[nsd-users] nsd-3.2.2 and initgroups ?

Jarno Huuskonen Jarno.Huuskonen at uku.fi
Mon Aug 10 08:04:13 CEST 2009


Hi,

On Thu, Aug 06, Noa Resare wrote:
> I don't have access to any non-Linux boxes, but it seems like unbound
> has fixed this very problem in a way that is at least somewhat more
> portable:
> 
> More info at: http://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=250

Something like that would probably be sufficient?

-Jarno

> /noa
> 
> On 6 Aug 2009, at 15.24, Matthijs Mekking wrote:
> 
> >
> > Hi Jarno,
> >
> > First of all, sorry for not replying to the original message.
> >
> > The problem with initgroups is that it is only available if _BSD_SOURCE_
> > is defined. So, it is not very portable. I am not sure if there is an
> > easy portable fix that would also do the job...
> >
> > Best regards,
> >
> > Matthijs Mekking
> > NLnet Labs
> >
> > Jarno Huuskonen wrote:
> >> I originally sent this to nsd-bugs at nlnetlabs.nl on 22.6.2009, but
> >> never received a reply.
> >>
> >> -----------------------------------
> >>
> >> I was testing nsd-3.2.2 and noticed that when dropping root
> >> privileges nsd doesn't call initgroups (or setgroups).
> >>
> >> On a typical Linux distro (I'm testing with CentOS 5.3) this
> >> means that nsd retains extra groups
> >> (with CentOS groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)).
> >>
> >> Here's a small patch that I made:
> >> diff -urN nsd-3.2.2.orig/server.c nsd-3.2.2/server.c
> >> --- nsd-3.2.2.orig/server.c     2009-04-03 14:56:43.000000000 +0300
> >> +++ nsd-3.2.2/server.c  2009-06-22 13:11:03.000000000 +0300
> >> @@ -21,6 +21,7 @@
> >> #include <ctype.h>
> >> #include <errno.h>
> >> #include <fcntl.h>
> >> +#include <grp.h>
> >> #include <stddef.h>
> >> #include <stdio.h>
> >> #include <stdlib.h>
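Review bot: the new #include <grp.h> only declares initgroups() when the right feature-test macro is in effect (on glibc it needs _BSD_SOURCE, as Matthijs points out below), so on other platforms this either compiles against an implicit declaration or fails outright. Gate it on a configure-time check (an AC_CHECK_FUNCS test for initgroups) so the build can fall back to setgroups() where initgroups() is not available.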
> >> @@ -533,7 +534,7 @@
> >>        }
> >>
> >>        /* Drop the permissions */
> >> -       if (setgid(nsd->gid) != 0 || setuid(nsd->uid) !=0) {
> >> +       if (initgroups(nsd->username, nsd->gid) != 0 || setgid(nsd- 
> >> >gid) != 0 || setuid(nsd->uid) !=0) {
> >>                log_msg(LOG_ERR, "unable to drop user privileges: %s",
> >>                        strerror(errno));
> >>                pid_unlink(nsd->pidfile);
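Review bot: the ordering is right (initgroups() needs root, so it has to run before setgid()/setuid()), but the new condition has no path for platforms without initgroups(); add an #ifdef branch that calls setgroups(1, &nsd->gid) instead, which is also the tighter group list when nsd only needs its own gid rather than every group the user is in. Also note the mail client has wrapped the "+" line across two lines ("setgid(nsd-" / ">gid) != 0"), so the patch will not apply as quoted. The error path needs no change: the existing log_msg()/strerror(errno) report covers an initgroups() failure as well.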
> >>
> >>
> >> Note: I haven't tested the patch (other than checking that
> >> nsd starts and drops the extra groups).
> >>
> >> -Jarno
> >>
> >
> 
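As an added example, not part of this thread or of nsd's code, here is the privilege-drop sequence the patch is aiming for, with setgroups() as the portable fallback that Matthijs's portability concern calls for, plus a post-drop check that would have caught the retained groups Jarno observed. All function names are hypothetical; the feature macro mirrors the _BSD_SOURCE point from the thread.

```c
#define _DEFAULT_SOURCE 1 /* glibc: declares initgroups()/setgroups(); older glibc wanted _BSD_SOURCE */
#include <errno.h>
#include <grp.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Return 1 if groups[] is not acceptable for a process that dropped to `gid`:
 * it still carries root's group (gid 0) or, when `exact` is set (the
 * setgroups() path), anything other than `gid` itself. Returns 0 if fine. */
int groups_unacceptable(const gid_t *groups, int n, gid_t gid, int exact)
{
    for (int i = 0; i < n; i++) {
        if (groups[i] == 0 && gid != 0)
            return 1;
        if (exact && groups[i] != gid)
            return 1;
    }
    return 0;
}

/* Read the calling process's supplementary groups and check them; -1 on error. */
int current_groups_unacceptable(gid_t gid, int exact)
{
    int n = getgroups(0, NULL);
    if (n < 0)
        return -1;
    gid_t *groups = malloc((size_t)(n > 0 ? n : 1) * sizeof *groups);
    if (groups == NULL)
        return -1;
    n = getgroups(n, groups);
    int bad = (n < 0) ? -1 : groups_unacceptable(groups, n, gid, exact);
    free(groups);
    return bad;
}

/* Drop to uid/gid; must run while still root. With a username the group list
 * comes from the group database (initgroups); with NULL it is reduced to gid
 * alone (setgroups), the portable fallback. Returns 0 on success, -1 on error. */
int drop_privileges(const char *username, uid_t uid, gid_t gid)
{
    /* Group list first: after setuid() it can no longer be changed. */
    if (username ? initgroups(username, gid) != 0 : setgroups(1, &gid) != 0)
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* Verify the drop: root must not be regainable and no root group may remain. */
    if ((uid != 0 && setuid(0) == 0) ||
        current_groups_unacceptable(gid, username == NULL) != 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}
```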

