Repository: trafficserver Updated Branches: refs/heads/master 7f1e8b3fd -> 15fee84b6
TS-3358: expand the definition of a privileged management API caller To preserve backwards compatibility, redefine privileged management API callers as root (uid 0), or the management user (ie/ the user traffic_manager is running as). Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/15fee84b Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/15fee84b Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/15fee84b Branch: refs/heads/master Commit: 15fee84b62972befa7e66ee681d10b0b3acfe45d Parents: 7f1e8b3 Author: James Peach <[email protected]> Authored: Wed Feb 25 08:45:33 2015 -0800 Committer: James Peach <[email protected]> Committed: Wed Feb 25 08:50:37 2015 -0800 ---------------------------------------------------------------------- mgmt/api/EventControlMain.cc | 4 ++-- mgmt/api/TSControlMain.cc | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/trafficserver/blob/15fee84b/mgmt/api/EventControlMain.cc ----------------------------------------------------------------------
diff --git a/mgmt/api/EventControlMain.cc b/mgmt/api/EventControlMain.cc
index be717d6..fe0b508 100644
--- a/mgmt/api/EventControlMain.cc
+++ b/mgmt/api/EventControlMain.cc
@@ -563,8 +563,8 @@ handle_event_message(EventClientT * client, void * req, size_t reqlen)
 gid_t egid = -1;
 // For now, all event messages require privilege. This is compatible with earlier
- // versions of Traffic Server that
- if (mgmt_get_peereid(client->fd, &euid, &egid) == -1 || euid != 0) {
+ // versions of Traffic Server that always required privilege.
+ if (mgmt_get_peereid(client->fd, &euid, &egid) == -1 || (euid != 0 && euid != geteuid())) {
 return TS_ERR_PERMISSION_DENIED;
 }
 }
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/15fee84b/mgmt/api/TSControlMain.cc ----------------------------------------------------------------------
diff --git a/mgmt/api/TSControlMain.cc b/mgmt/api/TSControlMain.cc
index 2120e3e..9eff803 100644
--- a/mgmt/api/TSControlMain.cc
+++ b/mgmt/api/TSControlMain.cc
@@ -1024,9 +1024,9 @@ handle_control_message(int fd, void * req, size_t reqlen)
 uid_t euid = -1;
 gid_t egid = -1;
- // For privileged calls, ensure we have caller credentials and that the caller is root.
+ // For privileged calls, ensure we have caller credentials and that the caller is privileged.
 if (handlers[optype].flags & MGMT_API_PRIVILEGED) {
- if (mgmt_get_peereid(fd, &euid, &egid) == -1 || euid != 0) {
+ if (mgmt_get_peereid(fd, &euid, &egid) == -1 || (euid != 0 && euid != geteuid())) {
 Debug("ts_main", "denied privileged API access on fd=%d for uid=%d gid=%d", fd, euid, egid);
 return send_mgmt_error(fd, optype, TS_ERR_PERMISSION_DENIED);
 }
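Review bot: The added `euid != geteuid()` clause in handle_event_message admits any peer whose effective uid equals the manager process's effective uid at the moment the message is handled, so the check is only as strong as that account is exclusive: if the management user is shared with other services, each of them can now reach the event API. The comment above the test still says only that privilege was "always required" and does not name the second accepted identity; I would state it, e.g. `// Privileged callers are root or the user this process runs as; that account must be dedicated to Traffic Server.` The same predicate is repeated in handle_control_message in TSControlMain.cc (second hunk), so a single helper next to mgmt_get_peereid would keep the two checks from drifting apart. This path also returns TS_ERR_PERMISSION_DENIED without the Debug line the control path emits, which makes refused event clients harder to spot. handle_event_message begins and ends outside the hunk.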
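Review bot: The only record of a refused privileged call in handle_control_message is the `Debug("ts_main", …)` line, so now that a non-root uid can be accepted, a refusal is presumably visible only while that debug tag is enabled; an always-on log entry would give operators an audit trail for denied management calls. The message also cannot tell a failed mgmt_get_peereid() from a policy refusal, since euid and egid presumably keep their `-1` initialisers in the first case, and it passes uid_t/gid_t values to `%d`. A minimal fix for the format is `"denied privileged API access on fd=%d for uid=%ld gid=%ld", fd, (long)euid, (long)egid`, and the text could say which of the two conditions failed. The enclosing function starts and ends outside the hunk.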
