[packages/snmptt] Fixed privileges dropping for snmptt daemon

jajcus jajcus at pld-linux.org
Sat Dec 1 15:46:12 CET 2012


commit 014d0bb2efb33da3763f4eac12cd641e1af90cd7
Author: Jacek Konieczny <jajcus at jajcus.net>
Date:   Sat Dec 1 15:15:10 2012 +0100

    Fixed privileges dropping for snmptt daemon
    
    When run in daemon mode with 'daemon_uid' set, snmptt
    would change its effective UID only, still keeping the root group and the
    other UIDs. At the same time it would not switch to the 'snmptt' user's groups,
    so it would not be able to access the spool directory.

 snmptt-privileges.patch | 116 ++++++++++++++++++++++++++++++++++++++++++++++++
 snmptt.spec             |   2 +
 2 files changed, 118 insertions(+)
---
diff --git a/snmptt.spec b/snmptt.spec
index 4b303ae..9f5dc02 100644
--- a/snmptt.spec
+++ b/snmptt.spec
@@ -13,6 +13,7 @@ Source0:	http://dl.sourceforge.net/snmptt/%{name}_%{version}.tgz
 # Source0-md5:	ee8d8206d3e0d860fee126e09d8eb207
 Source1:	%{name}.init
 Source2:	%{name}.service
+Patch0:		%{name}-privileges.patch
 URL:		http://www.snmptt.org/
 BuildRequires:	rpmbuild(macros) >= 1.644
 BuildRequires:	rpm-perlprov
@@ -62,6 +63,7 @@ Skrypt init dla SNMPTT.
 
 %prep
 %setup -q -n %{name}_%{version}
+%patch0 -p1
 
 %install
 rm -rf $RPM_BUILD_ROOT
diff --git a/snmptt-privileges.patch b/snmptt-privileges.patch
new file mode 100644
index 0000000..b0cd42c
--- /dev/null
+++ b/snmptt-privileges.patch
@@ -0,0 +1,116 @@
+diff -dur snmptt_1.3.orig/snmptt snmptt_1.3/snmptt
+--- snmptt_1.3.orig/snmptt	2009-11-15 14:31:40.000000000 +0100
++++ snmptt_1.3/snmptt	2012-12-01 15:11:09.906454416 +0100
+@@ -197,6 +197,8 @@
+ # DaemonMode
+ my $daemon_fork;
+ my $daemon_uid;
++my $daemon_uid_name;
++my $daemon_gid;
+ my $pid_file;
+ my $spool_directory;
+ my $sleep;
+@@ -801,15 +803,13 @@
+   # Change user if not Windows, and daemon_uid ini parameter not blank
+   if ($^O ne "MSWin32" && $daemon_uid ne '')
+   {
+-    my $daemon_uid_name = '';
+-
+     if ($daemon_uid =~ /\D/)
+     {
+       # no numbers found, so assume it's a textual name
+ 
+       $daemon_uid_name = $daemon_uid;
+ 
+-      $daemon_uid = getpwnam($daemon_uid_name);
++      ($daemon_uid, $daemon_gid) = (getpwnam($daemon_uid_name))[2,3];
+       if (!defined($daemon_uid))
+       {        
+         warn("Could not convert user id \'$daemon_uid_name\' to a numeric UID\n");
+@@ -822,39 +822,42 @@
+         }
+       }
+     }
++    else {
++      ($daemon_uid_name, $daemon_gid) = (getpwuid($daemon_uid))[0,3];
++      if (!defined($daemon_gid))
++      {
++        warn("Could not find group id for user id \'$daemon_uid\'\n");
++	undef $daemon_uid;
++      }
++    }
+ 
+     # Change current uid to new_uid
+     if (defined($daemon_uid))
+     {
+-      if ($daemon_uid_name ne '')
+-      {
+-        if ($syslog_system_enable == 1) {
+-          syslog_system("Changing to UID: $daemon_uid_name \($daemon_uid\)");
+-        }
+-        if ($log_system_enable == 1) {
+-          log_system("Changing to UID: $daemon_uid_name \($daemon_uid\)");
+-        }
+-
+-        if ($DEBUGGING >= 1)
+-        {
+-          print "Changing to UID: $daemon_uid_name \($daemon_uid\)\n";
+-        }
++      # Find all the groups the user is a member of
++      my @daemon_groups;
++      if (defined($daemon_uid_name)) {
++	      while (my ($name, $comment, $ggid, $mstr) = getgrent()) {
++		  my %membership = map { $_ => 1 } split(/\s/, $mstr);
++		  if(exists $membership{$daemon_uid_name}) {
++		      push(@daemon_groups, $ggid) if $ggid ne 0;
++		  }
++	      }
+       }
+-      else
+-      {
+-        if ($syslog_system_enable == 1) {
+-          syslog_system("Changing to UID: $daemon_uid");
+-        }
+-        if ($log_system_enable == 1) {
+-          log_system("Changing to UID: $daemon_uid");
+-        }
+-
+-        if ($DEBUGGING >= 1)
+-        {
+-          print "Changing to UID: $daemon_uid\n";
+-        }
++      my %groupHash = map { $_ => 1 } ($daemon_gid, @daemon_groups);
++      my $newgid ="$daemon_gid ".join(" ", sort { $a <=> $b } (keys %groupHash));
++ 
++      if ($syslog_system_enable == 1) {
++	syslog_system("Changing to UID: $daemon_uid_name \($daemon_uid\), GID: $newgid");
++      }
++      if ($log_system_enable == 1) {
++	log_system("Changing to UID: $daemon_uid_name \($daemon_uid\), GID: $newgid");
+       }
+ 
++      if ($DEBUGGING >= 1)
++      {
++	print "Changing to UID: $daemon_uid_name \($daemon_uid\) GIF: $newgid\n";
++      }
+ 
+       if ($DEBUGGING >= 1) {
+         print DEBUGFILE "Closing debug file $DEBUGGING_FILE\n";
+@@ -862,7 +865,16 @@
+       # Close debug file (if it is open) before changing users and re-open after
+       close(DEBUGFILE);
+ 
+-      $> = $daemon_uid;
++      ($() = split /\s/, $newgid;
++      $) = $newgid;
++      $> = $< = $daemon_uid;
++      
++      # repeat to drop saved uid/gid too
++      ($() = split /\s/, $newgid;
++      $) = $newgid;
++      $> = $< = $daemon_uid;
++
++      die "Could not drop privileges" if ($< eq 0 or $> eq 0 or $( eq 0 or $) eq 0);
+ 
+       $debug_file_open_error = 1;
+       # Re-open debug file (if needed) as the new user
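Review bot: The privilege drop at the end of the hunk (`$> = $< = $daemon_uid`, repeated once) only sets the real and effective UID; where Perl implements these assignments with setresuid()/setreuid() the saved set-user-ID stays 0 and repeating the assignment does not change that, so the comment "repeat to drop saved uid/gid too" promises more than the code delivers — POSIX::setuid()/POSIX::setgid() (core POSIX module, load it with `use POSIX ();` if the script does not already) called while still root set real, effective and saved IDs in one step, and their undef-on-failure return can be checked. The final `die` compares `$(` and `$)` as strings, and those read back as `GID GID ...` lists, so `$) eq 0` is false even when the effective GID is 0; compare numerically with `$( + 0 == 0` and `$) + 0 == 0`. The debug print a few lines above says `GIF:` where the syslog/log lines say `GID:`. The surrounding `if (defined($daemon_uid))` block opens before and closes after the last inner hunk of the embedded patch.
```perl
      close(DEBUGFILE);

      # Supplementary groups first (setgroups needs root), then gid, then uid.
      # POSIX::setgid/setuid replace real, effective and saved ids when run as root.
      $) = $newgid;
      POSIX::setgid($daemon_gid) or die "setgid($daemon_gid) failed: $!";
      POSIX::setuid($daemon_uid) or die "setuid($daemon_uid) failed: $!";

      # $( and $) stringify as group lists; compare the leading id numerically.
      die "Could not drop privileges"
        if ($< == 0 or $> == 0 or $( + 0 == 0 or $) + 0 == 0);
```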