[PATCH] iscsid: fix order of setting uid/gid and drop supplementary groups

Tue, 11 Jun 2013 15:52:16 -0700 

If using the user and group ID settings together the existing order of
calling setuid first will almost always cause the setgid call to fail,
assuming the new effective user id does not have the CAP_SETGID
capability.  The effective group ID needs to change first.

While we're at it, if iscsid is started as root it should drop any
inherited supplementary group permissions.

And if anyone is actually using this to try and isolate capabilities,
they probably care enough to want to known that it is failing.  Make
iscsid startup fail instead of just calling perror.

Signed-off-by: Chris Leech <cle...@redhat.com>
---
 usr/iscsid.c | 23 +++++++++++++++++++----
 1 file changed, 19 insertions(+), 4 deletions(-)

diff --git a/usr/iscsid.c b/usr/iscsid.c
index b4bb65b..c0ea6fa 100644
--- a/usr/iscsid.c
+++ b/usr/iscsid.c
@@ -27,6 +27,7 @@
 #include <unistd.h>
 #include <string.h>
 #include <signal.h>
+#include <grp.h>
 #include <sys/mman.h>
 #include <sys/utsname.h>
 #include <sys/types.h>
@@ -477,11 +478,25 @@ int main(int argc, char *argv[])
                }
        }
 
-       if (uid && setuid(uid) < 0)
-               perror("setuid\n");
+       if (gid && setgid(gid) < 0) {
+               log_error("Unable to setgid to %d\n", gid);
+               log_close(log_pid);
+               exit(ISCSI_ERR);
+       }
 
-       if (gid && setgid(gid) < 0)
-               perror("setgid\n");
+       if ((geteuid() == 0) && (getgroups(0, NULL))) {
+               if (setgroups(0, NULL) != 0) {
+                       log_error("Unable to drop supplementary group ids\n");
+                       log_close(log_pid);
+                       exit(ISCSI_ERR);
+               }
+       }
+
+       if (uid && setuid(uid) < 0) {
+               log_error("Unable to setuid to %d\n", uid);
+               log_close(log_pid);
+               exit(ISCSI_ERR);
+       }
 
        memset(&daemon_config, 0, sizeof (daemon_config));
        daemon_config.pid_file = pid_file;
-- 
1.8.1.4

-- 
You received this message because you are subscribed to the Google Groups 
"open-iscsi" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to open-iscsi+unsubscr...@googlegroups.com.
To post to this group, send email to open-iscsi@googlegroups.com.
Visit this group at http://groups.google.com/group/open-iscsi?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.

Reply via email to