and hi, yet again,

On Sun, Nov 25, 2007 at 03:01:15PM +0100, Michael Ablassmeier wrote:
> On Sun, Nov 25, 2007 at 02:19:46PM +0100, Michael Ablassmeier wrote:
> > The agent uses popen in order to execute the UserCommands. I think popen just
> > as exec* resets the gid to the saved-set-gid, which is then 0, thus the
> > executed program ends up with gid set to root.
> 
> just a short example of what's happening and how to reproduce this:
> 
>  > #include <sys/types.h>
>  > #include <unistd.h>
>  > #include <pwd.h>
>  > #include <stdio.h>
>  > 
>  > int main() {
>  >         struct passwd           *pw;
>  >         pw = getpwnam("abi");
>  >         FILE *pipe;
>  >         char buf[25];
>  >         setgid(pw->pw_gid);
>  >         setuid(pw->pw_uid);

I think the solution here is to use initgroups, which does set the right group
settings, like:

        setgid(..);
        initgroups(..,..);
        setuid(..);

 [EMAIL PROTECTED]:~# ./a.out 
 my gid: 1000
 my uid: 1000
 uid=1000(abi) gid=1000(abi) groups=1000(abi)

 [EMAIL PROTECTED]:~# ./a.out 
 my gid: 1000
 my uid: 1000
 cat: /tmp/file: Permission denied
 
 [EMAIL PROTECTED]:~# ls -alh /tmp/file 
 -rw-r----- 1 root root 7 Nov 25 15:13 /tmp/file

So, I think the zabbix_agentd should use initgroups() in order to set its
group information; I'm going to forward this to upstream.

bye,
        - michael
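
An added example (not part of the original message and not Zabbix's code): a privilege drop that replaces the supplementary group list with initgroups() while still root, then sets gid and uid, checks every return value, and reports which groups remain. The helper names and the default account `nobody` are assumptions for the demo.

```c
#define _DEFAULT_SOURCE          /* for initgroups() on glibc */
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Count supplementary groups the process holds that are not in allowed[].
 * Returns -1 if the group list cannot be read. */
int residual_groups(const gid_t *allowed, int n_allowed)
{
    gid_t have[1024];
    int n = getgroups(1024, have), extra = 0;
    if (n < 0)
        return -1;
    for (int i = 0; i < n; i++) {
        int ok = 0;
        for (int j = 0; j < n_allowed; j++)
            if (have[i] == allowed[j])
                ok = 1;
        extra += !ok;
    }
    return extra;
}

/* Drop from root to the account in pw. Groups go first, while the process
 * still has the privilege to change them; every return value is checked. */
int drop_privileges(const struct passwd *pw)
{
    if (initgroups(pw->pw_name, pw->pw_gid) != 0)  /* replace root's group list */
        return -1;
    if (setgid(pw->pw_gid) != 0 || setuid(pw->pw_uid) != 0)
        return -1;
    if (pw->pw_uid != 0 && setuid(0) == 0)         /* must not be reversible */
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    /* "nobody" is only a default for the demo; pass another account name. */
    struct passwd *pw = getpwnam(argc > 1 ? argv[1] : "nobody");
    if (pw == NULL || drop_privileges(pw) != 0) {
        fprintf(stderr, "privilege drop failed (run as root)\n");
        return 1;
    }
    /* Groups held beyond the primary gid; 0 for an account with no others. */
    printf("uid=%d gid=%d extra_groups=%d\n", (int)getuid(), (int)getgid(),
           residual_groups(&pw->pw_gid, 1));
    return 0;
}
```

Calling `residual_groups()` before the child command is started gives a cheap check that no group inherited from the root parent survives the drop.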


