Date: Mon, 29 Jan 2007 21:30:22 GMT From: Mike Pritchard <mpp@mppsystems.com> To: freebsd-bugs@FreeBSD.org Subject: Re: bin/108523: [patch] daemon(8): support for dropping privileges Message-ID: <200701292130.l0TLUM2r093285@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
The following reply was made to PR bin/108523; it has been noted by GNATS. From: Mike Pritchard <mpp@mail.mppsystems.com> To: Dmitri Alenitchev <dmitri@dworlds.ru> Cc: FreeBSD-gnats-submit@FreeBSD.org Subject: Re: bin/108523: [patch] daemon(8): support for dropping privileges Date: Mon, 29 Jan 2007 14:59:21 -0600 On Mon, Jan 29, 2007 at 09:13:23PM +0300, Dmitri Alenitchev wrote: > > >Number: 108523 > >Category: bin > >Synopsis: [patch] daemon(8): support for dropping privileges > >Description: > support for dropping privileges to specified user and/or group > >How-To-Repeat: > > >Fix: > @@ -109,9 +126,32 @@ > } > > static void > +restrict_process(const char *user, const char *group) > +{ > + struct group *gr = NULL; > + struct passwd *pw = NULL; > + errno = 0; > + > + if (group != NULL) { > + if ((gr = getgrnam(group)) == NULL) > + errx(1, "Group %s does not exist", group); > + if (setregid(gr->gr_gid, gr->gr_gid) == -1) > + err(1, "%s", group); > + } > + > + if (user != NULL) { > + if ((pw = getpwnam(user)) == NULL) > + errx(1, "User %s does not exist", user); > + if (setreuid(pw->pw_uid, pw->pw_uid) == -1) > + err(1, "%s", user); > + } > +} The group list should also be set with initgroups(). And I think setgid() and setuid() are the preferred methods of changing the gid/uid, not setre*id(). -- Mike Pritchard mpp @ mppsystems.com or mpp @ FreeBSD.org "If tyranny and oppression come to this land, it will be in the guise of fighting a foreign enemy." - James Madison (1787)
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200701292130.l0TLUM2r093285>