More secure setgroups functions. (thanks muh) - skalibs - Mirror/fork of https://skarnet.org/software/skalibs/

commit 8b000a20cc367c727b9f2c0d8e68372d0c9df995
parent 61c1f79bcace61c650edd09fc4424c2d08fbf79e
Author: Laurent Bercot <ska-skaware@skarnet.org>
Date:   Sun, 16 Jul 2017 16:52:08 +0000

 More secure setgroups functions. (thanks muh)

Diffstat:
M AUTHORS  | 1 +
M package/deps.mak  | 2 +-
M src/include/skalibs/setgroups.h  | 1 +
M src/libstddjb/prot_grps.c  | 14 ++++++++++++--
M src/libstddjb/setgroups.c  | 8 ++++++--

5 files changed, 21 insertions(+), 5 deletions(-)
diff --git a/AUTHORS b/AUTHORS
@@ -25,3 +25,4 @@ Thanks to:
   Roman I Khimov <khimov@altell.ru>
   Yannick Duchêne <yannick_duchene@yahoo.fr
   Martin Misuth <et.code@ethome.sk>
+  Michael Zuo <muh.muhten@gmail.com>
diff --git a/package/deps.mak b/package/deps.mak
@@ -430,7 +430,7 @@ src/libstddjb/pathexec_run.o src/libstddjb/pathexec_run.lo: src/libstddjb/pathex
 src/libstddjb/pipe_internal.o src/libstddjb/pipe_internal.lo: src/libstddjb/pipe_internal.c src/include/skalibs/djbunix.h src/include/skalibs/nonposix.h src/include/skalibs/sysdeps.h
 src/libstddjb/prog.o src/libstddjb/prog.lo: src/libstddjb/prog.c src/include/skalibs/strerr2.h
 src/libstddjb/prot.o src/libstddjb/prot.lo: src/libstddjb/prot.c src/include/skalibs/djbunix.h
-src/libstddjb/prot_grps.o src/libstddjb/prot_grps.lo: src/libstddjb/prot_grps.c src/include/skalibs/djbunix.h src/include/skalibs/nonposix.h src/include/skalibs/setgroups.h
+src/libstddjb/prot_grps.o src/libstddjb/prot_grps.lo: src/libstddjb/prot_grps.c src/include/skalibs/djbunix.h src/include/skalibs/setgroups.h
 src/libstddjb/prot_readgroups.o src/libstddjb/prot_readgroups.lo: src/libstddjb/prot_readgroups.c src/include/skalibs/djbunix.h
 src/libstddjb/rm_rf.o src/libstddjb/rm_rf.lo: src/libstddjb/rm_rf.c src/include/skalibs/djbunix.h src/include/skalibs/skamisc.h
 src/libstddjb/rm_rf_in_tmp.o src/libstddjb/rm_rf_in_tmp.lo: src/libstddjb/rm_rf_in_tmp.c src/include/skalibs/direntry.h src/include/skalibs/djbunix.h src/include/skalibs/stralloc.h
diff --git a/src/include/skalibs/setgroups.h b/src/include/skalibs/setgroups.h
@@ -9,6 +9,7 @@
 
 #include <unistd.h>
 
+extern int setgroups_and_gid (gid_t, size_t, gid_t const *) ;
 extern int setgroups_with_egid (size_t, gid_t const *) ;
 extern int skalibs_setgroups (size_t, gid_t const *) ;
 
diff --git a/src/libstddjb/prot_grps.c b/src/libstddjb/prot_grps.c
@@ -2,16 +2,26 @@
 
 /* MT-unsafe */
 
-#include <skalibs/nonposix.h>
 #include <unistd.h>
+#include <pwd.h>
 #include <grp.h>
 #include <limits.h>
+#include <errno.h>
 #include <skalibs/setgroups.h>
 #include <skalibs/djbunix.h>
 
 int prot_grps (char const *name)
 {
   gid_t tab[NGROUPS_MAX] ;
+  struct passwd *pw ;
   int n = prot_readgroups(name, tab, NGROUPS_MAX) ;
-  return n < 0 ? -1 : setgroups(n, tab) ;
+  if (n < 0) return n ;
+  errno = 0 ;
+  pw = getpwnam(name) ;
+  if (!pw)
+  {
+    if (!errno) errno = ENOENT ;
+    return -1 ;
+  }
+  return setgroups_and_gid(pw->pw_gid, n, tab) ;
 }
diff --git a/src/libstddjb/setgroups.c b/src/libstddjb/setgroups.c
@@ -10,10 +10,9 @@
 #include <grp.h>
 #include <skalibs/setgroups.h>
 
-int setgroups_with_egid (size_t n, gid_t const *tab)
+int setgroups_and_gid (gid_t g, size_t n, gid_t const *tab)
 {
   size_t i = 1 ;
-  gid_t g = getegid() ;
   if (!n) return setgroups(1, &g) ;
   if (tab[0] == g) return setgroups(n, tab) ;
   for (; i < n ; i++) if (tab[i] == g) break ;
@@ -34,6 +33,11 @@ int setgroups_with_egid (size_t n, gid_t const *tab)
   }
 }
 
+int setgroups_with_egid (size_t n, gid_t const *tab)
+{
+  return setgroups_and_gid(getegid(), n, tab) ;
+}
+
 int skalibs_setgroups (size_t n, gid_t const *tab)
 {
 #ifdef SKALIBS_BSD_SUCKS

	skalibs Mirror/fork of https://skarnet.org/software/skalibs/
	git clone https://ccx.te2000.cz/git/skalibs
	Log \| Files \| Refs \| README \| LICENSE

M	AUTHORS	\|	1	+
M	package/deps.mak	\|	2	+-
M	src/include/skalibs/setgroups.h	\|	1	+
M	src/libstddjb/prot_grps.c	\|	14	++++++++++++--
M	src/libstddjb/setgroups.c	\|	8	++++++--