1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
|
From: Timo Teräs <timo.teras@iki.fi>
Fix setre[gu]id handling for musl. The libc calls work per POSIX definition
and change the process values (including all threads). Remove the per-thread
hacks. This fixes a race condition that created thread calls first setreuid()
causing the setgroups() call in the main thread to fail with -EPERM.
diff -ru fprobe-ulog-1.2.orig/src/fprobe-ulog.c fprobe-ulog-1.2/src/fprobe-ulog.c
--- fprobe-ulog-1.2.orig/src/fprobe-ulog.c 2015-06-01 08:48:25.858651393 -0300
+++ fprobe-ulog-1.2/src/fprobe-ulog.c 2015-06-01 08:49:07.645734248 -0300
@@ -622,18 +622,6 @@
return p;
}
-void setuser() {
- /*
- Workaround for clone()-based threads
- Try to change EUID independently of main thread
- */
- if (pw) {
- setgroups(0, NULL);
- setregid(pw->pw_gid, pw->pw_gid);
- setreuid(pw->pw_uid, pw->pw_uid);
- }
-}
-
void *emit_thread()
{
struct Flow *flow;
@@ -645,8 +633,6 @@
p = (void *) &emit_packet + netflow->HeaderSize;
timeout.tv_nsec = 0;
- setuser();
-
for (;;) {
pthread_mutex_lock(&emit_mutex);
while (!flows_emit) {
@@ -733,8 +719,6 @@
char logbuf[256];
#endif
- setuser();
-
timeout.tv_nsec = 0;
pthread_mutex_lock(&unpending_mutex);
@@ -780,8 +764,6 @@
struct Time now;
struct timespec timeout;
- setuser();
-
timeout.tv_nsec = 0;
pthread_mutex_lock(&scan_mutex);
@@ -876,8 +858,6 @@
char logbuf[256];
#endif
- setuser();
-
while (!killed) {
len = ipulog_read(ulog_handle, cap_buf, CAPTURE_SIZE, 1);
if (len <= 0) {
@@ -1386,6 +1366,21 @@
}
}
+ if (pw) {
+ if (setgroups(0, NULL)) {
+ my_log(LOG_CRIT, "setgroups(): %s", strerror(errno));
+ exit(1);
+ }
+ if (setregid(pw->pw_gid, pw->pw_gid)) {
+ my_log(LOG_CRIT, "setregid(%u): %s", pw->pw_gid, strerror(errno));
+ exit(1);
+ }
+ if (setreuid(pw->pw_uid, pw->pw_uid)) {
+ my_log(LOG_CRIT, "setreuid(%u): %s", pw->pw_uid, strerror(errno));
+ exit(1);
+ }
+ }
+
schedp.sched_priority = schedp.sched_priority - THREADS + 2;
pthread_attr_init(&tattr);
for (i = 0; i < THREADS - 1; i++) {
@@ -1404,21 +1399,6 @@
schedp.sched_priority++;
}
- if (pw) {
- if (setgroups(0, NULL)) {
- my_log(LOG_CRIT, "setgroups(): %s", strerror(errno));
- exit(1);
- }
- if (setregid(pw->pw_gid, pw->pw_gid)) {
- my_log(LOG_CRIT, "setregid(%u): %s", pw->pw_gid, strerror(errno));
- exit(1);
- }
- if (setreuid(pw->pw_uid, pw->pw_uid)) {
- my_log(LOG_CRIT, "setreuid(%u): %s", pw->pw_uid, strerror(errno));
- exit(1);
- }
- }
-
my_log(LOG_INFO, "pid: %d", pid);
my_log(LOG_INFO, "options: u=%u s=%u g=%u d=%u e=%u n=%u a=%s "
"M=%d b=%u m=%u q=%u B=%u r=%u t=%u:%u c=%s u=%s v=%u l=%u%s",
|
