Project

General

Profile

spawn-fcgi-allow-uids.patch

new patch, old one got broken by [2010] - hoffie, 2007-11-29 21:21

View differences:

src/spawn-fcgi.c (working copy)
408 408
	if (i_am_root) {
409 409
		struct group *grp = NULL;
410 410
		struct passwd *pwd = NULL;
411
		unsigned int uid = 0;
412
		unsigned int gid = 0;
411 413

  
412 414
		/* set user and group */
413 415

  
414 416
		if (username) {
415
			if (NULL == (pwd = getpwnam(username))) {
416
				fprintf(stderr, "%s.%d: %s, %s\n",
417
					__FILE__, __LINE__,
418
					"can't find username", username);
419
				return -1;
417
			/* do we already have an id? */
418
			if (sscanf(username, "%u", &uid) == 1) {
419
				username = NULL;
420
				if (!groupname) {
421
					fprintf(stderr, "%s.%d: %s\n",
422
						__FILE__, __LINE__,
423
						"passing a uid also requires passing a groupname/gid\n");
424
					return -1;
425
				}
426
			} else {
427
				if (NULL == (pwd = getpwnam(username))) {
428
					fprintf(stderr, "%s.%d: %s, %s\n",
429
						__FILE__, __LINE__,
430
						"can't find username", username);
431
					return -1;
432
				}
433
				uid = pwd->pw_uid;
420 434
			}
421

  
422
			if (pwd->pw_uid == 0) {
423
				fprintf(stderr, "%s.%d: %s\n",
424
					__FILE__, __LINE__,
425
					"I will not set uid to 0\n");
426
				return -1;
427
			}
435
 		}
436
		if (uid == 0) {
437
			fprintf(stderr, "%s.%d: %s\n",
438
				__FILE__, __LINE__,
439
				"I will not set uid to 0\n");
440
			return -1;
428 441
		}
429

  
442
 
430 443
		if (groupname) {
431
			if (NULL == (grp = getgrnam(groupname))) {
432
				fprintf(stderr, "%s.%d: %s %s\n",
433
					__FILE__, __LINE__,
434
					"can't find groupname",
435
					groupname);
436
				return -1;
444
			/* do we already have an id? */
445
			if (sscanf(groupname, "%u", &gid) == 1) {
446
				groupname = NULL;
447
			} else {
448
				if (NULL == (grp = getgrnam(groupname))) {
449
					fprintf(stderr, "%s.%d: %s %s\n",
450
						__FILE__, __LINE__,
451
						"can't find groupname",
452
						groupname);
453
					return -1;
454
				}
455
				gid = grp->gr_gid;
437 456
			}
438
			if (grp->gr_gid == 0) {
439
				fprintf(stderr, "%s.%d: %s\n",
440
					__FILE__, __LINE__,
441
					"I will not set gid to 0\n");
442
				return -1;
443
			}
457
		}
444 458

  
445
			/* do the change before we do the chroot() */
446
			setgid(grp->gr_gid);
447
			setgroups(0, NULL); 
448

  
449
			if (username) {
450
				initgroups(username, grp->gr_gid);
451
			}
452

  
459
		if (gid == 0) {
460
			fprintf(stderr, "%s.%d: %s\n",
461
				__FILE__, __LINE__,
462
				"I will not set gid to 0\n");
463
			return -1;
453 464
		}
454

  
465
 
455 466
		if (changeroot) {
456 467
			if (-1 == chroot(changeroot)) {
457 468
				fprintf(stderr, "%s.%d: %s %s\n",
......
468 479
		}
469 480

  
470 481
		/* drop root privs */
471
		if (username) {
472
			setuid(pwd->pw_uid);
482
		if (gid) {
483
			setgid(gid);
484
  		}
485
		if (uid) {
486
			if (gid) {
487
				if (username) {
488
					initgroups(username, gid);
489
				} else {
490
					setgroups(0, (const gid_t*)NULL);
491
				}
492
  			}
493
			setuid(uid);
473 494
		}
474 495
	}
475

  
476
       return fcgi_spawn_connection(fcgi_app, fcgi_app_argv, addr, port, unixsocket, fork_count, child_count, pid_fd, nofork);
496
	return fcgi_spawn_connection(fcgi_app, fcgi_app_argv, addr, port, unixsocket, fork_count, child_count, pid_fd, nofork);
477 497
}
478 498
#else
479 499
int main() {