Re: [Bacula-users] [Bacula-devel] New (tested) drop patch

[Kern Sibbald]

On Monday 10 July 2006 19:03, Martin Simmons wrote:
> >>>>> On Sat, 8 Jul 2006 10:09:02 +0200, Kern Sibbald said:
> >
> > Hello,
> >
> > Well Martin turned out to be right.  The order of the code in the
> > previous patch that I send did not at all work on Linux.  I still think
> > this must be Linux bug, but I also don't think that Linus is going to
> > agree :-)
> >
> > This time I have tested the patch here. I don't know why such simple
> > things should be so complicated, because it is virtually impossible to
> > guarantee that it works correctly.
> >
> > However, I am fairly confident that this new code will solve (or at least
> > begin solving) the access problems we have been seeing when users run the
> > Dir and SD as less privileged users/groups.
> >
> > Feedback would be welcome.
>
> It doesn't quite work (on FreeBSD 4.9 at least).  The problem is that the
> static pointer returned by getgrnam() is corrupted by the call to
> initgroups() and hence the call to setgid() sets the wrong group.
>
> Maybe you want to use the variable gid? :-)

Yes, good point.  Many thanks.  The same problem applies to uname (in some 
cases) and to pw_uid.  I've moved all those variables on to the stack.

Regards, 

Kern

  This patch will hopefully solve the problem of the group not
  being correctly initialized when a Bacula daemon does a to
  a new userid or a new groupid.

  It can be applied to most all versions of 1.38.x but in particular
  1.38.11 with the following:

  cd <bacula-source>
  patch -p0 <1.38.11-drop-3.patch
  make
  make install
  ...

Index: src/lib/bsys.c
===================================================================
RCS file: /cvsroot/bacula/bacula/src/lib/bsys.c,v
retrieving revision 1.42.2.4
diff -u -u -r1.42.2.4 bsys.c
--- src/lib/bsys.c	22 Dec 2005 21:35:24 -0000	1.42.2.4
+++ src/lib/bsys.c	10 Jul 2006 19:14:41 -0000
@@ -8,7 +8,7 @@
  *   Version $Id: bsys.c,v 1.42.2.4 2005/12/22 21:35:24 kerns Exp $
  */
 /*
-   Copyright (C) 2000-2005 Kern Sibbald
+   Copyright (C) 2000-2006 Kern Sibbald
 
    This program is free software; you can redistribute it and/or
    modify it under the terms of the GNU General Public License
@@ -600,38 +600,69 @@
 /*
  * Drop to privilege new userid and new gid if non-NULL
  */
-void drop(char *uid, char *gid)
+void drop(char *uname, char *gname)
 {
-#ifdef HAVE_GRP_H
-   if (gid) {
-      struct group *group;
-      gid_t gr_list[1];
-
-      if ((group = getgrnam(gid)) == NULL) {
-         Emsg1(M_ERROR_TERM, 0, _("Could not find specified group: %s\n"), gid);
-      }
-      if (setgid(group->gr_gid)) {
-         Emsg1(M_ERROR_TERM, 0, _("Could not set specified group: %s\n"), gid);
-      }
-      gr_list[0] = group->gr_gid;
-      if (setgroups(1, gr_list)) {
-         Emsg1(M_ERROR_TERM, 0, _("Could not set specified group: %s\n"), gid);
-      }
+#if   defined(HAVE_PWD_H) && defined(HAVE_GRP_H)
+   struct passwd *passw = NULL;
+   struct group *group = NULL;
+   gid_t gid;
+   uid_t uid;
+   char username[1000];         
+
+   Dmsg2(900, "uname=%s gname=%s\n", uname?uname:"NONE", gname?gname:"NONE");
+   if (!uname && !gname) {
+      return;                            /* Nothing to do */
    }
-#endif
 
-#ifdef HAVE_PWD_H
-   if (uid) {
-      struct passwd *passw;
-      if ((passw = getpwnam(uid)) == NULL) {
-         Emsg1(M_ERROR_TERM, 0, _("Could not find specified userid: %s\n"), uid);
+   if (uname) {
+      if ((passw = getpwnam(uname)) == NULL) {
+         berrno be;
+         Emsg2(M_ERROR_TERM, 0, _("Could not find userid=%s: ERR=%s\n"), uname,
+            be.strerror());
       }
-      if (setuid(passw->pw_uid)) {
-         Emsg1(M_ERROR_TERM, 0, _("Could not set specified userid: %s\n"), uid);
+   } else {
+      if ((passw = getpwuid(getuid())) == NULL) {
+         berrno be;
+         Emsg1(M_ERROR_TERM, 0, _("Could not find password entry. ERR=%s\n"),
+            be.strerror());
+      } else {
+         uname = passw->pw_name;
+      }
+   }
+   /* Any OS uname pointer may get overwritten, so save name, uid, and gid */
+   bstrncpy(username, uname, sizeof(username));
+   uid = passw->pw_uid;
+   gid = passw->pw_gid;
+   if (gname) {
+      if ((group = getgrnam(gname)) == NULL) {
+         berrno be;
+         Emsg2(M_ERROR_TERM, 0, _("Could not find group=%s: ERR=%s\n"), gname,
+            be.strerror());
       }
+      gid = group->gr_gid;
+   }
+   if (initgroups(username, gid)) {
+      berrno be;
+      if (gname) {
+         Emsg3(M_ERROR_TERM, 0, _("Could not initgroups for group=%s, userid=%s: ERR=%s\n"),         
+            gname, username, be.strerror());
+      } else {
+         Emsg2(M_ERROR_TERM, 0, _("Could not initgroups for userid=%s: ERR=%s\n"),         
+            username, be.strerror());
+      }
+   }
+   if (gname) {
+      if (setgid(gid)) {
+         berrno be;
+         Emsg2(M_ERROR_TERM, 0, _("Could not set group=%s: ERR=%s\n"), gname,
+            be.strerror());
+      }
+   }
+   if (setuid(uid)) {
+      berrno be;
+      Emsg1(M_ERROR_TERM, 0, _("Could not set specified userid: %s\n"), username);
    }
 #endif
-
 }
 
 

-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642

_______________________________________________
Bacula-users mailing list
Bacula-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-users