[4.0] 3599490 One may have gcc or other things restricted, so that e.g. only a specific user and/or group may execute it. Varnish never inherited the groups of the user that has been specified by "-u". initgroups() will make sure that varnish gets all supplementary groups.

Poul-Henning Kamp phk at FreeBSD.org
Tue Jun 24 11:31:37 CEST 2014


commit 3599490aed5524ea19a63cf488a60dc8ddb59365
Author: Poul-Henning Kamp <phk at FreeBSD.org>
Date:   Tue Apr 22 08:51:58 2014 +0000

    One may have gcc or other things restricted, so that e.g. only a
    specific user and/or group may execute it. Varnish never inherited
    the groups of the user that has been specified by "-u". initgroups()
    will make sure that varnish gets all supplementary groups.
    
    Submitted by:	Christian Ruppert
    Fixes	#1482
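The drop sequence this commit puts into mgt_sandbox_unix(), with the post-drop verification a reviewer would want, as an added example that is not Varnish code: drop_privileges(), supp_groups_ok() and the NULL-user guard are this example's own (there is no mgt_param or XXXAZ here), and it assumes glibc/BSD semantics for initgroups() and setuid().

```c
#define _DEFAULT_SOURCE 1  /* glibc: needed for initgroups() in <grp.h> */
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <unistd.h>

/* Pure check on a supplementary group list: an unprivileged worker must not
 * still carry gid 0 (inherited from the root parent) unless its own primary
 * gid is 0. Testable without actually switching identity. */
int supp_groups_ok(const gid_t *groups, int n, gid_t target_gid)
{
	for (int i = 0; i < n; i++)
		if (groups[i] == 0 && target_gid != 0)
			return 0;
	return 1;
}

/* Drop from root to user/uid/gid in the order the commit uses: initgroups()
 * and setgid() need root, so both run before setuid(). Then verify the drop
 * rather than trust it. Returns 0, or -1 with errno set (EPERM if not root). */
int drop_privileges(const char *user, uid_t uid, gid_t gid)
{
	if (user == NULL) { errno = EINVAL; return -1; }  /* initgroups(NULL) crashes */
	if (setgid(gid) != 0 || initgroups(user, gid) != 0 || setuid(uid) != 0)
		return -1;
	/* Root must be unrecoverable once we are the target uid. */
	if (uid != 0 && setuid(0) == 0) { errno = EPERM; return -1; }
	int n = getgroups(0, NULL);         /* size the list, then fetch it */
	gid_t groups[n > 0 ? n : 1];
	if (n < 0 || (n = getgroups(n, groups)) < 0 ||
	    !supp_groups_ok(groups, n, gid)) {
		errno = EPERM;
		return -1;
	}
	return 0;
}

int main(int argc, char **argv)
{
	/* Usage: ./privdrop <user>; run as root to see the switch happen. */
	struct passwd *pw = getpwnam(argc > 1 ? argv[1] : "nobody");
	if (pw == NULL || drop_privileges(pw->pw_name, pw->pw_uid, pw->pw_gid)) {
		perror(pw == NULL ? "getpwnam" : "drop_privileges");
		return 1;
	}
	printf("now uid=%u gid=%u\n", (unsigned)getuid(), (unsigned)getgid());
	return 0;
}
```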

diff --git a/bin/varnishd/mgt/mgt_sandbox.c b/bin/varnishd/mgt/mgt_sandbox.c
index 069d660..83a2aeb 100644
--- a/bin/varnishd/mgt/mgt_sandbox.c
+++ b/bin/varnishd/mgt/mgt_sandbox.c
@@ -48,6 +48,7 @@
 #include <sys/prctl.h>
 #endif
 
+#include <grp.h>
 #include <stdio.h>
 #include <syslog.h>
 #include <unistd.h>
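Review bot: `<grp.h>` is the header that declares initgroups() on glibc, the BSDs and Solaris, and the placement keeps the unconditional includes sorted, so nothing to change here; one build caveat worth a comment is that initgroups() is not in POSIX, and on glibc its prototype is only visible under `_DEFAULT_SOURCE`/`_GNU_SOURCE`, so a strict `-std=c99` build without a feature macro would hit an implicit declaration.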
@@ -64,6 +65,7 @@ mgt_sandbox_unix(enum sandbox_e who)
 	(void)who;
 	if (geteuid() == 0) {
 		XXXAZ(setgid(mgt_param.gid));
+		XXXAZ(initgroups(mgt_param.user, mgt_param.gid));
 		XXXAZ(setuid(mgt_param.uid));
 	} else {
 		REPORT0(LOG_INFO, "Not running as root, no priv-sep");
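Review bot: the initgroups() call is correctly placed between setgid() and setuid(), since it needs the caller to still be root, but it passes mgt_param.user straight through, so confirm that the user name is always populated whenever geteuid() == 0; a NULL there would crash the manager instead of tripping the XXXAZ assertion. The commit message could also note the second effect of this line: without an initgroups()/setgroups() call between setgid() and setuid() the process kept the root parent's supplementary groups, so a root-started varnishd carried gid 0 in its supplementary list after dropping to the -u user, and initgroups() replaces that list wholesale. A cheap follow-up would be a getgroups() check after setuid() in the `if` branch, mirroring the REPORT0() the `else` branch already emits, so a failed or partial drop is visible in the log.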


