aboutsummaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
authortruckman <truckman@FreeBSD.org>2000-06-21 19:10:41 +0800
committertruckman <truckman@FreeBSD.org>2000-06-21 19:10:41 +0800
commitc3f1cd7c1be77083ecc991c7a7f2178d2de2ae12 (patch)
tree73eba8753833929fb060da0e6a7def7f6e23d0a7 /security
parent5a9563cfa76b7c1d6f9c235b1041182ad52e3b29 (diff)
downloadfreebsd-ports-gnome-c3f1cd7c1be77083ecc991c7a7f2178d2de2ae12.tar.gz
freebsd-ports-gnome-c3f1cd7c1be77083ecc991c7a7f2178d2de2ae12.tar.zst
freebsd-ports-gnome-c3f1cd7c1be77083ecc991c7a7f2178d2de2ae12.zip
Initialize supplementary groups.
Ensure that a LOG_NOTICE syslog is always generated when the program is invoked generated when the program is invoked an obvious error. Submitted by: Phil Pennock <phil@globnix.org>
Diffstat (limited to 'security')
-rw-r--r--security/chrootuid/files/patch-ac137
-rw-r--r--security/chrootuid/files/patch-ad11
2 files changed, 148 insertions, 0 deletions
diff --git a/security/chrootuid/files/patch-ac b/security/chrootuid/files/patch-ac
new file mode 100644
index 000000000000..46421c8f859a
--- /dev/null
+++ b/security/chrootuid/files/patch-ac
@@ -0,0 +1,137 @@
+Message #30124 (162 lines)
+From phil@globnix.org Fri Mar 31 01:56:37 2000
+Date: Fri, 31 Mar 2000 11:56:07 +0200
+From: Phil Pennock <phil@globnix.org>
+To: truckman@FreeBSD.org, wietse@PORCUPINE.ORG
+Subject: chrootuid patch for *BSD
+Organisation: Organisation? Here? No, over there ---->
+X-NIC-Handles: COCO-149560 (ignore PP8185)
+X-Disclaimer: Any views expressed in this message, where not explicitly
+ attributed otherwise, are mine and mine alone. Such views
+ do not necessarily coincide with those of any organisation
+ or company with which I am or have been affiliated.
+X-Phase-of-Moon: The Moon is Waning Crescent (20% of Full)
+X-No-HTML: <!-- TINC
+
+
+--ikeVEW9yuYc//A+q
+Content-Type: text/plain; charset=us-ascii
+
+This has been tested on FreeBSD, and tries to make things simple. The
+'problem' with chrootuid as stands (version 1.2) is that it does not
+initialise supplementary groups.
+
+The attached patch adds this functionality. To use properly under BSD,
+add -DUSE_SYSCTL to the cc command-line - I've tested with and without
+that option. Wietse, sorry for changing the declaration of main() - I'm
+an ANSI-C type person and since I was making the other changes anyway I
+decided that I might as well.
+
+Oh, and the patch also ensures that a LOG_NOTICE syslog is always
+generated when the program is invoked with enough parameters to not be
+an obvious error.
+
+HTH
+--
+HTML email - just say no --> Phil Pennock
+"We've got a patent on the conquering of a country through the use of force.
+ We believe in world peace through extortionate license fees." -Bluemeat
+
+--ikeVEW9yuYc//A+q
+Content-Type: text/plain; charset=us-ascii
+Content-Disposition: attachment; filename="chrootuid.patch"
+
+--- chrootuid.c.orig Fri Mar 31 10:56:38 2000
++++ chrootuid.c Fri Mar 31 11:47:31 2000
+@@ -34,6 +34,7 @@
+ /* VERSION/RELEASE
+ /* 1.2
+ /*--*/
++/* MODIFIED FROM ORIGINAL SOURCE! <phil@globnix.org> */
+
+ #ifndef lint
+ static char sccsid[] = "@(#) chrootuid.c 1.2 93/08/15 22:19:27";
+@@ -41,14 +42,25 @@
+
+ /* System libraries. */
+
++#include <stdlib.h>
+ #include <pwd.h>
+ #include <syslog.h>
++#include <sys/param.h>
++#ifdef USE_SYSCTL
++# include <sys/types.h>
++# include <sys/sysctl.h>
++#else
++# ifndef NGROUPS
++# define NGROUPS 16
++# endif
++#endif
+
+-main(argc, argv)
+-int argc;
+-char **argv;
++int
++main(int argc, char *argv[])
+ {
+ struct passwd *pwd;
++ int *groups;
++ int ngroups;
+
+ /*
+ * Open a channel to the syslog daemon. Older versions of openlog()
+@@ -71,6 +83,10 @@
+ syslog(LOG_ERR, "usage: %s path user command", argv[0]);
+ return (0);
+ }
++
++ syslog(LOG_NOTICE, "chrootuid: dir(%s) user(%s) command(%s)",
++ argv[1], argv[2], argv[3]);
++
+ /* Must step into the new subtree. */
+
+ if (chdir(argv[1])) {
+@@ -83,6 +99,30 @@
+ syslog(LOG_ERR, "%s: user unknown", argv[2]);
+ return (0);
+ }
++#ifdef USE_SYSCTL
++ {
++ int mib[2];
++ size_t len;
++
++ mib[0] = CTL_KERN;
++ mib[1] = KERN_NGROUPS;
++ len = sizeof(ngroups);
++ if (sysctl(mib, 2, &ngroups, &len, NULL, 0)) {
++ syslog(LOG_ERR, "failed to get kern.ngroups: %m");
++ return (0);
++ }
++ }
++#else
++ ngroups = NGROUPS;
++#endif
++ if (!(groups = calloc(ngroups, sizeof(int)))) {
++ syslog(LOG_ERR, "failed to allocate memory: %m");
++ return (0);
++ }
++ if (getgrouplist(argv[2], pwd->pw_gid, groups, &ngroups) == -1) {
++ syslog(LOG_WARNING, "failed to get all groups for user '%s': %m",
++ argv[2]);
++ }
+ /* Do the chroot() before giving away root privileges. */
+
+ if (chroot(argv[1])) {
+@@ -94,6 +134,9 @@
+ if (setgid(pwd->pw_gid)) {
+ syslog(LOG_ERR, "setgid(%d): %m", pwd->pw_gid);
+ return (0);
++ }
++ if (setgroups(ngroups, (const gid_t *)groups)) {
++ syslog(LOG_WARNING, "setgroups failed: %m");
+ }
+ if (setuid(pwd->pw_uid)) {
+ syslog(LOG_ERR, "setuid(%d): %m", pwd->pw_uid);
+
+--ikeVEW9yuYc//A+q--
+
diff --git a/security/chrootuid/files/patch-ad b/security/chrootuid/files/patch-ad
new file mode 100644
index 000000000000..f1e08ba02f6e
--- /dev/null
+++ b/security/chrootuid/files/patch-ad
@@ -0,0 +1,11 @@
+--- Makefile.orig Wed Jun 21 03:47:29 2000
++++ Makefile Wed Jun 21 03:48:17 2000
+@@ -6,7 +6,7 @@
+ all: chrootuid chrootuid.1
+
+ chrootuid: chrootuid.c
+- $(CC) $(CFLAGS) -o $@ $?
++ $(CC) $(CFLAGS) -DUSE_SYSCTL -o $@ $?
+
+ #chrootuid.1: chrootuid.c
+ # srctoman $? >$@