This is an automated email from the ASF dual-hosted git repository.
eze pushed a commit to branch 9.2.x
in repository https://gitbox.apache.org/repos/asf/trafficserver.git
The following commit(s) were added to refs/heads/9.2.x by this push:
new a0d49ddb44 Invoke initgroups() iff we got enough privileges (#11869)
(#11872)
a0d49ddb44 is described below
commit a0d49ddb44ea5e295c85d7d88a13e4978d6bc84b
Author: Valentín Gutiérrez <[email protected]>
AuthorDate: Thu Nov 21 03:54:03 2024 +0100
Invoke initgroups() iff we got enough privileges (#11869) (#11872)
Follow up of #11855, that rendered unusable ATS as root when spawned via
traffic_manager.
(cherry picked from commit d4dda9b5583d19e2eee268fec59aa487d61fc079)
---
src/tscore/ink_cap.cc | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/tscore/ink_cap.cc b/src/tscore/ink_cap.cc
index 8a95d4b132..6c6fe73a63 100644
--- a/src/tscore/ink_cap.cc
+++ b/src/tscore/ink_cap.cc
@@ -160,8 +160,10 @@ impersonate(const struct passwd *pwd, ImpersonationLevel
level)
#endif
// Always repopulate the supplementary group list for the new user.
- if (initgroups(pwd->pw_name, pwd->pw_gid) != 0) {
- Fatal("switching to user %s, failed to initialize supplementary groups ID
%ld", pwd->pw_name, (long)pwd->pw_gid);
+ if (geteuid() == 0) { // check that we have enough rights to call
initgroups()
+ if (initgroups(pwd->pw_name, pwd->pw_gid) != 0) {
+ Fatal("switching to user %s, failed to initialize supplementary groups
ID %ld", pwd->pw_name, (long)pwd->pw_gid);
+ }
}
switch (level) {
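Review bot: the unchanged comment above the new `if (geteuid() == 0)` guard still reads "Always repopulate the supplementary group list for the new user", but with this change the list is repopulated only when the effective UID is 0. In every other case impersonate() carries on silently with whatever supplementary groups the process inherited. Please reword the comment to state the condition, and consider logging a debug or warning message in the skipped branch so an operator can see that inherited groups were left in place. Separately, `geteuid() == 0` only approximates "allowed to call initgroups()": on Linux the call needs CAP_SETGID, which a non-root process can hold and a UID 0 process can lack. In ink_cap.cc it would match the stated intent more closely to test for that capability, or to call initgroups() unconditionally and treat only a non-EPERM failure as fatal.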