diff options
| author | Sean Whitton <spwhitton@spwhitton.name> | 2021-07-21 13:55:12 -0700 |
|---|---|---|
| committer | Sean Whitton <spwhitton@spwhitton.name> | 2021-07-24 15:50:21 -0700 |
| commit | 07827bd9141d96ef89d05ba7f2596242ef0b6e27 (patch) | |
| tree | b5a0e7561143b869ec5bb7a41a349dac38a89a8f | |
| parent | eb33733e65326f771822f1f4b767f47382eb4914 (diff) | |
| download | consfigurator-07827bd9141d96ef89d05ba7f2596242ef0b6e27.tar.gz | |
:SETUID connection: also call initgroups(3)
Signed-off-by: Sean Whitton <spwhitton@spwhitton.name>
(cherry picked from commit 052f5d522473f10fe46fd431b372de54f7a53e62)
| -rw-r--r-- | src/connection/setuid.lisp | 12 |
1 files changed, 9 insertions, 3 deletions
diff --git a/src/connection/setuid.lisp b/src/connection/setuid.lisp index 9b7257f..32cd74c 100644 --- a/src/connection/setuid.lisp +++ b/src/connection/setuid.lisp @@ -26,6 +26,9 @@ #+sbcl (sb-posix:setgid gid) #-(or sbcl) (foreign-funcall "setgid" :unsigned-int uid :int)) +(defun initgroups (user gid) + (foreign-funcall "initgroups" :string user :unsigned-int gid :int)) + (defclass setuid-connection (rehome-connection fork-connection) ()) (defmethod establish-connection ((type (eql :setuid)) remaining &key to) @@ -59,14 +62,17 @@ (defmethod post-fork ((connection setuid-connection)) (let ((uid (connection-connattr connection :remote-uid)) - (gid (connection-connattr connection :remote-gid))) + (gid (connection-connattr connection :remote-gid)) + (user (connection-connattr connection :remote-user))) (run-program (list "chown" "-R" (format nil "~A:~A" uid gid) (unix-namestring (slot-value connection 'datadir)))) + ;; We are privileged, so this sets the real, effective and saved IDs. (unless (zerop (setgid gid)) (error "setgid(2) failed!")) + (unless (zerop (initgroups user gid)) + (error "initgroups(3) failed!")) (unless (zerop (setuid uid)) (error "setuid(2) failed!")) (posix-login-environment - (connection-connattr connection :remote-user) - (connection-connattr connection :remote-home)))) + user (connection-connattr connection :remote-home)))) |