authorLaurent Bercot <ska-skaware@skarnet.org>2019-07-24 11:15:42 +0000
committerLaurent Bercot <ska-skaware@skarnet.org>2019-07-24 11:15:42 +0000
commit7c228abccd8fbb79c6aa41179069cac1abae8ac1 (patch)
treedfd9ea180799219f1357e8d4ce23602e6765e2ef
parent3ea6a4d085262d69379b4946b3e990dc0b613f65 (diff)
downloadnsss-7c228abccd8fbb79c6aa41179069cac1abae8ac1.tar.xz
nsssd: always drop privileges to the client's
-rw-r--r--src/nsssd/nsssd_main.c23
1 files changed, 22 insertions, 1 deletions
diff --git a/src/nsssd/nsssd_main.c b/src/nsssd/nsssd_main.c
index cc8a3f4..b26a74a 100644
--- a/src/nsssd/nsssd_main.c
+++ b/src/nsssd/nsssd_main.c
@@ -2,10 +2,13 @@
#include <string.h>
#include <errno.h>
+#include <unistd.h>
+#include <stdlib.h>
#include <skalibs/posixishard.h>
#include <skalibs/uint32.h>
#include <skalibs/uint64.h>
+#include <skalibs/types.h>
#include <skalibs/buffer.h>
#include <skalibs/strerr2.h>
#include <skalibs/tai.h>
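Review bot: The privilege drop this commit performs in nsssd_main (the hunk below) calls only setgid() and setuid(), so if nsssd is started as root with a non-empty supplementary group list those groups survive the drop; clearing them needs `setgroups(1, &gid)` (or `setgroups(0, NULL)`) before the `setgid(gid)` call, and that function is declared in `<grp.h>` on glibc/musl rather than the `<unistd.h>` added here, which is why the include list is where the omission first shows. Whether the daemon ever inherits supplementary groups depends on how it is launched, so this may be harmless in practice, but a privilege drop that is meant to be unconditional should not rely on the launcher's group list being empty. The nsssd_main hunk that contains the drop code ends outside this excerpt.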
@@ -382,7 +385,25 @@ static inline void do_spnam (void *a)
int nsssd_main (char const *const *argv, char const *const *envp)
{
- void *a = nsssd_handle_init() ;
+ void *a ;
+
+ /* If root, drop privileges to the client's, because shadow */
+
+ if (!geteuid())
+ {
+ uid_t uid ;
+ gid_t gid ;
+ char const *x = getenv("IPCREMOTEEGID") ;
+ if (!x) strerr_dienotset(100, "IPCREMOTEEGID") ;
+ if (!gid0_scan(x, &gid)) strerr_dieinvalid(100, "IPCREMOTEEGID") ;
+ if (setgid(gid) == -1) strerr_diefu2sys(111, "setgid to ", x) ;
+ x = getenv("IPCREMOTEEUID") ;
+ if (!x) strerr_dienotset(100, "IPCREMOTEEUID") ;
+ if (!uid0_scan(x, &uid)) strerr_dieinvalid(100, "IPCREMOTEEUID") ;
+ if (setuid(uid) == -1) strerr_diefu2sys(111, "setuid to ", x) ;
+ }
+
+ a = nsssd_handle_init() ;
if (ndelay_on(0) < 0) strerr_diefu1sys(111, "set stdin non-blocking") ;
tain_now_g() ;
if (!nsssd_handle_start(a, argv, envp))