From 80fa6c037aafa09055a5ecde773d1dfdd914cb06 Mon Sep 17 00:00:00 2001 From: Wouter Wijngaards Date: Thu, 5 Feb 2009 11:12:01 +0000 Subject: [PATCH] call initgroups. git-svn-id: file:///svn/unbound/trunk@1453 be551aaa-1e26-0410-a405-d3ace91eadb9 --- config.h.in | 6 ++++++ configure | 6 ++++-- configure.ac | 4 ++-- daemon/unbound.c | 8 ++++++++ doc/Changelog | 2 ++ 5 files changed, 22 insertions(+), 4 deletions(-) diff --git a/config.h.in b/config.h.in index 956224da7..aa7ce2d23 100644 --- a/config.h.in +++ b/config.h.in @@ -85,6 +85,9 @@ /* Define to 1 if you have the `gmtime_r' function. */ #undef HAVE_GMTIME_R +/* Define to 1 if you have the header file. */ +#undef HAVE_GRP_H + /* If you have HMAC_CTX_init */ #undef HAVE_HMAC_CTX_INIT @@ -97,6 +100,9 @@ /* Define to 1 if you have the `inet_pton' function. */ #undef HAVE_INET_PTON +/* Define to 1 if you have the `initgroups' function. */ +#undef HAVE_INITGROUPS + /* Define to 1 if you have the header file. */ #undef HAVE_INTTYPES_H diff --git a/configure b/configure index a823b0b2c..0b1f96aef 100755 --- a/configure +++ b/configure @@ -19961,7 +19961,8 @@ fi -for ac_header in stdarg.h stdbool.h netinet/in.h sys/param.h sys/socket.h sys/uio.h sys/resource.h arpa/inet.h syslog.h netdb.h sys/wait.h pwd.h glob.h + +for ac_header in stdarg.h stdbool.h netinet/in.h sys/param.h sys/socket.h sys/uio.h sys/resource.h arpa/inet.h syslog.h netdb.h sys/wait.h pwd.h glob.h grp.h do as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh` { echo "$as_me:$LINENO: checking for $ac_header" >&5 @@ -25282,7 +25283,8 @@ fi -for ac_func in tzset sigprocmask fcntl getpwnam getrlimit setsid sbrk chroot kill sleep usleep random srandom recvmsg sendmsg writev setresuid setreuid setresgid setregid glob + +for ac_func in tzset sigprocmask fcntl getpwnam getrlimit setsid sbrk chroot kill sleep usleep random srandom recvmsg sendmsg writev setresuid setreuid setresgid setregid glob initgroups do as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh` { echo "$as_me:$LINENO: checking for $ac_func" >&5 diff --git a/configure.ac b/configure.ac index bd000bc3f..48a4385e8 100644 --- a/configure.ac +++ b/configure.ac @@ -480,7 +480,7 @@ AC_PROG_LIBTOOL # Checks for header files. AC_HEADER_STDC -AC_CHECK_HEADERS([stdarg.h stdbool.h netinet/in.h sys/param.h sys/socket.h sys/uio.h sys/resource.h arpa/inet.h syslog.h netdb.h sys/wait.h pwd.h glob.h],,, [AC_INCLUDES_DEFAULT]) +AC_CHECK_HEADERS([stdarg.h stdbool.h netinet/in.h sys/param.h sys/socket.h sys/uio.h sys/resource.h arpa/inet.h syslog.h netdb.h sys/wait.h pwd.h glob.h grp.h],,, [AC_INCLUDES_DEFAULT]) # check for types AC_CHECK_TYPE(int8_t, char) @@ -854,7 +854,7 @@ AC_CHECK_GETADDRINFO_WITH_INCLUDES if test $ac_cv_func_getaddrinfo = no; then AC_LIBOBJ([fake-rfc2553]) fi -AC_CHECK_FUNCS([tzset sigprocmask fcntl getpwnam getrlimit setsid sbrk chroot kill sleep usleep random srandom recvmsg sendmsg writev setresuid setreuid setresgid setregid glob]) +AC_CHECK_FUNCS([tzset sigprocmask fcntl getpwnam getrlimit setsid sbrk chroot kill sleep usleep random srandom recvmsg sendmsg writev setresuid setreuid setresgid setregid glob initgroups]) # check if setreuid en setregid fail, on MacOSX10.4(darwin8). if echo $build_os | grep darwin8 > /dev/null; then diff --git a/daemon/unbound.c b/daemon/unbound.c index 09767a45b..6c5fb6f28 100644 --- a/daemon/unbound.c +++ b/daemon/unbound.c @@ -56,6 +56,9 @@ #ifdef HAVE_PWD_H #include #endif +#ifdef HAVE_GRP_H +#include +#endif #ifdef HAVE_SYS_RESOURCE_H #include @@ -451,6 +454,11 @@ perform_setup(struct daemon* daemon, struct config_file* cfg, int debug_mode, /* drop permissions after chroot, getpwnam, pidfile, syslog done*/ #ifdef HAVE_GETPWNAM if(cfg->username && cfg->username[0]) { +#ifdef HAVE_INITGROUPS + if(initgroups(cfg->username, gid) != 0) + log_warn("unable to initgroups %s: %s", + cfg->username, strerror(errno)); +#endif #ifdef HAVE_SETRESGID if(setresgid(gid,gid,gid) != 0) #elif defined(HAVE_SETREGID) && !defined(DARWIN_BROKEN_SETREUID) diff --git a/doc/Changelog b/doc/Changelog index 483ecee2a..5ea311b47 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -9,6 +9,8 @@ ub_cancel tries to return an error code. Fixes race condition in ub_cancel() libunbound function. - MacOSX Leopard cleaner text output from configure. + - initgroups(3) is called to drop secondary group permissions, if + applicable. 4 February 2009: Wouter - tag for release 1.2.1.