Hello,

Well Martin turned out to be right.  The order of the code in the previous 
patch that I send did not at all work on Linux.  I still think this must be 
Linux bug, but I also don't think that Linus is going to agree :-)

This time I have tested the patch here. I don't know why such simple things 
should be so complicated, because it is virtually impossible to guarantee 
that it works correctly.  

However, I am fairly confident that this new code will solve (or at least 
begin solving) the access problems we have been seeing when users run the Dir 
and SD as less privileged users/groups.

Feedback would be welcome.

Best regards,

Kern
  This patch will hopefully solve the problem of the group not
  being correctly initialized when a Bacula daemon does a drop to
  a new userid or a new groupid.

  It can be applied to most all versions of 1.38.x but in particular
  1.38.11 with the following:

  cd <bacula-source>
  patch -p0 <1.38.11-drop-2.patch
  make
  make install
  ...

Index: src/lib/bsys.c
===================================================================
RCS file: /cvsroot/bacula/bacula/src/lib/bsys.c,v
retrieving revision 1.42.2.4
diff -u -u -b -r1.42.2.4 bsys.c
--- src/lib/bsys.c	22 Dec 2005 21:35:24 -0000	1.42.2.4
+++ src/lib/bsys.c	8 Jul 2006 07:59:22 -0000
@@ -8,7 +8,7 @@
  *   Version $Id: bsys.c,v 1.42.2.4 2005/12/22 21:35:24 kerns Exp $
  */
 /*
-   Copyright (C) 2000-2005 Kern Sibbald
+   Copyright (C) 2000-2006 Kern Sibbald
 
    This program is free software; you can redistribute it and/or
    modify it under the terms of the GNU General Public License
@@ -600,38 +600,65 @@
 /*
  * Drop to privilege new userid and new gid if non-NULL
  */
-void drop(char *uid, char *gid)
+void drop(char *uname, char *gname)
 {
-#ifdef HAVE_GRP_H
-   if (gid) {
-      struct group *group;
-      gid_t gr_list[1];
+#if   defined(HAVE_PWD_H) && defined(HAVE_GRP_H)
+   struct passwd *passw = NULL;
+   struct group *group = NULL;
+   gid_t gid;
 
-      if ((group = getgrnam(gid)) == NULL) {
-         Emsg1(M_ERROR_TERM, 0, _("Could not find specified group: %s\n"), gid);
+   Dmsg2(900, "uname=%s gname=%s\n", uname?uname:"NONE", gname?gname:"NONE");
+   if (!uname && !gname) {
+      return;                            /* Nothing to do */
       }
-      if (setgid(group->gr_gid)) {
-         Emsg1(M_ERROR_TERM, 0, _("Could not set specified group: %s\n"), gid);
+
+   if (uname) {
+      if ((passw = getpwnam(uname)) == NULL) {
+         berrno be;
+         Emsg2(M_ERROR_TERM, 0, _("Could not find userid=%s: ERR=%s\n"), uname,
+            be.strerror());
       }
-      gr_list[0] = group->gr_gid;
-      if (setgroups(1, gr_list)) {
-         Emsg1(M_ERROR_TERM, 0, _("Could not set specified group: %s\n"), gid);
+   } else {
+      if ((passw = getpwuid(getuid())) == NULL) {
+         berrno be;
+         Emsg1(M_ERROR_TERM, 0, _("Could not find password entry. ERR=%s\n"),
+            be.strerror());
+      } else {
+         uname = passw->pw_name;
       }
    }
-#endif
-
-#ifdef HAVE_PWD_H
-   if (uid) {
-      struct passwd *passw;
-      if ((passw = getpwnam(uid)) == NULL) {
-         Emsg1(M_ERROR_TERM, 0, _("Could not find specified userid: %s\n"), uid);
+   if (gname) {
+      if ((group = getgrnam(gname)) == NULL) {
+         berrno be;
+         Emsg2(M_ERROR_TERM, 0, _("Could not find group=%s: ERR=%s\n"), gname,
+            be.strerror());
+      }
+      gid = group->gr_gid;
+   } else {
+      gid = passw->pw_gid;
+   }
+   if (initgroups(passw->pw_name, passw->pw_gid)) {
+      berrno be;
+      if (gname) {
+         Emsg3(M_ERROR_TERM, 0, _("Could not initgroups for group=%s, userid=%s: ERR=%s\n"),         
+            gname, uname, be.strerror());
+      } else {
+         Emsg2(M_ERROR_TERM, 0, _("Could not initgroups for userid=%s: ERR=%s\n"),         
+            uname, be.strerror());
+      }
+   }
+   if (gname) {
+      if (setgid(group->gr_gid)) {
+         berrno be;
+         Emsg2(M_ERROR_TERM, 0, _("Could not set group=%s: ERR=%s\n"), gname,
+            be.strerror());
       }
-      if (setuid(passw->pw_uid)) {
-         Emsg1(M_ERROR_TERM, 0, _("Could not set specified userid: %s\n"), uid);
       }
+   if (setuid(passw->pw_uid)) {
+      berrno be;
+      Emsg1(M_ERROR_TERM, 0, _("Could not set specified userid: %s\n"), uname);
    }
 #endif
-
 }
 
 
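Review bot: When only a user name is supplied, the new drop() never calls setgid(), because the call sits inside the second `if (gname)` block; the process then changes uid but keeps the primary group it was started with (presumably root's when the daemon starts as root). The local `gid` is assigned in both branches for exactly this case and then never read. Calling `if (setgid(gid)) {` unconditionally, before setuid(), and passing the same value as `initgroups(passw->pw_name, gid)` would make the group drop complete whether or not a group name is given. The setuid() failure path also declares `berrno be` but does not print `be.strerror()`, unlike every other error path in the hunk. Since the cover letter doubts how the platform behaves here, a read-back of getuid()/getgid() and their effective counterparts after the drop, terminating on mismatch, would turn an incomplete drop into a visible startup error.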