mirror of
https://tildegit.org/solderpunk/molly-brown
Restore documented setuid behaviour.
parent
f63fcdb6d1
commit
75c283fc74
|
@ -53,7 +53,7 @@ func getUserInfo(config Config) (userInfo, error) {
|
||||||
}
|
}
|
||||||
ui.need_drop = ui.is_setuid || ui.is_setgid || ui.root_user || ui.root_prim_group || ui.root_supp_group
|
ui.need_drop = ui.is_setuid || ui.is_setgid || ui.root_user || ui.root_prim_group || ui.root_supp_group
|
||||||
|
|
||||||
if ui.need_drop {
|
if ui.root_user || ui.root_prim_group {
|
||||||
nobody_user, err := user.Lookup(config.UnprivUsername)
|
nobody_user, err := user.Lookup(config.UnprivUsername)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Println("Running as root but could not lookup UID for user " + config.UnprivUsername + ": " + err.Error())
|
log.Println("Running as root but could not lookup UID for user " + config.UnprivUsername + ": " + err.Error())
|
||||||
|
@ -77,28 +77,42 @@ func DropPrivs(ui userInfo) error {
|
||||||
}
|
}
|
||||||
|
|
||||||
// Drop supplementary groups
|
// Drop supplementary groups
|
||||||
if ui.root_supp_group {
|
err := syscall.Setgroups([]int{})
|
||||||
err := syscall.Setgroups([]int{})
|
if err != nil {
|
||||||
if err != nil {
|
// Log failure
|
||||||
log.Println("Could not unset supplementary groups: " + err.Error())
|
log.Println("Could not unset supplementary groups: " + err.Error())
|
||||||
|
// Make this fatal if root was amongst supplementary groups
|
||||||
|
if ui.root_supp_group {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// Setguid()
|
// Setgid()
|
||||||
if ui.root_prim_group {
|
if ui.root_prim_group || ui.is_setgid {
|
||||||
err := syscall.Setgid(ui.unpriv_gid)
|
var target_gid int
|
||||||
|
if ui.root_prim_group {
|
||||||
|
target_gid = ui.unpriv_gid
|
||||||
|
} else {
|
||||||
|
target_gid = ui.gid
|
||||||
|
}
|
||||||
|
err := syscall.Setgid(target_gid)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Println("Could not setgid to " + strconv.Itoa(ui.unpriv_gid) + ": " + err.Error())
|
log.Println("Could not setgid to " + strconv.Itoa(target_gid) + ": " + err.Error())
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// Setuid()
|
// Setuid()
|
||||||
if ui.root_user {
|
if ui.root_user || ui.is_setuid {
|
||||||
err := syscall.Setuid(ui.unpriv_uid)
|
var target_uid int
|
||||||
|
if ui.root_user {
|
||||||
|
target_uid = ui.unpriv_uid
|
||||||
|
} else {
|
||||||
|
target_uid = ui.uid
|
||||||
|
}
|
||||||
|
err := syscall.Setuid(target_uid)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Println("Could not setuid to " + strconv.Itoa(ui.unpriv_uid) + ": " + err.Error())
|
log.Println("Could not setuid to " + strconv.Itoa(target_uid) + ": " + err.Error())
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
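Review bot: In the new `is_setuid`/`is_setgid` branches of DropPrivs, `syscall.Setuid(target_uid)` and `syscall.Setgid(target_gid)` may not drop the privilege permanently. When the binary is set-id to a non-root owner, the process lacks CAP_SETUID/CAP_SETGID, so on POSIX systems these calls change only the effective ID and leave the saved set-user/group ID at the file owner's value, from which the elevated ID can be restored later. Assuming `ui.uid`/`ui.gid` hold the real IDs (their assignment is outside the hunk), setting all three IDs closes that gap, e.g. on Linux `err := syscall.Setresuid(target_uid, target_uid, target_uid)` and `err := syscall.Setresgid(target_gid, target_gid, target_gid)`. A short comment on the two `else` branches saying that the target is the invoking user's real ID would also help; DropPrivs begins above the hunk, so any earlier handling is not visible here.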