From ead09f111e83a004c0d4116461937f3b1ac03e89 Mon Sep 17 00:00:00 2001
From: Marcos Del Sol Vives
Date: Thu, 24 Oct 2019 18:24:31 +0200
Subject: [PATCH 1/3] Inherit supplementary groups if no group has been specified
---
src/sniproxy.c | 25 +++++++++++++++++++++----
1 file changed, 21 insertions(+), 4 deletions(-)
diff --git a/src/sniproxy.c b/src/sniproxy.c
index 9484294b..251618f9 100644
--- a/src/sniproxy.c
+++ b/src/sniproxy.c
@@ -233,11 +233,28 @@ drop_perms(const char *username, const char *groupname) {
 fatal("getgrnam(): group %s does not exist", groupname);
 gid = group->gr_gid;
- }
- /* drop any supplementary groups */
- if (setgroups(1, &gid) < 0)
- fatal("setgroups(): %s", strerror(errno));
+ /* drop any supplementary groups */
+ if (setgroups(1, &gid) < 0)
+ fatal("setgroups(): %s", strerror(errno));
+ } else {
+ /* if no group has been specified, load user's supplementary groups */
+ int ngroups = 0;
+ if (getgrouplist(user->pw_name, user->pw_gid, NULL, &ngroups) != -1)
+ fatal("getgrouplist(): %s", strerror(errno));
+ gid_t *groups = malloc(ngroups * sizeof(gid_t));
+ if (groups == NULL)
+ fatal("malloc(): %s", strerror(errno));
+ if (getgrouplist(user->pw_name, user->pw_gid, groups, &ngroups) < 0)
+ fatal("getgrouplist(): %s", strerror(errno));
+ if (setgroups(ngroups, groups) < 0)
+ fatal("setgroups(): %s", strerror(errno));
+ free(groups);
+ }
 /* set the main gid */
 if (setgid(gid) < 0)
From dca7ed935cc1a14829f2fa24e522ef1d2685feb7 Mon Sep 17 00:00:00 2001
From: Marcos Del Sol Vives
Date: Thu, 24 Oct 2019 18:35:37 +0200
Subject: [PATCH 2/3] Use returned group number from getgrouplist to avoid race conditions
---
src/sniproxy.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/sniproxy.c b/src/sniproxy.c
index 251618f9..697605c9 100644
--- a/src/sniproxy.c
+++ b/src/sniproxy.c
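Review bot: The two `fatal("getgrouplist(): %s", strerror(errno))` calls in the new else-branch print an errno that getgrouplist(3) is not documented to set — on glibc the too-small-buffer case returns -1 without touching errno, so the message will show whatever an earlier call left behind — and the size-probe idiom itself (`NULL` buffer, `ngroups = 0`, expect -1 with the required count written back) is glibc behaviour that the FreeBSD and macOS man pages do not promise, so this path is not portable to the other platforms sniproxy targets. Since the branch exists only to install the user's supplementary groups from the group database, the portable and far shorter form is the call designed for exactly that, `if (initgroups(user->pw_name, user->pw_gid) < 0)` / `    fatal("initgroups(): %s", strerror(errno));`, which removes the malloc, the double call and the count bookkeeping and needs no more privilege than the `setgroups()` already in this branch. If the hand-rolled version is kept, the `malloc(ngroups * sizeof(gid_t))` should reject `ngroups <= 0` before allocating (malloc(0) may legitimately return NULL and trigger the `malloc()` fatal), and the count handed to `setgroups()` should be the one the filling call reports rather than the one from the probe. drop_perms() begins before this hunk and continues after it.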
@@ -247,7 +247,8 @@ drop_perms(const char *username, const char *groupname) {
 if (groups == NULL)
 fatal("malloc(): %s", strerror(errno));
- if (getgrouplist(user->pw_name, user->pw_gid, groups, &ngroups) < 0)
+ ngroups = getgrouplist(user->pw_name, user->pw_gid, groups, &ngroups);
+ if (ngroups < 0)
 fatal("getgrouplist(): %s", strerror(errno));
 if (setgroups(ngroups, groups) < 0)
From 25143ef5c80e038ab950164a5c7e706dd1455d8e Mon Sep 17 00:00:00 2001
From: Marcos Del Sol Vives
Date: Fri, 25 Oct 2019 00:36:47 +0200
Subject: [PATCH 3/3] Added groupname to sniproxy.conf man file
---
man/sniproxy.conf.5 | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/man/sniproxy.conf.5 b/man/sniproxy.conf.5
index d553d25d..9aaf2be4 100644
--- a/man/sniproxy.conf.5
+++ b/man/sniproxy.conf.5
@@ -28,6 +28,21 @@ username daemon
 Specify the user sniproxy will run as. When sniproxy is launched as super
 user, it will drop permissions to this user.
+.SS GROUPNAME
+ .PP
+ .nf
+ groupname daemon
+ .fi
+ .PP
+ Overrides the group sniproxy will run as. When sniproxy is launched as super
+ user, it will change its primary group to this, and drop all supplementary
+ groups.
+ If this parameter is not specified, the primary group and supplementary groups
+ will be taken from the user sniproxy is running as.
+
 .SS PIDFILE
 .PP
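Review bot: The new `ngroups = getgrouplist(user->pw_name, user->pw_gid, groups, &ngroups);` makes the following `setgroups(ngroups, groups)` depend on the function's success return value, and that value is not portable: glibc returns the number of groups stored, but the FreeBSD and macOS man pages document a return of 0 on success, so on those systems the daemon would call `setgroups(0, groups)` and silently run with no supplementary groups — the opposite of what patch 1 set out to do. It also does not deliver what the subject line promises: when the group list grew between the probe and this call, glibc returns -1 (writing the new required count to `*ngroups`), so the race still ends in `fatal()` rather than being tolerated, exactly as the removed `< 0` test already did. Keeping `if (getgrouplist(user->pw_name, user->pw_gid, groups, &ngroups) < 0)` and using the count written back through the pointer, or replacing the whole probe/malloc/fill sequence with `initgroups(user->pw_name, user->pw_gid)`, behaves correctly on all three platforms. drop_perms() begins before this hunk and continues after it.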