Martin Simmons wrote:
>>>>>>On Sat, 8 Jul 2006 10:09:02 +0200, Kern Sibbald said:
>>
>>Hello,
>>
>>Well Martin turned out to be right.  The order of the code in the previous 
>>patch that I sent did not work at all on Linux.  I still think this must be a 
>>Linux bug, but I also don't think that Linus is going to agree :-)

Well all OSes I know of (FreeBSD, SunOS, Linux, IRIX) require root for this
call to succeed. I'm pretty sure this is a POSIX requirement.

>>This time I have tested the patch here. I don't know why such simple things 
>>should be so complicated, because it is virtually impossible to guarantee 
>>that it works correctly.  
>>
>>However, I am fairly confident that this new code will solve (or at least 
>>begin solving) the access problems we have been seeing when users run the Dir 
>>and SD as less privileged users/groups.
>>
>>Feedback would be welcome.
> 
> 
> It doesn't quite work (on FreeBSD 4.9 at least).  The problem is that the
> static pointer returned by getgrnam() is corrupted by the call to initgroups()
> and hence the call to setgid() sets the wrong group.

Same is true for 5.4, not sure about 6.x

At least this is documented in initgroups(3):

BUGS
      The getgrouplist() function called by initgroups() uses the routines
      based on getgrent(3).  If the invoking program uses any of these rou-
      tines, the group structure will be overwritten in the call to
      initgroups().


> Maybe you want to use the variable gid? :-)
> 
> Index: src/lib/bsys.c
> ===================================================================
> RCS file: /cvsroot/bacula/bacula/src/lib/bsys.c,v
> retrieving revision 1.54
> diff -u -r1.54 bsys.c
> --- src/lib/bsys.c    8 Jul 2006 07:57:45 -0000       1.54
> +++ src/lib/bsys.c    10 Jul 2006 17:00:00 -0000
> @@ -652,7 +652,7 @@
>     } else {
>        gid = passw->pw_gid;
>     }
> -   if (initgroups(passw->pw_name, passw->pw_gid)) {
> +   if (initgroups(passw->pw_name, gid)) {
>        berrno be;
>        if (gname) {
>           Emsg3(M_ERROR_TERM, 0, _("Could not initgroups for group=%s, 
> userid=%s: ERR=%s\n"),         
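Review bot: The `initgroups(passw->pw_name, gid)` line needs a comment saying that `gid` is a saved copy and must be used here instead of anything read through the getgrnam() result, since the initgroups(3) BUGS text quoted in this thread says the group structure is overwritten by this call. Without that note a later cleanup could easily reintroduce `group->gr_gid`. The assignment to `gid` on the `gname` path sits above the visible context, so please confirm it is made before this call and not after it.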
> @@ -663,7 +663,7 @@
>        }
>     }
>     if (gname) {
> -      if (setgid(group->gr_gid)) {
> +      if (setgid(gid)) {
>           berrno be;
>           Emsg2(M_ERROR_TERM, 0, _("Could not set group=%s: ERR=%s\n"), gname,
>              be.strerror());
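Review bot: `setgid(gid)` is still guarded by `if (gname)`, although the first hunk shows `gid` is also set (to `passw->pw_gid`) when no group name is given. If nothing outside this hunk sets the gid on that path, a daemon started with only a user name keeps its original primary group after the uid changes; consider calling `setgid(gid)` unconditionally and keeping the `gname` test only for choosing the error message.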
> 
> 
> __Martin
> 
> 
> -------------------------------------------------------------------------
> Using Tomcat but need to do more? Need to support web services, security?
> Get stuff done quickly with pre-integrated technology to make your job easier
> Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
> http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
> _______________________________________________
> Bacula-devel mailing list
> [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/bacula-devel
> 
> 



_______________________________________________
Bacula-users mailing list
Bacula-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-users
