Diffstat (limited to 'src/libstrongswan/utils')
-rw-r--r-- | src/libstrongswan/utils/capabilities.c | 38 | ||||
-rw-r--r-- | src/libstrongswan/utils/chunk.h | 5 | ||||
-rw-r--r-- | src/libstrongswan/utils/utils.c | 10 | ||||
-rw-r--r-- | src/libstrongswan/utils/utils.h | 5 |
4 files changed, 56 insertions, 2 deletions
diff --git a/src/libstrongswan/utils/capabilities.c b/src/libstrongswan/utils/capabilities.c
index c36a76efe..44a14496c 100644
--- a/src/libstrongswan/utils/capabilities.c
+++ b/src/libstrongswan/utils/capabilities.c
@@ -29,7 +29,9 @@
 #include <utils/debug.h>
-#if !defined(HAVE_GETPWNAM_R) || !defined(HAVE_GETGRNAM_R)
+#if !defined(HAVE_GETPWNAM_R) || \
+ !defined(HAVE_GETGRNAM_R) || \
+ !defined(HAVE_GETPWUID_R)
 # include <threading/mutex.h>
 # define EMULATE_R_FUNCS
 #endif
@@ -188,6 +190,34 @@ METHOD(capabilities_t, resolve_gid, bool,
 return FALSE;
 }
+/**
+ * Initialize supplementary groups for unprivileged user
+ */
+static bool init_supplementary_groups(private_capabilities_t *this)
+{
+ struct passwd *pwp;
+ int res = -1;
+
+#ifdef HAVE_GETPWUID_R
+ struct passwd pwd;
+ char buf[1024];
+
+ if (getpwuid_r(this->uid, &pwd, buf, sizeof(buf), &pwp) == 0 && pwp)
+ {
+ res = initgroups(pwp->pw_name, this->gid);
+ }
+#else /* HAVE_GETPWUID_R */
+ this->mutex->lock(this->mutex);
+ pwp = getpwuid(this->uid);
+ if (pwp)
+ {
+ res = initgroups(pwp->pw_name, this->gid);
+ }
+ this->mutex->unlock(this->mutex);
+#endif /* HAVE_GETPWUID_R */
+ return res == 0;
+}
+
 METHOD(capabilities_t, drop, bool,
 private_capabilities_t *this)
 {
@@ -195,6 +225,12 @@ METHOD(capabilities_t, drop, bool,
 prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0);
 #endif
+ if (!init_supplementary_groups(this))
+ {
+ DBG1(DBG_LIB, "initializing supplementary groups for %u failed",
+ this->uid);
+ return FALSE;
+ }
 if (this->gid && setgid(this->gid) != 0)
 {
 DBG1(DBG_LIB, "change to unprivileged group %u failed: %s",
diff --git a/src/libstrongswan/utils/chunk.h b/src/libstrongswan/utils/chunk.h
index 67848eec1..bc14b7394 100644
--- a/src/libstrongswan/utils/chunk.h
+++ b/src/libstrongswan/utils/chunk.h
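Review bot: In init_supplementary_groups() (capabilities.c, hunk at -188), the getpwuid_r() branch uses a fixed `char buf[1024]`, so an account whose passwd entry does not fit makes the call return ERANGE and the helper report failure. The effect is fail-closed, since drop() then returns FALSE, but the process would refuse to drop privileges for a valid account and give no hint why. Growing the buffer and retrying on ERANGE, as sketched below, avoids that. The sketch assumes realloc()/free() and ERANGE are already declared in this file, which the hunk does not show.

```c
#ifdef HAVE_GETPWUID_R
	struct passwd pwd;
	size_t buflen = 1024;
	char *buf = NULL, *grown;
	int err;

	/* getpwuid_r() reports ERANGE when the entry does not fit: grow and retry */
	do
	{
		grown = realloc(buf, buflen);
		if (!grown)
		{
			break;
		}
		buf = grown;
		err = getpwuid_r(this->uid, &pwd, buf, buflen, &pwp);
		buflen *= 2;
	}
	while (err == ERANGE && buflen <= 64 * 1024);

	/* pw_name points into buf, so use it before the buffer is released */
	if (grown && err == 0 && pwp)
	{
		res = initgroups(pwp->pw_name, this->gid);
	}
	free(buf);
#else /* HAVE_GETPWUID_R */
	/* … unchanged: mutex-protected getpwuid() fallback … */
```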
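Review bot: In drop() (capabilities.c, hunk at -195), the new init_supplementary_groups() call runs unconditionally, while the setgid() right below it is guarded by `this->gid &&`. If no user was configured and this->uid is still 0 (presumably the default; its initialisation is outside this diff), the helper looks up uid 0 and calls initgroups(), which fails for a process that is not permitted to change its groups, so drop() would return FALSE where it previously had nothing to do. Guarding the call like its neighbour, `if (this->uid && !init_supplementary_groups(this))`, keeps the fix for configured users without that regression. The log line could also carry the reason as the setgid message does with `%s`, though errno is only meaningful when initgroups() itself failed. The body of drop() continues outside the hunk.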
@@ -191,6 +191,11 @@ static inline void chunk_clear(chunk_t *chunk)
 #define chunk_from_thing(thing) chunk_create((char*)&(thing), sizeof(thing))
 /**
+ * Initialize a chunk from a static string, not containing 0-terminator
+ */
+#define chunk_from_str(str) chunk_create(str, strlen(str))
+
+/**
 * Allocate a chunk on the heap
 */
 #define chunk_alloc(bytes) ({size_t x = (bytes); chunk_create(x ? malloc(x) : NULL, x);})
diff --git a/src/libstrongswan/utils/utils.c b/src/libstrongswan/utils/utils.c
index bf0224c5f..0850df9bc 100644
--- a/src/libstrongswan/utils/utils.c
+++ b/src/libstrongswan/utils/utils.c
@@ -387,6 +387,14 @@ status_t return_failed()
 }
 /**
+ * returns SUCCESS
+ */
+status_t return_success()
+{
+ return SUCCESS;
+}
+
+/**
 * nop operation
 */
 void nop()
@@ -460,7 +468,7 @@ int time_printf_hook(printf_hook_data_t *data, printf_hook_spec_t *spec,
 bool utc = *((bool*)(args[1]));;
 struct tm t;
- if (time == UNDEFINED_TIME)
+ if (*time == UNDEFINED_TIME)
 {
 return print_in_hook(data, "--- -- --:--:--%s----",
 utc ? " UTC " : " ");
diff --git a/src/libstrongswan/utils/utils.h b/src/libstrongswan/utils/utils.h
index 7b1beb93a..6c24a261f 100644
--- a/src/libstrongswan/utils/utils.h
+++ b/src/libstrongswan/utils/utils.h
@@ -496,6 +496,11 @@ bool return_false();
 status_t return_failed();
 /**
+ * returns SUCCESS
+ */
+status_t return_success();
+
+/**
 * Write a 16-bit host order value in network order to an unaligned address.
 *
 * @param host host order 16-bit value |
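Review bot: The new chunk_from_str() macro in chunk.h expands `str` twice and unparenthesized, so an argument that is a function call or has side effects is evaluated twice. The chunk_alloc() macro directly below already uses a statement expression to evaluate its argument once, and the same form works here: `#define chunk_from_str(str) ({char *x = (str); chunk_create(x, strlen(x));})`. The doc comment should also state that the chunk appears to wrap the caller's pointer rather than copy the string (chunk_create is handed `str` itself), so the chunk must not outlive the string or be handed to a helper that frees or clears its data.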