Skip to content
This repository has been archived by the owner on May 4, 2018. It is now read-only.

unix: call setgoups before calling setuid/setgid #1105

Closed
wants to merge 1 commit into from
Closed
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 14 additions & 0 deletions src/unix/process.c
Original file line number Diff line number Diff line change
Expand Up @@ -330,6 +330,20 @@ static void uv__process_child_init(const uv_process_options_t* options,
_exit(127);
}

if (options->flags & (UV_PROCESS_SETUID | UV_PROCESS_SETGID)) {
/* When dropping privileges from root, the `setgroups` call will
* remove any extraneous groups. If we don't call this, then
* even though our uid has dropped, we may still have groups
* that enable us to do super-user things. This will fail if we
* aren't root, so don't bother checking the return value, this
* is just done as an optimistic privilege dropping function.
*/
int saved_errno;
saved_errno = errno;
setgroups(0, NULL);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Perhaps, clear errno?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I mean restore.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I thought about it, but we don't check for it unless any of the remaining function calls fail, so does it matter much? Or is it just good practice? I could just set errno to 0 if setgroups fails.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Better just restore it, yeah it is just for the sake of style.

errno = saved_errno;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can be shortened to SAVE_ERRNO(setgroups(0, NULL)) but apart from that LGTM.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks Ben, will fix.
On Feb 10, 2014 6:55 PM, "Ben Noordhuis" notifications@github.com wrote:

In src/unix/process.c:

@@ -330,6 +330,20 @@ static void uv__process_child_init(const uv_process_options_t* options,
_exit(127);
}

  • if (options->flags & (UV_PROCESS_SETUID | UV_PROCESS_SETGID)) {
  • /* When dropping privileges from root, the setgroups call will
  • \* remove any extraneous groups. If we don't call this, then
    
  • \* even though our uid has dropped, we may still have groups
    
  • \* that enable us to do super-user things. This will fail if we
    
  • \* aren't root, so don't bother checking the return value, this
    
  • \* is just done as an optimistic privilege dropping function.
    
  • */
    
  • int saved_errno;
  • saved_errno = errno;
  • setgroups(0, NULL);
  • errno = saved_errno;

Can be shortened to SAVE_ERRNO(setgroups(0, NULL)) but apart from that
LGTM.


Reply to this email directly or view it on GitHubhttps://github.com//pull/1105/files#r9593936
.

}

if ((options->flags & UV_PROCESS_SETGID) && setgid(options->gid)) {
uv__write_int(error_fd, -errno);
perror("setgid()");
Expand Down