mirror of
git://sourceware.org/git/glibc.git
synced 2024-11-21 01:12:26 +08:00
Update.
2002-01-17 Ulrich Drepper <drepper@redhat.com> * nscd/nscd.c (drop_privileges): Removed. Adjust caller. * nscd/connections.c (begin_drop_privileges): New function. (finish_drop_privileges): New function. (nscd_init): Call the new functions which also install all groups for the server user. 2002-01-17 H.J. Lu <hjl@gnu.org> * sysdeps/mips/dl-machine.h (__dl_runtime_resolve): Remove `const' from `got'.
This commit is contained in:
parent
52831fb870
commit
057685e461
13
ChangeLog
13
ChangeLog
@ -1,3 +1,16 @@
|
||||
2002-01-17 Ulrich Drepper <drepper@redhat.com>
|
||||
|
||||
* nscd/nscd.c (drop_privileges): Removed. Adjust caller.
|
||||
* nscd/connections.c (begin_drop_privileges): New function.
|
||||
(finish_drop_privileges): New function.
|
||||
(nscd_init): Call the new functions which also install all groups
|
||||
for the server user.
|
||||
|
||||
2002-01-17 H.J. Lu <hjl@gnu.org>
|
||||
|
||||
* sysdeps/mips/dl-machine.h (__dl_runtime_resolve): Remove
|
||||
`const' from `got'.
|
||||
|
||||
2002-01-17 Martin Schwidefsky <schwidefsky@de.ibm.com>
|
||||
|
||||
* sysdeps/unix/sysv/linux/s390/s390-64/getcontext.S: Use 64 bit
|
||||
|
@ -1,5 +1,5 @@
|
||||
/* Inner loops of cache daemon.
|
||||
Copyright (C) 1998, 1999, 2000, 2001 Free Software Foundation, Inc.
|
||||
Copyright (C) 1998, 1999, 2000, 2001, 2002 Free Software Foundation, Inc.
|
||||
This file is part of the GNU C Library.
|
||||
Contributed by Ulrich Drepper <drepper@cygnus.com>, 1998.
|
||||
|
||||
@ -21,7 +21,10 @@
|
||||
#include <assert.h>
|
||||
#include <error.h>
|
||||
#include <errno.h>
|
||||
#include <grp.h>
|
||||
#include <pthread.h>
|
||||
#include <pwd.h>
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <unistd.h>
|
||||
#include <libintl.h>
|
||||
@ -35,6 +38,24 @@
|
||||
#include "nscd.h"
|
||||
#include "dbg_log.h"
|
||||
|
||||
/* Wrapper functions with error checking for standard functions. */
|
||||
extern void *xmalloc (size_t n);
|
||||
extern void *xcalloc (size_t n, size_t s);
|
||||
extern void *xrealloc (void *o, size_t n);
|
||||
|
||||
/* Support to run nscd as an unprivileged user */
|
||||
const char *server_user;
|
||||
static uid_t server_uid;
|
||||
static gid_t server_gid;
|
||||
static gid_t *server_groups;
|
||||
#ifndef NGROUPS
|
||||
# define NGROUPS 32
|
||||
#endif
|
||||
static int server_ngroups = NGROUPS;
|
||||
|
||||
static void begin_drop_privileges (void);
|
||||
static void finish_drop_privileges (void);
|
||||
|
||||
|
||||
/* Mapping of request type to database. */
|
||||
static const dbtype serv2db[LASTDBREQ + 1] =
|
||||
@ -125,6 +146,19 @@ nscd_init (const char *conffile)
|
||||
dbg_log (_("cannot read configuration file; this is fatal"));
|
||||
exit (1);
|
||||
}
|
||||
|
||||
/* Secure mode and unprivileged mode are incompatible */
|
||||
if (server_user != NULL && secure_in_use)
|
||||
{
|
||||
dbg_log (_("Cannot run nscd in secure mode as unprivileged user"));
|
||||
exit (1);
|
||||
}
|
||||
|
||||
/* Look up unprivileged uid/gid/groups before we start listening on the
|
||||
socket */
|
||||
if (server_user != NULL)
|
||||
begin_drop_privileges ();
|
||||
|
||||
if (nthreads == -1)
|
||||
/* No configuration for this value, assume a default. */
|
||||
nthreads = 2 * lastdb;
|
||||
@ -184,6 +218,10 @@ nscd_init (const char *conffile)
|
||||
strerror (errno));
|
||||
exit (1);
|
||||
}
|
||||
|
||||
/* Change to unprivileged uid/gid/groups if specifed in config file */
|
||||
if (server_user != NULL)
|
||||
finish_drop_privileges ();
|
||||
}
|
||||
|
||||
|
||||
@ -535,3 +573,68 @@ start_threads (void)
|
||||
|
||||
nscd_run ((void *) 0);
|
||||
}
|
||||
|
||||
|
||||
/* Look up the uid, gid, and supplementary groups to run nscd as. When
|
||||
this function is called, we are not listening on the nscd socket yet so
|
||||
we can just use the ordinary lookup functions without causing a lockup */
|
||||
static void
|
||||
begin_drop_privileges (void)
|
||||
{
|
||||
struct passwd *pwd;
|
||||
|
||||
pwd = getpwnam (server_user);
|
||||
|
||||
if (pwd == NULL)
|
||||
{
|
||||
dbg_log (_("Failed to run nscd as user '%s'"), server_user);
|
||||
error (EXIT_FAILURE, 0, _("Failed to run nscd as user '%s'"),
|
||||
server_user);
|
||||
}
|
||||
|
||||
server_uid = pwd->pw_uid;
|
||||
server_gid = pwd->pw_gid;
|
||||
|
||||
server_groups = (gid_t *) xmalloc (server_ngroups * sizeof (gid_t));
|
||||
|
||||
if (getgrouplist (server_user, server_gid, server_groups, &server_ngroups)
|
||||
== 0)
|
||||
return;
|
||||
|
||||
server_groups = (gid_t *) xrealloc (server_groups,
|
||||
server_ngroups * sizeof (gid_t));
|
||||
|
||||
if (getgrouplist (server_user, server_gid, server_groups, &server_ngroups)
|
||||
== -1)
|
||||
{
|
||||
dbg_log (_("Failed to run nscd as user '%s'"), server_user);
|
||||
error (EXIT_FAILURE, errno, _("getgrouplist failed"));
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
/* Call setgroups(), setgid(), and setuid() to drop root privileges and
|
||||
run nscd as the user specified in the configuration file. */
|
||||
static void
|
||||
finish_drop_privileges (void)
|
||||
{
|
||||
if (setgroups (server_ngroups, server_groups) == -1)
|
||||
{
|
||||
dbg_log (_("Failed to run nscd as user '%s'"), server_user);
|
||||
error (EXIT_FAILURE, errno, _("setgroups failed"));
|
||||
}
|
||||
|
||||
if (setgid (server_gid) == -1)
|
||||
{
|
||||
dbg_log (_("Failed to run nscd as user '%s'"), server_user);
|
||||
perror ("setgid");
|
||||
exit (1);
|
||||
}
|
||||
|
||||
if (setuid (server_uid) == -1)
|
||||
{
|
||||
dbg_log (_("Failed to run nscd as user '%s'"), server_user);
|
||||
perror ("setuid");
|
||||
exit (1);
|
||||
}
|
||||
}
|
||||
|
41
nscd/nscd.c
41
nscd/nscd.c
@ -23,11 +23,9 @@
|
||||
#include <assert.h>
|
||||
#include <errno.h>
|
||||
#include <error.h>
|
||||
#include <grp.h>
|
||||
#include <libintl.h>
|
||||
#include <locale.h>
|
||||
#include <pthread.h>
|
||||
#include <pwd.h>
|
||||
#include <signal.h>
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
@ -63,7 +61,6 @@ int do_shutdown;
|
||||
int disabled_passwd;
|
||||
int disabled_group;
|
||||
int go_background = 1;
|
||||
const char *server_user;
|
||||
|
||||
int secure[lastdb];
|
||||
int secure_in_use;
|
||||
@ -71,7 +68,6 @@ static const char *conffile = _PATH_NSCDCONF;
|
||||
|
||||
static int check_pid (const char *file);
|
||||
static int write_pid (const char *file);
|
||||
static void drop_privileges (void);
|
||||
|
||||
/* Name and version of program. */
|
||||
static void print_version (FILE *stream, struct argp_state *state);
|
||||
@ -169,10 +165,6 @@ main (int argc, char **argv)
|
||||
/* Init databases. */
|
||||
nscd_init (conffile);
|
||||
|
||||
/* Change to unprivileged UID if specifed in config file */
|
||||
if(server_user && !secure_in_use)
|
||||
drop_privileges ();
|
||||
|
||||
/* Handle incoming requests */
|
||||
start_threads ();
|
||||
|
||||
@ -373,36 +365,3 @@ write_pid (const char *file)
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
/* Look up the uid and gid associated with the user we are supposed to run
|
||||
the server as, and then call setgid(), setgroups(), and setuid().
|
||||
Otherwise, abort- we should not run as root if the configuration file
|
||||
specifically tells us not to. */
|
||||
|
||||
static void
|
||||
drop_privileges (void)
|
||||
{
|
||||
int buflen = 256;
|
||||
char *buffer = alloca (buflen);
|
||||
struct passwd resultbuf;
|
||||
struct passwd *pwd;
|
||||
|
||||
while (__getpwnam_r (server_user, &resultbuf, buffer, buflen, &pwd) != 0
|
||||
&& errno == ERANGE)
|
||||
{
|
||||
errno = 0;
|
||||
buflen += 256;
|
||||
buffer = alloca (buflen);
|
||||
}
|
||||
|
||||
if(!pwd)
|
||||
{
|
||||
dbg_log (_("Failed to look up user '%s' to run server as"),
|
||||
server_user);
|
||||
exit(1);
|
||||
}
|
||||
|
||||
setgroups (0, NULL);
|
||||
setgid (pwd->pw_gid);
|
||||
setuid (pwd->pw_uid);
|
||||
}
|
||||
|
@ -276,8 +276,8 @@ __dl_runtime_resolve (ElfW(Word) sym_index, \
|
||||
= (const void *) D_PTR (l, l_info[DT_SYMTAB]); \
|
||||
const char *strtab \
|
||||
= (const void *) D_PTR (l, l_info[DT_STRTAB]); \
|
||||
const ElfW(Addr) *got \
|
||||
= (const ElfW(Addr) *) D_PTR (l, l_info[DT_PLTGOT]); \
|
||||
ElfW(Addr) *got \
|
||||
= (ElfW(Addr) *) D_PTR (l, l_info[DT_PLTGOT]); \
|
||||
const ElfW(Word) local_gotno \
|
||||
= (const ElfW(Word)) l->l_info[DT_MIPS (LOCAL_GOTNO)]->d_un.d_val; \
|
||||
const ElfW(Word) gotsym \
|
||||
|
Loading…
Reference in New Issue
Block a user