diff options
author | Sergey Poznyakoff <gray@gnu.org.ua> | 2009-02-25 22:51:33 +0200 |
---|---|---|
committer | Sergey Poznyakoff <gray@gnu.org.ua> | 2009-02-25 22:51:33 +0200 |
commit | 2e027ea167726a3af7d9db366acef266752c6b1b (patch) | |
tree | d71b14fc10bc55d887e855c8c4e1283fadbd8025 | |
parent | 27d1256d331d45bf68d96e9a8aa8175df2584978 (diff) | |
download | wydawca-2e027ea167726a3af7d9db366acef266752c6b1b.tar.gz wydawca-2e027ea167726a3af7d9db366acef266752c6b1b.tar.bz2 |
Fix privilege selection
-rw-r--r-- | src/directive.c | 4 | ||||
-rw-r--r-- | src/diskio.c | 4 | ||||
-rw-r--r-- | src/triplet.c | 4 | ||||
-rw-r--r-- | src/verify.c | 10 | ||||
-rw-r--r-- | src/wydawca.c | 26 | ||||
-rw-r--r-- | src/wydawca.h | 4 |
6 files changed, 41 insertions, 11 deletions
diff --git a/src/directive.c b/src/directive.c index ccea1ef..2915fee 100644 --- a/src/directive.c +++ b/src/directive.c @@ -334,15 +334,15 @@ process_directives (struct file_triplet *trp, const struct spool *spool) trp->file[file_directive].name, val); return 1; } break; case filename_dir: - wydawca_set_uid (0); + wydawca_set_root_privs (); rc = verify_detached_signature (trp, spool); - wydawca_set_uid (TRIPLET_UID (trp)); + wydawca_set_triplet_privs (trp); if (rc == 0) { if (move_file (trp, spool, file_dist, relative_dir) || move_file (trp, spool, file_signature, relative_dir)) return 1; } diff --git a/src/diskio.c b/src/diskio.c index c068e49..fbd1050 100644 --- a/src/diskio.c +++ b/src/diskio.c @@ -121,15 +121,15 @@ create_directory (const char *base, const char *name, uid_t uid, gid_t gid) size_t baselen; char *dir = concat_dir (base, name, &baselen); if (!dry_run_mode) { int rc; - wydawca_set_uid (0); + wydawca_set_root_privs (); rc = create_hierarchy (dir, baselen, uid, gid); - wydawca_set_uid (uid); + wydawca_set_privs (uid, gid); if (rc) { free (dir); dir = NULL; } } diff --git a/src/triplet.c b/src/triplet.c index a79d28a..614e2b5 100644 --- a/src/triplet.c +++ b/src/triplet.c @@ -196,16 +196,16 @@ triplet_processor (void *data, void *proc_data) switch (check_triplet_state (trp)) { case triplet_directive: case triplet_complete: if (debug_level) logmsg (LOG_DEBUG, _("processing triplet `%s'"), trp->name); - if (wydawca_set_uid (TRIPLET_UID (trp)) == 0) + if (wydawca_set_triplet_privs (trp) == 0) { process_directives (trp, spool); - wydawca_set_uid (0); + wydawca_set_root_privs (); } return true; case triplet_incomplete: if (debug_level) logmsg (LOG_DEBUG, _("%s: incomplete triplet"), trp->name); diff --git a/src/verify.c b/src/verify.c index 522b865..d419df5 100644 --- a/src/verify.c +++ b/src/verify.c @@ -98,16 +98,22 @@ check_access_rights (struct file_triplet *trp, const struct spool *spool, struct access_method *method = spool->access_method[verify_method]; int rc; char *command; const char *result; struct metadef def[5]; void *md; - + struct group *grp; + if (fill_project_name (trp)) return 1; - + grp = getgrnam (trp->project); + if (grp) + trp->gid = grp->gr_gid; + else + logmsg (LOG_NOTICE, _("no such group: %s"), trp->project); + if (debug_level) logmsg (LOG_DEBUG, _("verifying access rights for user %s to project %s"), user, trp->project); md = method_open (method); if (!md) diff --git a/src/wydawca.c b/src/wydawca.c index b121959..48c27e9 100644 --- a/src/wydawca.c +++ b/src/wydawca.c @@ -262,13 +262,13 @@ collect_uids (int argc, char **argv) else uidv[i] = pw->pw_uid; } } -int +static int wydawca_set_uid (uid_t uid) { int rc; if (getuid () != 0) return 0; @@ -284,13 +284,13 @@ wydawca_set_uid (uid_t uid) if (rc < 0) logmsg (LOG_ERR, _("cannot switch to UID %d: %s (r=%d, e=%d)"), uid, strerror (errno), getuid (), geteuid ()); return rc; } -int +static int wydawca_set_gid (gid_t gid) { int rc; if (getuid () != 0) return 0; @@ -306,12 +306,34 @@ wydawca_set_gid (gid_t gid) if (rc < 0) logmsg (LOG_ERR, _("cannot switch to GID %d: %s (r=%d, e=%d)"), gid, strerror (errno), getgid (), getegid ()); return rc; } +int +wydawca_set_privs (uid_t uid, gid_t gid) +{ + if (wydawca_set_gid (gid)) + return -1; + if (wydawca_set_uid (uid)) + return -1; + return 0; +} + +int +wydawca_set_triplet_privs (struct file_triplet *trp) +{ + return wydawca_set_privs (TRIPLET_UID (trp), TRIPLET_GID (trp)); +} + +int +wydawca_set_root_privs () +{ + return wydawca_set_privs (0, 0); +} + char **x_argv; extern int reconfigure; void wydawca_daemon () diff --git a/src/wydawca.h b/src/wydawca.h index 863200f..f786271 100644 --- a/src/wydawca.h +++ b/src/wydawca.h @@ -425,13 +425,15 @@ int directive_next (struct file_triplet *trp, int n, const char **pkey, const char **pval); int process_directives (struct file_triplet *trp, const struct spool *spool); int enabled_spool_p (const struct spool *spool); -int wydawca_set_uid (uid_t uid); +int wydawca_set_privs (uid_t uid, gid_t gid); +int wydawca_set_triplet_privs (struct file_triplet *trp); +int wydawca_set_root_privs (void); int parse_time_interval (const char *str, time_t *pint, const char **endp); /* config.c */ |