Subject: bin/18936: syslogd should call initgroups()
To: None <gnats-bugs@gnats.netbsd.org>
From: Christian Biere <christianbiere@gmx.de>
List: netbsd-bugs
Date: 11/05/2002 03:32:29
>Number:         18936
>Category:       bin
>Synopsis:       syslogd should call initgroups()
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Mon Nov 04 18:33:00 PST 2002
>Closed-Date:
>Last-Modified:
>Originator:     Christian Biere
>Release:        NetBSD 1.6J
>Organization:
       
>Environment:
NetBSD localhost 1.6J NetBSD 1.6J (UNICRON) #5: Mon Oct 28 17:05:26 CET
2002     root@localhost:/usr/src/sys/arch/i386/compile/UNICRON i386

>Description:
/usr/sbin/syslogd should call initgroups() before set{e,}{g,u}gid() like
almost(?) any other daemon to get rid of unnecessary rights.

>How-To-Repeat:

>Fix:
See my patch for a suggestion.


--Multipart_Tue__5_Nov_2002_03:32:29_+0100_08170e00
Content-Type: text/plain;
 name="syslogd.c.udif"
Content-Disposition: attachment;
 filename="syslogd.c.udif"
Content-Transfer-Encoding: 7bit

Index: syslogd.c
===================================================================
RCS file: /cvsroot/basesrc/usr.sbin/syslogd/syslogd.c,v
retrieving revision 1.56
diff -u -r1.56 syslogd.c
--- syslogd.c	2002/09/24 13:53:54	1.56
+++ syslogd.c	2002/11/05 02:16:24
@@ -308,7 +308,19 @@
 				die (0);
 			}
 		}
+	} else {
+		if ((pw = getpwuid(getuid())) != NULL) {
+			if ((user = strdup(pw->pw_name)) == NULL) {
+				logerror("Could not allocate user");
+			 	die (0);
+			}
+		} else {
+			errno = 0;  
+			logerror("Cannot find UID `%d'", getuid());
+			die (0);
+		}
 	}
+	
 
 	if (group != NULL) {
 		if (isdigit((unsigned char)*group)) {
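Review bot: the new else branch makes startup fatal when no user was requested and getpwuid(getuid()) returns NULL, so a syslogd that previously ran with its inherited credentials now exits through die (0) whenever the passwd lookup for the current UID fails. Consider leaving user NULL in that case and skipping the later initgroups() call, or resetting the supplementary list with setgroups() to the single target GID, rather than requiring a passwd entry. Because user is always non-NULL after this hunk, any later test of user != NULL that means "a user was given on the command line" changes meaning and should be checked. Smaller points: getuid() returns uid_t, so the `%d' in "Cannot find UID `%d'" wants a cast to match; the reason for errno = 0 before logerror() deserves a comment; and the added lines carry trailing whitespace, a space before the tab in front of die (0), and a tab-only line.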
@@ -429,6 +441,12 @@
 	dprintf("Attempt to chroot to `%s'\n", root);  
 	if (chroot(root)) {
 		logerror("Failed to chroot to `%s'", root);
+		die(0);
+	}
+	dprintf("Attempt to initgroups for `%s' with GID `%d'\n", user, gid);  
+	if (initgroups(user, gid)) {
+		logerror("Failed to initgroups for `%s' with GID `%d'", user, 
+			gid);
 		die(0);
 	}
 	dprintf("Attempt to set GID/EGID to `%d'\n", gid);  
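Review bot: initgroups(user, gid) is placed after the successful chroot(root), so the group database it consults is looked up inside the new root rather than on the host system. With a chroot directory that has no group file, or a different one, the supplementary groups set here will not be the ones configured for the user on the host. Move the initgroups() block above the dprintf("Attempt to chroot ...") line so the lookup happens before the root changes, still ahead of the GID/EGID step. If gid is a gid_t, the `%d' in both new format strings wants a cast, although the existing GID/EGID dprintf follows the same pattern.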

--Multipart_Tue__5_Nov_2002_03:32:29_+0100_08170e00--
>Release-Note:
>Audit-Trail:
>Unformatted: