pkgsrc-Bugs archive


Re: pkg/40532: privoxy ignores user:group and has wheel permissions and so everyone accessing privoxy admin page



cemkayali%eticaret.com.tr@localhost said:
> > It is well possible that privoxy opens its config file
> > before changing its privileges. 

If a program opens a file descriptor before changing its
uid/gid, the file descriptor remains valid. But a "ktrace"
did show that this is not the case here.
The reason for the unexpected behaviour is that privoxy
changes its group but does not give up the supplementary
group memberships. Since "root" is a member of "wheel" and
privoxy is started by "root" it runs with "wheel" permissions.
This is certainly a misfeature of "privoxy", if not
a serious bug.
Can you try the appended patch?

best regards
Matthias





$NetBSD$

--- ./jcc.c.orig        2007-12-16 19:32:46.000000000 +0100
+++ ./jcc.c
@@ -3299,6 +3299,10 @@ int main(int argc, const char *argv[])
       {
          log_error(LOG_LEVEL_FATAL, "Cannot setgid(): Insufficient 
permissions.");
       }
+      if (grp)
+       setgroups(1, grp->gr_gid);
+      else
+       initgroups(pw->pw_name, pw->pw_gid);
       if (do_chroot)
       {
          if (!pw->pw_dir)
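
Review bot: setgroups(1, grp->gr_gid) in the first added branch passes the gid itself as the second argument, but setgroups() expects a pointer to an array of gid_t, so this should read setgroups(1, &grp->gr_gid). Neither setgroups() nor initgroups() has its return value checked, unlike the setgid() call just above, which ends in log_error(LOG_LEVEL_FATAL, ...); if either call fails, the process silently keeps the supplementary groups it inherited, so both branches should fail fatally in the same way.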


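The privilege drop discussed in the message above, as an added example in C that is not part of the original post or of privoxy's code: it clears the supplementary groups before setgid() and setuid(), checks every return value, and then verifies that no inherited membership survived. The function names, the 64-entry buffer and the sample gids are assumptions made for illustration.

```c
#define _DEFAULT_SOURCE   /* exposes setgroups() on glibc; BSDs declare it in <unistd.h> */
#include <sys/types.h>
#include <grp.h>
#include <stdio.h>
#include <unistd.h>

/* Count entries in a group list that differ from the one gid the daemon
 * is meant to keep. Non-zero means inherited memberships survived. */
int count_stray_groups(const gid_t *groups, int n, gid_t keep)
{
    int stray = 0;
    for (int i = 0; i < n; i++)
        if (groups[i] != keep)
            stray++;
    return stray;
}

/* Drop from root to uid/gid. Order matters: setgroups() and setgid()
 * need root, so both must run before setuid(). Returns 0 on success. */
int drop_privileges(uid_t uid, gid_t gid)
{
    gid_t list[64];   /* assumption: large enough for the post-drop check */
    int n;

    if (setgroups(1, &gid) != 0) { perror("setgroups"); return -1; }
    if (setgid(gid) != 0)        { perror("setgid");    return -1; }
    if (setuid(uid) != 0)        { perror("setuid");    return -1; }

    /* Verify the result instead of trusting the return codes alone. */
    n = getgroups(64, list);
    if (n < 0 || count_stray_groups(list, n, gid) != 0)
        return -1;
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid)
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed sample: root started the daemon and only setgid(1003) was
     * called, so the list still holds root's groups 0 (wheel) and 5. */
    gid_t inherited[] = { 0, 5, 1003 };
    printf("stray groups after setgid() only: %d\n",
           count_stray_groups(inherited, 3, 1003));
    return 0;
}
```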