Bug#534508: daemontools: setuidgid should initialize the supplementary groups
On Thu, May 29, 2014 at 01:14:12PM +0200, Carlos Alberto Lopez Perez wrote:
> Hi,
>
> This bit me recently. I'm attaching a debdiff with the patch from Huaqing, which I tested and verified to work as expected. I also updated the manpage.
>
> Could you upload this please? If you don't have time I can do an NMU (if you think the attached debdiff is OK)

Hi, I don't agree with this change, as I actually want to keep daemontools in Debian as close to upstream as possible. There are alternatives you can use, like runit, perp, s6, ...

HTH, Gerrit.
Bug#534508: daemontools: setuidgid should initialize the supplementary groups
Hi,

This bit me recently. I'm attaching a debdiff with the patch from Huaqing, which I tested and verified to work as expected. I also updated the manpage.

Could you upload this please? If you don't have time I can do an NMU (if you think the attached debdiff is OK)

Thanks!

diff -u daemontools-0.76/debian/changelog daemontools-0.76/debian/changelog --- daemontools-0.76/debian/changelog +++ daemontools-0.76/debian/changelog @@ -1,3 +1,11 @@ +daemontools (1:0.76-3.1) UNRELEASED; urgency=medium + + * Non-maintainer upload. + * Apply patch for setuidgid to initialize the supplementary groups and +update manpage (Closes: #534508) + + -- Carlos Alberto Lopez Perez clo...@igalia.com Thu, 29 May 2014 11:59:03 +0200 + daemontools (1:0.76-3) unstable; urgency=low * debian/daemontools-run.postinst: don't exec into the kill program, so diff -u daemontools-0.76/debian/daemontools-man/setuidgid.8 daemontools-0.76/debian/daemontools-man/setuidgid.8 --- daemontools-0.76/debian/daemontools-man/setuidgid.8 +++ daemontools-0.76/debian/daemontools-man/setuidgid.8 @@ -14,7 +14,7 @@ .B setuidgid sets its uid and gid to .IR account 's -uid and gid, removing all supplementary groups. It then runs +uid and gid (including all supplementary groups of the user). It then runs .IR child . .B setuidgid @@ -23,7 +23,7 @@ .B setuidgid exits 111 if it cannot find a UNIX account named .IB account , -if it cannot setgid, if it cannot setuid, or if it cannot run +if it cannot setgid, if it cannot setuid, if it cannot initialize the supplementary groups of the user, or if it cannot run .IR child . Otherwise its exit code is the same as that of .IR child . only in patch2: unchanged: --- daemontools-0.76.orig/debian/diff/0003-setuidgid-should-initialize-the-supplementary-groups.diff +++ daemontools-0.76/debian/diff/0003-setuidgid-should-initialize-the-supplementary-groups.diff
@@ -0,0 +1,27 @@ +From: Huaqing Zheng morph...@stanford.edu +Date: Wed, 24 Jun 2009 16:19:16 -0700 +Subject: [PATCH] setuidgid should initialize the supplementary groups + +https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=534508 +--- + daemontools-0.76/src/setuidgid.c | 4 + 1 file changed, 4 insertions(+) + +diff --git a/daemontools-0.76/src/setuidgid.c b/daemontools-0.76/src/setuidgid.c +index 8c683de..b75d799 100644 +--- a/daemontools-0.76/src/setuidgid.c b/daemontools-0.76/src/setuidgid.c +@@ -21,6 +21,10 @@ int main(int argc,const char *const *argv,const char *const *envp) + + if (prot_gid(pw-pw_gid) == -1) + strerr_die2sys(111,FATAL,unable to setgid: ); ++ ++ if (initgroups(pw-pw_name, pw-pw_gid)) ++strerr_die2sys(111,FATAL,unable to initgroup: ); ++ + if (prot_uid(pw-pw_uid) == -1) + strerr_die2sys(111,FATAL,unable to setuid: ); + +-- +2.0.0.rc2 + signature.asc Description: OpenPGP digital signature
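Review bot: the setuidgid.c hunk in the embedded 0003 patch calls initgroups() but adds no #include; the diffstat shows 4 insertions and all four are inside main(). initgroups() is declared in <grp.h>, so unless setuidgid.c already includes that header the call is compiled against an implicit declaration. Add the include in the same patch so the prototype is checked by the compiler. The placement itself, after the setgid step and before the setuid step, is where the call has to be, since it needs the privileges that prot_uid gives up.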
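Review bot: the setuidgid.8 hunk at -14,7 turns the documented behaviour around for every caller, from "removing all supplementary groups" to including all of them, and the patch offers no way to keep the old behaviour. Existing run scripts that use setuidgid precisely because it drops supplementary groups would, after an upgrade, start their child with every group the account is listed in, which widens the child's file and device access without any change to the script. Consider making the new behaviour opt-in (an option, or a separate program) or at least state in the changelog entry that the default changed; "initialize the supplementary groups" does not tell an admin that a previously dropped privilege is now kept. In the -23,7 hunk the added line is far longer than the surrounding roff lines and should be wrapped like its neighbours.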
Bug#534508: daemontools: setuidgid should initialize the supplementary groups
Hello,

Huaqing Zheng morph...@stanford.edu wrote:
> It would be really nice if setuidgid would initialize supplementary group access list.

You may be interested in dropto(8), which is essentially setuidgid(8) with supplementary groups, as suggested by you. We decided not to alter the established interface of setuidgid, hence the new program. dropto also uses the GNU build system instead of the daemontools one. The man page is at [1] and the source code is at [2].

[1] http://users.ox.ac.uk/~tom/dropto/dropto.8
[2] http://users.ox.ac.uk/~tom/source/dropto/dropto-0.3.1.tar.gz

--
Tom Jones, Systems Development and Support Section
Computing Services, University of Oxford
Bug#534508: daemontools: setuidgid should initialize the supplementary groups
Package: daemontools
Version: 1:0.76-3
Severity: wishlist
Tags: patch

It would be really nice if setuidgid would initialize supplementary group access list.

--- src/setuidgid.c 2006-03-23 14:30:53.0 -0800 +++ src/setuidgid.c2006-03-23 14:31:36.0 -0800 @@ -21,6 +21,10 @@ if (prot_gid(pw-pw_gid) == -1) strerr_die2sys(111,FATAL,unable to setgid: ); + + if (initgroups(pw-pw_name, pw-pw_gid)) +strerr_die2sys(111,FATAL,unable to initgroup: ); + if (prot_uid(pw-pw_uid) == -1) strerr_die2sys(111,FATAL,unable to setuid: );

-- System Information:
Debian Release: squeeze/sid
APT prefers oldstable
APT policy: (500, 'oldstable'), (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.29-2-686 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=ANSI_X3.4-1968) (ignored: LC_ALL set to C)
Shell: /bin/sh linked to /bin/bash

Versions of packages daemontools depends on:
ii libc6 2.9-16 GNU C Library: Shared libraries

daemontools recommends no packages.

Versions of packages daemontools suggests:
pn daemontools-run | runit none (no description available)

-- no debconf information
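Review bot: the added check in the -21,6 hunk tests initgroups() for any non-zero return, while the prot_gid and prot_uid checks directly above and below it compare against -1; use the same "== -1" form so the three privilege-drop steps read and fail alike. The error text "unable to initgroup: " also does not match the call it reports on; "unable to initgroups: " or "unable to set supplementary groups: " would be easier to find when it shows up in a service log.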