-rw-r--r--src/config.c15
-rw-r--r--src/fastd.c23
-rw-r--r--src/fastd.h3
3 files changed, 36 insertions, 5 deletions
diff --git a/src/config.c b/src/config.c
index 2d387f3..b857d60 100644
--- a/src/config.c
+++ b/src/config.c
@@ -848,6 +848,20 @@ static void configure_user(fastd_context_t *ctx, fastd_config_t *conf) {
conf->gid = grpr->gr_gid;
}
+
+ if (conf->user) {
+ int ngroups = 0;
+ if (getgrouplist(conf->user, conf->gid, NULL, &ngroups) < 0) {
+ /* the user has supplementary groups */
+
+ conf->groups = calloc(ngroups, sizeof(gid_t));
+ if (getgrouplist(conf->user, conf->gid, conf->groups, &ngroups) < 0)
+ exit_errno(ctx, "getgrouplist");
+
+ conf->n_groups = ngroups;
+ }
+ }
+
}
void fastd_configure(fastd_context_t *ctx, fastd_config_t *conf, int argc, char *const argv[]) {
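Review bot: The result of `conf->groups = calloc(ngroups, sizeof(gid_t));` is handed to the second getgrouplist() call without a NULL check, so an allocation failure turns into a write through a null pointer instead of a clean exit; add `if (!conf->groups) exit_errno(ctx, "calloc");` right after the calloc, matching how the getgrouplist() failure two lines below is handled. The comment `/* the user has supplementary groups */` is also misleading: with a zero-length buffer getgrouplist() returns -1 whenever the list is non-empty, and on glibc the list always contains the gid passed in, so this branch is taken for every resolvable user; `/* getgrouplist() reports the required size in ngroups */` describes what actually happened. If the membership grows between the two calls the second one can also return -1 with a larger ngroups, which exit_errno() then treats as fatal — acceptable, but worth a one-line comment so it is not mistaken for a bug later.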
@@ -1036,6 +1050,7 @@ void fastd_config_release(fastd_context_t *ctx, fastd_config_t *conf) {
free(conf->user);
free(conf->group);
+ free(conf->groups);
free(conf->ifname);
free(conf->secret);
free(conf->on_up);
diff --git a/src/fastd.c b/src/fastd.c
index 22d64b9..3b72922 100644
--- a/src/fastd.c
+++ b/src/fastd.c
@@ -1037,11 +1037,6 @@ static void set_user(fastd_context_t *ctx) {
if (setgid(ctx->conf->gid) < 0)
exit_errno(ctx, "setgid");
- if (setgroups(1, &ctx->conf->gid) < 0) {
- if (errno != EPERM)
- pr_debug_errno(ctx, "setgroups");
- }
-
if (setuid(ctx->conf->uid) < 0)
exit_errno(ctx, "setuid");
@@ -1049,6 +1044,21 @@ static void set_user(fastd_context_t *ctx) {
}
}
+static void set_groups(fastd_context_t *ctx) {
+ if (ctx->conf->groups) {
+ if (setgroups(ctx->conf->n_groups, ctx->conf->groups) < 0) {
+ if (errno != EPERM)
+ pr_debug_errno(ctx, "setgroups");
+ }
+ }
+ else if (ctx->conf->user || ctx->conf->group) {
+ if (setgroups(1, &ctx->conf->gid) < 0) {
+ if (errno != EPERM)
+ pr_debug_errno(ctx, "setgroups");
+ }
+ }
+}
+
static void drop_caps(fastd_context_t *ctx) {
set_user(ctx);
fastd_cap_drop(ctx);
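Review bot: Both branches of the new set_groups() repeat the same setgroups()/EPERM/pr_debug_errno sequence and differ only in the (count, list) pair, so the function reads better if the pair is chosen first and setgroups() is called once; the rewritten body is below and is a pure restructuring. Separately, an EPERM from setgroups() is only logged at debug level, so when the process lacks CAP_SETGID it continues with the supplementary groups it inherited from its parent even though a user or group was explicitly configured; a warning-level message would make that visible to the operator. This mirrors the handling the commit removes from set_user(), so it is pre-existing behaviour rather than a regression, and the fence keeps pr_debug_errno for that reason.

```c
static void set_groups(fastd_context_t *ctx) {
	size_t n_groups;
	const gid_t *groups;

	if (ctx->conf->groups) {
		n_groups = ctx->conf->n_groups;
		groups = ctx->conf->groups;
	}
	else if (ctx->conf->user || ctx->conf->group) {
		/* no supplementary list resolved: only the configured gid */
		n_groups = 1;
		groups = &ctx->conf->gid;
	}
	else {
		return;
	}

	if (setgroups(n_groups, groups) < 0) {
		if (errno != EPERM)
			pr_debug_errno(ctx, "setgroups");
	}
}
```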
@@ -1089,6 +1099,9 @@ int main(int argc, char *argv[]) {
fastd_cap_init(&ctx);
+ /* change groups early as the can be relevant for file access (for PID file & log files) */
+ set_groups(&ctx);
+
crypto_init(&ctx);
init_sockets(&ctx);
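Review bot: The comment above the new set_groups() call has a typo (`the can` for `they can`) and is worth being explicit about the ordering constraint it documents, since drop_caps() later calls set_user() and setgroups() has to happen while the process still has the privilege to call it; suggest `/* change groups early: they can matter for file access (PID file & log files) and must precede set_user() */`. main() continues outside the hunk, so the position relative to crypto_init()/init_sockets() is the only part visible here.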
diff --git a/src/fastd.h b/src/fastd.h
index df84c97..5323c1c 100644
--- a/src/fastd.h
+++ b/src/fastd.h
@@ -199,8 +199,11 @@ struct fastd_config {
char *user;
char *group;
+
uid_t uid;
gid_t gid;
+ size_t n_groups;
+ gid_t *groups;
const fastd_protocol_t *protocol;
const fastd_method_t *methods[MAX_METHODS];
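Review bot: The two new fields `n_groups` and `groups` have no comment although `groups` is heap-owned: elsewhere in this commit it is allocated in configure_user() via calloc() and released in fastd_config_release(), and it stays NULL when no user is configured, which set_groups() relies on. Suggest a comment above `size_t n_groups;` such as `/* supplementary groups of user from getgrouplist(); NULL when unset, freed by fastd_config_release() */` so the ownership and the NULL-means-unset convention are recorded at the declaration. struct fastd_config continues outside the hunk.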