAVE_GETGROUPLIST */
  
-void zprivs_init(struct zebra_privs_t *zprivs)
+void zprivs_preinit(struct zebra_privs_t *zprivs)
  {
         struct passwd *pwentry = NULL;
         struct group *grentry = NULL;
-       gid_t groups[NGROUPS_MAX];
-       int i, ngroups = 0;
-       int found = 0;
  
         if (!zprivs) {
                 fprintf(stderr, "zprivs_init: called with NULL arg!\n");
@@ -751,6 +748,18 @@ void zprivs_init(struct zebra_privs_t *zprivs)
  
                 zprivs_state.zgid = grentry->gr_gid;
         }
+}
+
+void zprivs_init(struct zebra_privs_t *zprivs)
+{
+       gid_t groups[NGROUPS_MAX];
+       int i, ngroups = 0;
+       int found = 0;
+
+       /* NULL privs */
+       if (!(zprivs->user || zprivs->group || zprivs->cap_num_p
+             || zprivs->cap_num_i))
+               return;
  
         if (zprivs->user) {
                 ngroups = sizeof(groups);
diff --git a/lib/privs.h b/lib/privs.h

index c18fe78add19ec62529452b0357a399a5c458a33..7fe59328b214fc57f4239644f863fbf4bace0d16 100644 (file)
--- a/lib/privs.h
+++ b/lib/privs.h
@@ -74,6 +74,7 @@ struct zprivs_ids_t {
  };
  
  /* initialise zebra privileges */
+extern void zprivs_preinit(struct zebra_privs_t *zprivs);
  extern void zprivs_init(struct zebra_privs_t *zprivs);
  /* drop all and terminate privileges */
  extern void zprivs_terminate(struct zebra_privs_t *);
diff --git a/ospfclient/ospfclient.c b/ospfclient/ospfclient.c

index 5713105f4250371184e9e986695567a74651128d..03b543a78644751207477de42240b2fd3f1c3682 100644 (file)
--- a/ospfclient/ospfclient.c
+++ b/ospfclient/ospfclient.c
@@ -307,6 +307,7 @@ int main(int argc, char *argv[])
         }
  
         /* Initialization */
+       zprivs_preinit(&ospfd_privs);
         zprivs_init(&ospfd_privs);
         master = thread_master_create(NULL);
  
diff --git a/tests/lib/test_privs.c b/tests/lib/test_privs.c

index c2cb5c2ea5afdcbea07cf6a53f2fccbcee8364d2..1984f28e635d2a7dab84f15932cfaf2b38c44c3d 100644 (file)
--- a/tests/lib/test_privs.c
+++ b/tests/lib/test_privs.c
@@ -108,6 +108,7 @@ int main(int argc, char **argv)
  
         /* Library inits. */
         memory_init();
+       zprivs_preinit(&test_privs);
         zprivs_init(&test_privs);
  
  #define PRIV_STATE()                                                           \
author	David Lamparter <equinox@opensourcerouting.org>
	Thu, 1 Jun 2017 16:33:08 +0000 (18:33 +0200)
committer	David Lamparter <equinox@opensourcerouting.org>
	Wed, 2 Aug 2017 21:36:39 +0000 (23:36 +0200)
ldpd/lde.c		patch \| blob \| history
ldpd/ldpe.c		patch \| blob \| history
lib/libfrr.c		patch \| blob \| history
lib/privs.c		patch \| blob \| history
lib/privs.h		patch \| blob \| history
ospfclient/ospfclient.c		patch \| blob \| history
tests/lib/test_privs.c		patch \| blob \| history