[nsd-users] nsd-3.2.2 and initgroups ?

Noa Resare noa at resare.com
Thu Aug 6 13:32:55 UTC 2009


I don't have access to any nonlinux boxes, but it seems like unbound  
has fixed this very problem in a way that is at least somewhat more  
portable:

More info at: http://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=250

/noa

6 aug 2009 kl. 15.24 skrev Matthijs Mekking:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi Jarno,
>
> First of all, sorry for not replying the original message.
>
> The problem with initgroups is that it is only available if  
> _BSD_SOURCE_
> is defined. So, it is not very portable. I am not sure if there is a
> easy portable fix that would also do the job...
>
> Best regards,
>
> Matthijs Mekking
> NLnet Labs
>
> Jarno Huuskonen wrote:
>> I originally sent this to nsd-bugs at nlnetlabs.nl on 22.6.2009, but  
>> never
>> received a reply.
>>
>> -----------------------------------
>>
>> I was testing nsd-3.2.2 and noticed that when dropping root
>> privileges nsd doesn't call initgroups (or setgroups).
>>
>> On typical Linux distro (I'm testing with CentOS 5.3) this
>> means that nsd retains extra groups
>> (with CentOS groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk), 
>> 10(wheel)).
>>
>> Here's a small patch that I made:
>> diff -urN nsd-3.2.2.orig/server.c nsd-3.2.2/server.c
>> --- nsd-3.2.2.orig/server.c     2009-04-03 14:56:43.000000000 +0300
>> +++ nsd-3.2.2/server.c  2009-06-22 13:11:03.000000000 +0300
>> @@ -21,6 +21,7 @@
>> #include <ctype.h>
>> #include <errno.h>
>> #include <fcntl.h>
>> +#include <grp.h>
>> #include <stddef.h>
>> #include <stdio.h>
>> #include <stdlib.h>
>> @@ -533,7 +534,7 @@
>>        }
>>
>>        /* Drop the permissions */
>> -       if (setgid(nsd->gid) != 0 || setuid(nsd->uid) !=0) {
>> +       if (initgroups(nsd->username, nsd->gid) != 0 || setgid(nsd- 
>> >gid) != 0 || setuid(nsd->uid) !=0) {
>>                log_msg(LOG_ERR, "unable to drop user privileges: %s",
>>                        strerror(errno));
>>                pid_unlink(nsd->pidfile);
>>
>>
>> Note: I haven't tested the patch (other than checking that
>> nsd starts and drops the extra groups).
>>
>> -Jarno
>>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iQEcBAEBAgAGBQJKetmYAAoJEA8yVCPsQCW5kEEH/A2vp1lpRyJ93hflYBFBFJMz
> PZK4mzLlLgmUX3Zqe+c0ZE2Bk6CVtaoooHY1QG6uJraqBWY6fCXO8b23HgHO0zMu
> e6y0i2fozuWGVFpXHSZp4/krzeqt8xNCnPWE72S/CUxsSGNxFYs3t4PRCnBi/VZI
> HyImumCxa9MBpcsT05diPbK1LGoCfRTTZI6pqdlYQMecKTiqRCyHnqBJdVRPCQjI
> lGnHDCa4SDOjkLVPOX6vBCJcN6PCNOpWVYTGwrxrHlFd4QtmCMITjXtB9i0Urs8m
> Ngvkax+saSyiSB1OzVCr4G1iqni2uu3SZw6ZFg2XooL2ZESRwwmcIXmso/a3C9s=
> =27iG
> -----END PGP SIGNATURE-----
> _______________________________________________
> nsd-users mailing list
> nsd-users at NLnetLabs.nl
> http://open.nlnetlabs.nl/mailman/listinfo/nsd-users




More information about the nsd-users mailing list