authorLaurent Bercot <ska-skaware@skarnet.org>2019-07-24 11:15:42 +0000
committerLaurent Bercot <ska-skaware@skarnet.org>2019-07-24 11:15:42 +0000
commit7c228abccd8fbb79c6aa41179069cac1abae8ac1 (patch)
treedfd9ea180799219f1357e8d4ce23602e6765e2ef
parent3ea6a4d085262d69379b4946b3e990dc0b613f65 (diff)
nsssd: always drop privileges to the client's
-rw-r--r--src/nsssd/nsssd_main.c23
1 files changed, 22 insertions, 1 deletions
diff --git a/src/nsssd/nsssd_main.c b/src/nsssd/nsssd_main.c
index cc8a3f4..b26a74a 100644
--- a/src/nsssd/nsssd_main.c
+++ b/src/nsssd/nsssd_main.c
@@ -2,10 +2,13 @@
 
 #include <string.h>
 #include <errno.h>
+#include <unistd.h>
+#include <stdlib.h>
 
 #include <skalibs/posixishard.h>
 #include <skalibs/uint32.h>
 #include <skalibs/uint64.h>
+#include <skalibs/types.h>
 #include <skalibs/buffer.h>
 #include <skalibs/strerr2.h>
 #include <skalibs/tai.h>
@@ -382,7 +385,25 @@ static inline void do_spnam (void *a)
 
 int nsssd_main (char const *const *argv, char const *const *envp)
 {
-  void *a = nsssd_handle_init() ;
+  void *a ;
+
+ /* If root, drop privileges to the client's, because shadow */
+
+  if (!geteuid())
+  {                                                                   
+    uid_t uid ;                                                             
+    gid_t gid ;                                                         
+    char const *x = getenv("IPCREMOTEEGID") ;                               
+    if (!x) strerr_dienotset(100, "IPCREMOTEEGID") ;                       
+    if (!gid0_scan(x, &gid)) strerr_dieinvalid(100, "IPCREMOTEEGID") ;      
+    if (setgid(gid) == -1) strerr_diefu2sys(111, "setgid to ", x) ;         
+    x = getenv("IPCREMOTEEUID") ;                                           
+    if (!x) strerr_dienotset(100, "IPCREMOTEEUID") ;                        
+    if (!uid0_scan(x, &uid)) strerr_dieinvalid(100, "IPCREMOTEEUID") ;      
+    if (setuid(uid) == -1) strerr_diefu2sys(111, "setuid to ", x) ;
+  }
+                                            
+  a = nsssd_handle_init() ;
   if (ndelay_on(0) < 0) strerr_diefu1sys(111, "set stdin non-blocking") ;
   tain_now_g() ;
   if (!nsssd_handle_start(a, argv, envp))
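Review bot: The privilege drop in the `if (!geteuid())` block sets the gid and uid but never resets the supplementary group list, so the process keeps whatever extra groups it inherited as root and can still reach files through them after `setuid`. Add `#include <grp.h>` and, once `gid0_scan` has succeeded and before `setgid`, call `if (setgroups(1, &gid) == -1) strerr_diefu1sys(111, "setgroups") ;`, which has to run while the process is still root. The comment above the block also stops mid-sentence (`because shadow`); it should give the reason in full, and presumably note that IPCREMOTEEUID and IPCREMOTEEGID are trusted only because the root-owned IPC server sets them. nsssd_main's body continues past the end of the hunk.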