File sudo-1.8.10p3-user_groups.patch of Package sudo.18794
# HG changeset patch
# User Todd C. Miller <Todd.Miller@courtesan.com>
# Date 1466612489 21600
# Node ID 3bf16489800c6908af6600e0adb1160dc0e05ec4
# Parent 40cbfa5deeb114771e43842173603ac0d1509974
Set user groups in exec_setup() if they were not already set by
policy_init_session(). Bug #749
Index: sudo-1.8.10p3/src/sudo.c
===================================================================
--- sudo-1.8.10p3.orig/src/sudo.c
+++ sudo-1.8.10p3/src/sudo.c
@@ -536,6 +536,7 @@ command_info_to_details(char * const inf
memset(details, 0, sizeof(*details));
details->closefrom = -1;
+ details->flags = CD_SET_GROUPS;
TAILQ_INIT(&details->preserved_fds);
#define SET_STRING(s, n) \
@@ -844,6 +845,39 @@ restore_nproc(void)
#endif /* __linux__ */
}
+static bool
+set_user_groups(struct command_details *details)
+{
+ bool rval = false;
+ debug_decl(set_user_groups, SUDO_DEBUG_EXEC)
+
+ if (!ISSET(details->flags, CD_PRESERVE_GROUPS)) {
+ if (details->ngroups >= 0) {
+ if (sudo_setgroups(details->ngroups, details->groups) < 0) {
+ warning(U_("unable to set supplementary group IDs"));
+ goto done;
+ }
+ }
+ }
+#ifdef HAVE_SETEUID
+ if (ISSET(details->flags, CD_SET_EGID) && setegid(details->egid)) {
+ warning(U_("unable to set effective gid to runas gid %u"),
+ (unsigned int)details->egid);
+ goto done;
+ }
+#endif
+ if (ISSET(details->flags, CD_SET_GID) && setgid(details->gid)) {
+ warning(U_("unable to set gid to runas gid %u"),
+ (unsigned int)details->gid);
+ goto done;
+ }
+ rval = true;
+
+done:
+ CLR(details->flags, CD_SET_GROUPS);
+ debug_return_bool(rval);
+}
+
/*
* Setup the execution environment immediately prior to the call to execve().
* Group setup is performed by policy_init_session(), called earlier.
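Review bot: The context comment above exec_setup() at the end of this hunk still says group setup is performed by policy_init_session(), which is no longer accurate now that exec_setup() can call set_user_groups() itself. It could read `* Group setup is performed by policy_init_session() if it ran, otherwise here via set_user_groups().` set_user_groups() also has no header comment; I would add one saying it sets the supplementary groups unless CD_PRESERVE_GROUPS is set, then the effective and real gid, returns true on success, and clears CD_SET_GROUPS at `done:` on both the success and the failure path. That last property matters to callers: after a failure the flag no longer shows that the groups were never set, so they must act on the return value. The exec_setup() comment continues outside the hunk.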
@@ -922,6 +956,12 @@ exec_setup(struct command_details *detai
#endif /* HAVE_LOGIN_CAP_H */
}
+ if (ISSET(details->flags, CD_SET_GROUPS)) {
+ /* set_user_groups() prints error message on failure. */
+ if (!set_user_groups(details))
+ goto done;
+ }
+
if (ISSET(details->flags, CD_SET_PRIORITY)) {
if (setpriority(PRIO_PROCESS, 0, details->priority) != 0) {
warning(U_("unable to set process priority"));
@@ -1143,28 +1183,10 @@ policy_init_session(struct command_detai
* as part of the session setup. This allows for dynamic
* groups to be set via pam_group(8) in pam_setcred(3).
*/
- if (!ISSET(details->flags, CD_PRESERVE_GROUPS)) {
- if (details->ngroups >= 0) {
- if (sudo_setgroups(details->ngroups, details->groups) < 0) {
- warning(U_("unable to set supplementary group IDs"));
- rval = -1;
- goto done;
- }
- }
- }
-#ifdef HAVE_SETEUID
- if (ISSET(details->flags, CD_SET_EGID) && setegid(details->egid)) {
- warning(U_("unable to set effective gid to runas gid %u"),
- (unsigned int)details->egid);
- rval = -1;
- goto done;
- }
-#endif
- if (ISSET(details->flags, CD_SET_GID) && setgid(details->gid)) {
- warning(U_("unable to set gid to runas gid %u"),
- (unsigned int)details->gid);
- rval = -1;
- goto done;
+ if (ISSET(details->flags, CD_SET_GROUPS)) {
+ /* set_user_groups() prints error message on failure. */
+ if (!set_user_groups(details))
+ goto done;
}
if (policy_plugin.u.policy->init_session) {
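Review bot: The failure path in policy_init_session() no longer sets `rval = -1` before `goto done`, which every removed branch did. rval's initialisation is outside the hunk, but if it starts as a success value, a failed sudo_setgroups(), setegid() or setgid() now produces only a warning and the function reports success. Because set_user_groups() clears CD_SET_GROUPS at its `done:` label even on failure, exec_setup() would not retry, and the command could then run with the invoking process's group set instead of the runas groups. I would keep the old behaviour with `if (!set_user_groups(details)) { rval = -1; goto done; }`. The function body starts and ends outside the hunk.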
Index: sudo-1.8.10p3/src/sudo.h
===================================================================
--- sudo-1.8.10p3.orig/src/sudo.h
+++ sudo-1.8.10p3/src/sudo.h
@@ -122,6 +122,7 @@ struct user_details {
#define CD_USE_PTY 0x1000
#define CD_SET_UTMP 0x2000
#define CD_EXEC_BG 0x4000
+#define CD_SET_GROUPS 0x40000
struct preserved_fd {
TAILQ_ENTRY(preserved_fd) entries;
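Review bot: `CD_SET_GROUPS` is defined as 0x40000 directly after `CD_EXEC_BG 0x4000`, so bits 0x8000, 0x10000 and 0x20000 are skipped without explanation in the lines visible here. If the gap is deliberate, presumably to keep the value the same as upstream's, a trailing comment such as `/* value kept in sync with upstream; lower bits intentionally skipped */` would stop a later backport from assigning a clashing value. It is also worth confirming that no other patch in this package's series already defines 0x40000 for a different flag.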