From c336121fb5a5c1b9cb9b2cd4cea50f0788270505 Mon Sep 17 00:00:00 2001
From: Brian Wellington
Date: Fri, 7 Jul 2000 23:53:35 +0000
Subject: [PATCH] Hopefully the last change to the setuid code. Only call initgroups() if getuid() == 0. Don't call ns_os_changeuser() more than once (it could happen on Linux). The code in its current form doesn't check for root before calling setgid() or setuid(), since they'll fail and print reasonable error messages (unless -u is supplied with the non-root user that ran named, in which case it would succeed). The call to initgroups() would fail for non root, so it shouldn't be tried. The previous (as of a few days ago) code just ignored the -u parameter when named was run as non-root. This was not good.
---
 bin/named/unix/os.c | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/bin/named/unix/os.c b/bin/named/unix/os.c
index dcae3d1f81..e9ae0584b6 100644
--- a/bin/named/unix/os.c
+++ b/bin/named/unix/os.c
@@ -15,7 +15,7 @@
 * SOFTWARE.
 */
-/* $Id: os.c,v 1.24 2000/07/07 22:10:54 bwelling Exp $ */
+/* $Id: os.c,v 1.25 2000/07/07 23:53:35 bwelling Exp $ */
 #include
@@ -44,6 +44,7 @@ static isc_boolean_t non_root = ISC_FALSE;
 #endif
 static struct passwd *runas_pw = NULL;
+static isc_boolean_t done_setuid = ISC_FALSE;
 #ifdef HAVE_LINUX_CAPABILITY_H
@@ -263,7 +264,7 @@ ns_os_chroot(const char *root) {
 void
 ns_os_inituserinfo(const char *username) {
- if (username == NULL || getuid() != 0)
+ if (username == NULL)
 return;
 if (all_digits(username))
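Review bot: The early return in ns_os_inituserinfo() no longer says why a non-root caller is allowed to resolve the -u user, and that reasoning currently lives only in the commit message. A comment above the guard would keep it next to the code, for example `/* Non-root callers are let through on purpose; setgid()/setuid() in ns_os_changeuser() report the failure. */`. The rest of the function body lies outside this hunk, so how the lookup result is validated is not visible here.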
@@ -278,17 +279,21 @@ ns_os_inituserinfo(const char *username) {
 void
 ns_os_changeuser(void) {
- if (runas_pw == NULL)
+ if (runas_pw == NULL || done_setuid)
 return;
+ done_setuid = ISC_TRUE;
+
 #ifdef HAVE_LINUXTHREADS
 if (!non_root_caps)
 ns_main_earlyfatal(
 "-u not supported on Linux kernels older than 2.3.99-pre3");
 #endif
- if (initgroups(runas_pw->pw_name, runas_pw->pw_gid) < 0)
- ns_main_earlyfatal("initgroups(): %s", strerror(errno));
+ if (getuid() == 0) {
+ if (initgroups(runas_pw->pw_name, runas_pw->pw_gid) < 0)
+ ns_main_earlyfatal("initgroups(): %s", strerror(errno));
+ }
 if (setgid(runas_pw->pw_gid) < 0)
 ns_main_earlyfatal("setgid(): %s", strerror(errno));
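Review bot: The new `if (getuid() == 0)` guard in ns_os_changeuser() tests the real uid, so a process that can change ids without real uid 0 skips initgroups() and keeps its inherited supplementary groups after setgid() succeeds. That would apply with an effective uid of 0, and possibly on the Linux capability path this file supports, though whether named is ever started that way is not visible here. Testing the effective uid is closer to what initgroups() needs: `if (geteuid() == 0) {`. A comment on the block, such as `/* initgroups() needs privilege; an unprivileged -u to the invoking user keeps that user's groups */`, would record the intent. The function continues past the end of the hunk, so the setuid() step and any check after the drop are not shown.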