and hi, yet again,

On Sun, Nov 25, 2007 at 03:01:15PM +0100, Michael Ablassmeier wrote:
> On Sun, Nov 25, 2007 at 02:19:46PM +0100, Michael Ablassmeier wrote:
> > The agent uses popen in order to execute the UserCommands. I think popen
> > just as exec* resets the gid to the saved-set-gid, which is then 0, thus
> > the executed program ends up with gid set to root.
>
> just a short example of what's happening and how to reproduce this:
>
> > #include <sys/types.h>
> > #include <unistd.h>
> > #include <pwd.h>
> > #include <stdio.h>
> >
> > int main() {
> >     struct passwd *pw;
> >     pw = getpwnam("abi");
> >     FILE *pipe;
> >     char buf[25];
> >     setgid(pw->pw_gid);
> >     setuid(pw->pw_uid);

I think the solution here is to use initgroups, which does set the right group
settings, like:

    setgid(..);
    initgroups(..,..);
    setuid(..);

    [EMAIL PROTECTED]:~# ./a.out
    my gid: 1000
    my uid: 1000
    uid=1000(abi) gid=1000(abi) groups=1000(abi)

    [EMAIL PROTECTED]:~# ./a.out
    my gid: 1000
    my uid: 1000
    cat: /tmp/file: Permission denied
    [EMAIL PROTECTED]:~# ls -alh /tmp/file
    -rw-r----- 1 root root 7 Nov 25 15:13 /tmp/file

so, I think the zabbix_agentd should use initgroups() in order to set its group
information, I'm going to forward this to upstream.

bye,
    - michael
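
The privilege drop discussed in this message, written out as an added example (not code from the original post or from Zabbix). The function names drop_privileges and inherited_root_group are hypothetical; both group calls run before setuid(), and the check assumes the target user is not a legitimate member of group 0.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE              /* expose initgroups() on glibc */
#endif
#include <sys/types.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <unistd.h>

/* Return 1 if a non-root target still carries gid 0 in its group list,
 * i.e. a supplementary group inherited from the root parent. */
int inherited_root_group(gid_t target, const gid_t *list, int n)
{
    if (target == 0) return 0;
    for (int i = 0; i < n; i++)
        if (list[i] == 0) return 1;
    return 0;
}

/* Drop from root to `user`; return 0 on success, -1 on any failure. */
int drop_privileges(const char *user)
{
    struct passwd *pw = getpwnam(user);
    gid_t list[64];                  /* assumption: at most 64 groups */
    int n;

    if (pw == NULL) return -1;
    /* Group changes need root, so setuid() must come last. */
    if (initgroups(pw->pw_name, pw->pw_gid) != 0) return -1;
    if (setgid(pw->pw_gid) != 0) return -1;
    if (setuid(pw->pw_uid) != 0) return -1;
    /* Verify the drop: root must be unreachable and gid 0 gone. */
    if (pw->pw_uid != 0 && setuid(0) == 0) return -1;
    n = getgroups(64, list);
    if (n < 0 || inherited_root_group(pw->pw_gid, list, n)) return -1;
    return 0;
}

int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s USER\n", argv[0]); return 2; }
    if (drop_privileges(argv[1]) != 0) { fprintf(stderr, "drop failed\n"); return 1; }
    printf("uid=%d gid=%d\n", (int)getuid(), (int)getgid());
    return 0;
}
```

Every return value is checked because a failed setgid() or setuid() that goes unnoticed leaves the process, and anything it starts through popen(), running with root's identity.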