[nsd-users] nsd-3.2.2 and initgroups ?

Matthijs Mekking matthijs at NLnetLabs.nl
Thu Aug 6 13:24:42 UTC 2009


Hi Jarno,

First of all, sorry for not replying to the original message.

The problem with initgroups is that it is only available if _BSD_SOURCE_
is defined. So, it is not very portable. I am not sure if there is an
easy portable fix that would also do the job...

Best regards,

Matthijs Mekking
NLnet Labs

Jarno Huuskonen wrote:
> I originally sent this to nsd-bugs at nlnetlabs.nl on 22.6.2009, but never
> received a reply.
> 
> -----------------------------------
> 
> I was testing nsd-3.2.2 and noticed that when dropping root
> privileges nsd doesn't call initgroups (or setgroups).
> 
> On a typical Linux distro (I'm testing with CentOS 5.3) this
> means that nsd retains extra groups
> (with CentOS groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)).
> 
> Here's a small patch that I made:
> diff -urN nsd-3.2.2.orig/server.c nsd-3.2.2/server.c
> --- nsd-3.2.2.orig/server.c     2009-04-03 14:56:43.000000000 +0300
> +++ nsd-3.2.2/server.c  2009-06-22 13:11:03.000000000 +0300
> @@ -21,6 +21,7 @@
>  #include <ctype.h>
>  #include <errno.h>
>  #include <fcntl.h>
> +#include <grp.h>
>  #include <stddef.h>
>  #include <stdio.h>
>  #include <stdlib.h>
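Review bot: the added #include <grp.h> is unconditional, while the reply in this thread says initgroups is not available on every platform. Guarding both this include and the initgroups call behind a build-time feature check would keep the tree compiling where it is missing.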
> @@ -533,7 +534,7 @@
>         }
>  
>         /* Drop the permissions */
> -       if (setgid(nsd->gid) != 0 || setuid(nsd->uid) !=0) {
> +       if (initgroups(nsd->username, nsd->gid) != 0 || setgid(nsd->gid) != 0 || setuid(nsd->uid) !=0) {
>                 log_msg(LOG_ERR, "unable to drop user privileges: %s",
>                         strerror(errno));
>                 pid_unlink(nsd->pidfile);
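Review bot: on the changed if line, initgroups, setgid and setuid share one log message, so a failure does not say which of the three calls failed; splitting the condition would fix that and bring the line back under 80 columns. The order itself is right, since the supplementary group list has to be reset before setuid gives up the privilege needed to change it. It is also worth confirming that nsd->username is always a non-NULL login name at this point, because initgroups takes a user name rather than a uid.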
> 
> 
> Note: I haven't tested the patch (other than checking that
> nsd starts and drops the extra groups).
> 
> -Jarno
> 

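One way to check a running daemon for the condition Jarno describes, as an added example that is not from this thread or from NSD: it parses a Linux /proc/<pid>/status snapshot and counts the supplementary groups a non-root process still holds beyond its effective gid. The two snapshots are constructed, uid 101 and gid 102 are made-up values, and the check assumes the service account has no supplementary group memberships of its own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not NSD code. Constructed /proc/<pid>/status snapshots with
 * made-up ids (uid 101, gid 102): UNPATCHED kept the root shell's groups after
 * setgid()+setuid(); PATCHED called initgroups() first. */
static const char UNPATCHED[] = "Name:\tnsd\nUid:\t101\t101\t101\t101\n"
    "Gid:\t102\t102\t102\t102\nGroups:\t0 1 2 3 4 6 10 \n";
static const char PATCHED[] = "Name:\tnsd\nUid:\t101\t101\t101\t101\n"
    "Gid:\t102\t102\t102\t102\nGroups:\t102 \n";

/* Effective id = second column of a "Uid:" or "Gid:" line; -1 if absent. */
static long effective_id(const char *status, const char *key)
{
    const char *line = strstr(status, key);
    long eff;
    if (line == NULL || sscanf(line + strlen(key), "%*d %ld", &eff) != 1)
        return -1;
    return eff;
}

/* Groups beyond the effective gid held by a non-root process; -1 = bad input. */
int retained_groups(const char *status)
{
    long euid = effective_id(status, "\nUid:");
    long egid = effective_id(status, "\nGid:");
    const char *p = strstr(status, "\nGroups:");
    char *end = NULL;
    int count = 0;
    if (euid < 0 || egid < 0 || p == NULL)
        return -1;
    if (euid == 0)
        return 0;               /* still root: privileges were never dropped */
    for (p += strlen("\nGroups:"); ; p = end) {
        p += strspn(p, " \t");
        if (*p < '0' || *p > '9')
            break;              /* end of the Groups line */
        if (strtol(p, &end, 10) != egid)
            count++;
    }
    return count;
}

int main(void)
{
    printf("%d %d\n", retained_groups(UNPATCHED), retained_groups(PATCHED));
    return 0;
}
```

To audit a live process, read /proc/<pid>/status into a buffer and pass it to retained_groups(); a non-zero result for a daemon account is worth comparing against that account's expected memberships.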
