From 1f3432b4db6ab787634fa5abc208a933a49ee4df Mon Sep 17 00:00:00 2001
From: Don Lewis
Date: Wed, 21 Jun 2000 11:10:41 +0000
Subject: [PATCH] Initialize supplementary groups. Ensure that a LOG_NOTICE syslog is always generated when the program is invoked generated when the program is invoked an obvious error.
Submitted by: Phil Pennock
---
 security/chrootuid/files/patch-ac | 137 ++++++++++++++++++++++++++++++
 security/chrootuid/files/patch-ad | 11 +++
 2 files changed, 148 insertions(+)
 create mode 100644 security/chrootuid/files/patch-ac
 create mode 100644 security/chrootuid/files/patch-ad
diff --git a/security/chrootuid/files/patch-ac b/security/chrootuid/files/patch-ac
new file mode 100644
index 000000000000..46421c8f859a
--- /dev/null
+++ b/security/chrootuid/files/patch-ac
@@ -0,0 +1,137 @@
+Message #30124 (162 lines)
+From phil@globnix.org Fri Mar 31 01:56:37 2000
+Date: Fri, 31 Mar 2000 11:56:07 +0200
+From: Phil Pennock
+To: truckman@FreeBSD.org, wietse@PORCUPINE.ORG
+Subject: chrootuid patch for *BSD
+Organisation: Organisation? Here? No, over there ---->
+X-NIC-Handles: COCO-149560 (ignore PP8185)
+X-Disclaimer: Any views expressed in this message, where not explicitly
+ attributed otherwise, are mine and mine alone. Such views
+ do not necessarily coincide with those of any organisation
+ or company with which I am or have been affiliated.
+X-Phase-of-Moon: The Moon is Waning Crescent (20% of Full)
+X-No-HTML: Phil Pennock
+"We've got a patent on the conquering of a country through the use of force.
+ We believe in world peace through extortionate license fees." -Bluemeat
+
+--ikeVEW9yuYc//A+q
+Content-Type: text/plain; charset=us-ascii
+Content-Disposition: attachment; filename="chrootuid.patch"
+
+--- chrootuid.c.orig Fri Mar 31 10:56:38 2000
++++ chrootuid.c Fri Mar 31 11:47:31 2000
+@@ -34,6 +34,7 @@
+ /* VERSION/RELEASE
+ /* 1.2
+ /*--*/
++/* MODIFIED FROM ORIGINAL SOURCE! */
+
+ #ifndef lint
+ static char sccsid[] = "@(#) chrootuid.c 1.2 93/08/15 22:19:27";
+@@ -41,14 +42,25 @@
+
+ /* System libraries. */
+
++#include
+ #include
+ #include
++#include
++#ifdef USE_SYSCTL
++# include
++# include
++#else
++# ifndef NGROUPS
++# define NGROUPS 16
++# endif
++#endif
+
+-main(argc, argv)
+-int argc;
+-char **argv;
++int
++main(int argc, char *argv[])
+ {
+ struct passwd *pwd;
++ int *groups;
++ int ngroups;
+
+ /*
+ * Open a channel to the syslog daemon. Older versions of openlog()
+@@ -71,6 +83,10 @@
+ syslog(LOG_ERR, "usage: %s path user command", argv[0]);
+ return (0);
+ }
++
++ syslog(LOG_NOTICE, "chrootuid: dir(%s) user(%s) command(%s)",
++ argv[1], argv[2], argv[3]);
++
+ /* Must step into the new subtree. */
+
+ if (chdir(argv[1])) {
+@@ -83,6 +99,30 @@
+ syslog(LOG_ERR, "%s: user unknown", argv[2]);
+ return (0);
+ }
++#ifdef USE_SYSCTL
++ {
++ int mib[2];
++ size_t len;
++
++ mib[0] = CTL_KERN;
++ mib[1] = KERN_NGROUPS;
++ len = sizeof(ngroups);
++ if (sysctl(mib, 2, &ngroups, &len, NULL, 0)) {
++ syslog(LOG_ERR, "failed to get kern.ngroups: %m");
++ return (0);
++ }
++ }
++#else
++ ngroups = NGROUPS;
++#endif
++ if (!(groups = calloc(ngroups, sizeof(int)))) {
++ syslog(LOG_ERR, "failed to allocate memory: %m");
++ return (0);
++ }
++ if (getgrouplist(argv[2], pwd->pw_gid, groups, &ngroups) == -1) {
++ syslog(LOG_WARNING, "failed to get all groups for user '%s': %m",
++ argv[2]);
++ }
+ /* Do the chroot() before giving away root privileges. */
+
+ if (chroot(argv[1])) {
+@@ -94,6 +134,9 @@
+ if (setgid(pwd->pw_gid)) {
+ syslog(LOG_ERR, "setgid(%d): %m", pwd->pw_gid);
+ return (0);
++ }
++ if (setgroups(ngroups, (const gid_t *)groups)) {
++ syslog(LOG_WARNING, "setgroups failed: %m");
+ }
+ if (setuid(pwd->pw_uid)) {
+ syslog(LOG_ERR, "setuid(%d): %m", pwd->pw_uid);
+
+--ikeVEW9yuYc//A+q--
+
diff --git a/security/chrootuid/files/patch-ad b/security/chrootuid/files/patch-ad
new file mode 100644
index 000000000000..f1e08ba02f6e
--- /dev/null
+++ b/security/chrootuid/files/patch-ad
@@ -0,0 +1,11 @@
+--- Makefile.orig Wed Jun 21 03:47:29 2000
++++ Makefile Wed Jun 21 03:48:17 2000
+@@ -6,7 +6,7 @@
+ all: chrootuid chrootuid.1
+
+ chrootuid: chrootuid.c
+- $(CC) $(CFLAGS) -o $@ $?
++ $(CC) $(CFLAGS) -DUSE_SYSCTL -o $@ $?
+
+ #chrootuid.1: chrootuid.c
+# srctoman $? >$@
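Review bot: In patch-ac, the `setgroups()` failure branch added by the last chrootuid.c hunk (`@@ -94,6 +134,9 @@`) only logs at LOG_WARNING and falls through to `setuid()`, so on failure the command may run as the target user while still holding whatever supplementary groups the invoking process had. The neighbouring `setgid()` and `setuid()` failures log LOG_ERR and return, and this branch should fail closed the same way: `syslog(LOG_ERR, "setgroups failed: %m"); return (0);`. The `getgrouplist()` branch in the `@@ -83,6 +99,30 @@` hunk also continues after a warning, presumably with a truncated list; if that is deliberate, a comment such as `/* a short list only drops groups, so continue */` would make the intent clear. main() continues beyond these hunks, so the exec path is not visible here.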