-rw-r--r-- | src/config.c | 15 | ||||
-rw-r--r-- | src/fastd.c | 23 | ||||
-rw-r--r-- | src/fastd.h | 3 |
3 files changed, 36 insertions, 5 deletions
diff --git a/src/config.c b/src/config.c
index 2d387f3..b857d60 100644
--- a/src/config.c
+++ b/src/config.c
@@ -848,6 +848,20 @@ static void configure_user(fastd_context_t *ctx, fastd_config_t *conf) {
 conf->gid = grpr->gr_gid;
 }
+
+ if (conf->user) {
+ int ngroups = 0;
+ if (getgrouplist(conf->user, conf->gid, NULL, &ngroups) < 0) {
+ /* the user has supplementary groups */
+
+ conf->groups = calloc(ngroups, sizeof(gid_t));
+ if (getgrouplist(conf->user, conf->gid, conf->groups, &ngroups) < 0)
+ exit_errno(ctx, "getgrouplist");
+
+ conf->n_groups = ngroups;
+ }
+ }
+
 }
 void fastd_configure(fastd_context_t *ctx, fastd_config_t *conf, int argc, char *const argv[]) {
@@ -1036,6 +1050,7 @@ void fastd_config_release(fastd_context_t *ctx, fastd_config_t *conf) {
 free(conf->user);
 free(conf->group);
+ free(conf->groups);
 free(conf->ifname);
 free(conf->secret);
 free(conf->on_up);
diff --git a/src/fastd.c b/src/fastd.c
index 22d64b9..3b72922 100644
--- a/src/fastd.c
+++ b/src/fastd.c
@@ -1037,11 +1037,6 @@ static void set_user(fastd_context_t *ctx) {
 if (setgid(ctx->conf->gid) < 0)
 exit_errno(ctx, "setgid");
- if (setgroups(1, &ctx->conf->gid) < 0) {
- if (errno != EPERM)
- pr_debug_errno(ctx, "setgroups");
- }
-
 if (setuid(ctx->conf->uid) < 0)
 exit_errno(ctx, "setuid");
@@ -1049,6 +1044,21 @@ static void set_user(fastd_context_t *ctx) {
 }
 }
+static void set_groups(fastd_context_t *ctx) {
+ if (ctx->conf->groups) {
+ if (setgroups(ctx->conf->n_groups, ctx->conf->groups) < 0) {
+ if (errno != EPERM)
+ pr_debug_errno(ctx, "setgroups");
+ }
+ }
+ else if (ctx->conf->user || ctx->conf->group) {
+ if (setgroups(1, &ctx->conf->gid) < 0) {
+ if (errno != EPERM)
+ pr_debug_errno(ctx, "setgroups");
+ }
+ }
+}
+
 static void drop_caps(fastd_context_t *ctx) {
 set_user(ctx);
 fastd_cap_drop(ctx);
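Review bot: The result of `calloc(ngroups, sizeof(gid_t))` in configure_user is handed to the second `getgrouplist()` without a NULL check, so an allocation failure becomes a write through a null pointer inside libc instead of a clean error; since the surrounding code already treats failure as fatal, add `if (!conf->groups) exit_errno(ctx, "calloc");` right after the allocation. The comment `/* the user has supplementary groups */` is also loose: with glibc a zero-sized buffer is always too small (the primary group alone needs one slot), so `-1` here means "ngroups now holds the required count", which is what the code relies on; `/* zero-sized probe: -1 means ngroups now holds the required size */` would say that. If the group database changes between the two calls the second one fails and the existing `exit_errno` path handles it, which is the safe fail-closed outcome. The body of configure_user starts outside the hunk.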
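Review bot: In the new set_groups a failed `setgroups()` is only reported through `pr_debug_errno` unless errno is EPERM, while the `setgid`/`setuid` calls in set_user are fatal via `exit_errno`. If fastd is started with privileges and `setgroups` fails for another reason (for example EINVAL when `n_groups` exceeds the kernel's group limit), the daemon keeps the supplementary groups it inherited instead of the configured set, which defeats the point of setting them; consider `if (errno != EPERM) exit_errno(ctx, "setgroups");` in both branches, keeping the EPERM tolerance for unprivileged runs. The same non-fatal policy was already in the code removed from set_user in the -1037 hunk, so this is pre-existing rather than introduced here, but the commit is the natural place to fix it.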
@@ -1089,6 +1099,9 @@ int main(int argc, char *argv[]) {
 fastd_cap_init(&ctx);
+ /* change groups early as the can be relevant for file access (for PID file & log files) */
+ set_groups(&ctx);
+
 crypto_init(&ctx);
 init_sockets(&ctx);
diff --git a/src/fastd.h b/src/fastd.h
index df84c97..5323c1c 100644
--- a/src/fastd.h
+++ b/src/fastd.h
@@ -199,8 +199,11 @@ struct fastd_config {
 char *user;
 char *group;
+ uid_t uid;
 gid_t gid;
+ size_t n_groups;
+ gid_t *groups;
 const fastd_protocol_t *protocol;
 const fastd_method_t *methods[MAX_METHODS];
|
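Review bot: The comment added above `set_groups(&ctx)` has a typo (`the` for `they`) and does not state the ordering constraint it encodes, namely that the call must happen while the process still has the privilege to call `setgroups` and before any file is created. Something like `/* set supplementary groups now, while still privileged, so PID and log files are created with the configured group set; uid/gid are dropped later */` makes both points explicit. That the uid/gid drop happens later via drop_caps()/set_user() is inferred from the -1049 hunk and not visible in this hunk; main continues outside the hunk.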
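Review bot: The new `n_groups`/`groups` members carry an ownership contract that the header does not document: `groups` is heap-allocated in configure_user(), released in fastd_config_release(), and `n_groups` is only meaningful while `groups` is non-NULL. A comment on `gid_t *groups;` such as `/* supplementary groups of `user`; allocated in configure_user(), freed in fastd_config_release(); NULL when none were resolved */` would save the next reader a search. Separately, `setuid(ctx->conf->uid)` already appears as unchanged context in the -1037 hunk of fastd.c while `uid_t uid;` is only added here, which is surprising; presumably `uid` was declared somewhere not shown, but it is worth confirming there is no second `uid` member in the struct.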