From 4034190b153aa685dc8d3a5a65eea731fc5f2252 Mon Sep 17 00:00:00 2001
From: Rayson Zhu
Date: Mon, 28 Nov 2016 16:42:35 -0600
Subject: [PATCH] Change supplementary groups after setgid. (#977)
---
 src/utils.c | 20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)
diff --git a/src/utils.c b/src/utils.c
index 9f201450..2c874e30 100644
--- a/src/utils.c
+++ b/src/utils.c
@@ -35,6 +35,7 @@
 #include
 #include
+#include
 #include "utils.h"
@@ -134,20 +135,25 @@ run_as(const char *user)
 if (setgid(pwd->pw_gid) != 0) {
 LOGE(
 "Could not change group id to that of run_as user '%s': %s",
- user, strerror(errno));
+ pwd->pw_name, strerror(errno));
+ return 0;
+ }
+
+ if (initgroups(pwd->pw_name, pwd->pw_gid) == -1) {
+ LOGE("Could not change supplementary groups for user '%s'.", pwd->pw_name);
 return 0;
 }
 if (setuid(pwd->pw_uid) != 0) {
 LOGE(
 "Could not change user id to that of run_as user '%s': %s",
- user, strerror(errno));
+ pwd->pw_name, strerror(errno));
 return 0;
 }
 break;
 } else if (err != ERANGE) {
 if (err) {
- LOGE("run_as user '%s' could not be found: %s", user, strerror(
+ LOGE("run_as user '%s' could not be found: %s", pwd->pw_name, strerror(
 err));
 } else {
 LOGE("run_as user '%s' could not be found.", user);
@@ -174,12 +180,16 @@ run_as(const char *user)
 /* setgid first, because we may not allowed to do it anymore after setuid */
 if (setgid(pwd->pw_gid) != 0) {
 LOGE("Could not change group id to that of run_as user '%s': %s",
- user, strerror(errno));
+ pwd->pw_name, strerror(errno));
+ return 0;
+ }
+ if (initgroups(pwd->pw_name, pwd->pw_gid) == -1) {
+ LOGE("Could not change supplementary groups for user '%s'.", pwd->pw_name);
 return 0;
 }
 if (setuid(pwd->pw_uid) != 0) {
 LOGE("Could not change user id to that of run_as user '%s': %s",
- user, strerror(errno));
+ pwd->pw_name, strerror(errno));
 return 0;
 }
 #endif
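Review bot: In the second hunk (`@@ -134,20 +135,25 @@`), the `if (err)` arm of the `else if (err != ERANGE)` branch now logs `pwd->pw_name`, but this is the lookup-failure path, where `pwd` is presumably NULL. The lookup call itself is outside the hunk, but the sibling `else` arm still logs `user`, which points the same way. Reporting a missing account would then dereference a null pointer and crash the process instead of returning a clean error. Keep the caller-supplied name on that line: `LOGE("run_as user '%s' could not be found: %s", user, strerror(err));`. The switch to `pwd->pw_name` is fine in the setgid/setuid messages, which sit inside the success branch; run_as's body starts and ends outside the hunk.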
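Review bot: The new `initgroups()` failure message in the third hunk (`@@ -174,12 +180,16 @@`), and the identical one in the second hunk, omits the errno text that the neighbouring setgid/setuid messages include. An operator then cannot tell a permission failure from a resource failure when the privilege drop is refused. Suggest `LOGE("Could not change supplementary groups for user '%s': %s", pwd->pw_name, strerror(errno));`, and testing `!= 0` to match the other two calls. Setting supplementary groups needs privilege, so if run_as can be reached by a process that is already unprivileged (not visible here), this call would now fail where setgid/setuid to the process's own ids used to succeed. That case deserves a comment or an explicit check. run_as's body starts outside the hunk.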