Forum: Cfengine Help
Subject: Re: can not execute a user-only and non-root executable
Author: santa
Link to topic: https://cfengine.com/forum/read.php?3,21010,21053#msg-21053
> From my point of view, cf-agent launched as root should be able to execute any
> script/binary which has the executable flag.
I've traced what happens: in src/unix.c of cfengine 3.1.4,
function int Unix_IsExecutable(char *file)
=>
    ...
    if (getuid() == sb.st_uid)            /* => same uid between cf-agent owner and file owner */
    {
        ...
    }
    else if (getgid() == sb.st_gid)       /* => same gid between cf-agent's group and the file's group */
    {
        ...
        if (sb.st_mode & 0010)            /* => I think: exec flag set on group */
        {
            return true;
        }
    }
    else
    {
        if (sb.st_mode & 0001)            /* => I think: exec flag set on other */
        {
            return true;
        }
        if ((n = getgroups(NGROUPS, grps)) > 0)
        {
            for (i = 0; i < n; i++)
            {
                if (grps[i] == sb.st_gid) /* => I think: loop on the supplementary groups of the user that launched cf-agent */
                {
                    if (sb.st_mode & 0010) /* => I think: exec flag set on group */
                    {
                        return true;
                    }
                }
            }
        }
    }
    return false;   /* => I think: no right to execute the cf3 command if the owner of the file != the user
                       that launched cf-agent and there is no x bit on group or other */
}
Why is there no exception for root, like:
    if (getuid() == 0) { return true; }
before:
    if (getuid() == sb.st_uid)
?
_______________________________________________
Help-cfengine mailing list
[email protected]
https://cfengine.org/mailman/listinfo/help-cfengine