Changes of Revision 68
pykolab-0.6.12-dont-drop-privileges-too-early.patch
Added
@@ -0,0 +1,189 @@
+commit fa5709b1a24432a0015f8ba48896f6615077dc87
+Author: Jeroen van Meeuwen (Kolab Systems) <vanmeeuwen@kolabsys.com>
+Date: Sat Feb 15 23:17:43 2014 +0100
+
+ First ensure our socket directory is writeable, then drop privileges
+
+diff --git a/saslauthd/__init__.py b/saslauthd/__init__.py
+index 69accce..d952bdb 100644
+--- a/saslauthd/__init__.py
++++ b/saslauthd/__init__.py
+@@ -108,78 +108,9 @@ class SASLAuthDaemon(object):
+
+ exitcode = 0
+
+- try:
+- try:
+- (ruid, euid, suid) = os.getresuid()
+- (rgid, egid, sgid) = os.getresgid()
+- except AttributeError, errmsg:
+- ruid = os.getuid()
+- rgid = os.getgid()
+-
+- if ruid == 0:
+- # Means we can setreuid() / setregid() / setgroups()
+- if rgid == 0:
+- # Get group entry details
+- try:
+- (
+- group_name,
+- group_password,
+- group_gid,
+- group_members
+- ) = grp.getgrnam(conf.process_groupname)
+-
+- except KeyError:
+- print >> sys.stderr, _("Group %s does not exist") % (
+- conf.process_groupname
+- )
+-
+- sys.exit(1)
+-
+- # Set real and effective group if not the same as current.
+- if not group_gid == rgid:
+- log.debug(
+- _("Switching real and effective group id to %d") % (
+- group_gid
+- ),
+- level=8
+- )
+-
+- os.setregid(group_gid, group_gid)
+-
+- if ruid == 0:
+- # Means we haven't switched yet.
+- try:
+- (
+- user_name,
+- user_password,
+- user_uid,
+- user_gid,
+- user_gecos,
+- user_homedir,
+- user_shell
+- ) = pwd.getpwnam(conf.process_username)
+-
+- except KeyError:
+- print >> sys.stderr, _("User %s does not exist") % (
+- conf.process_username
+- )
+-
+- sys.exit(1)
++ self._ensure_socket_dir()
+
+-
+- # Set real and effective user if not the same as current.
+- if not user_uid == ruid:
+- log.debug(
+- _("Switching real and effective user id to %d") % (
+- user_uid
+- ),
+- level=8
+- )
+-
+- os.setreuid(user_uid, user_uid)
+-
+- except:
+- log.error(_("Could not change real and effective uid and/or gid"))
++ self._drop_privileges()
+
+ try:
+ pid = 1
+@@ -228,12 +159,6 @@ class SASLAuthDaemon(object):
+
+ s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
+
+- utils.ensure_directory(
+- '/var/run/saslauthd/',
+- conf.process_username,
+- conf.process_groupname
+- )
+-
+ # TODO: The saslauthd socket path could be a setting.
+ try:
+ os.remove('/var/run/saslauthd/mux')
+@@ -334,3 +259,84 @@ class SASLAuthDaemon(object):
+ fp = open(conf.pidfile,'w')
+ fp.write("%d\n" % (pid))
+ fp.close()
++
++ def _ensure_socket_dir(self):
++ utils.ensure_directory(
++ '/var/run/saslauthd/',
++ conf.process_username,
++ conf.process_groupname
++ )
++
++ def _drop_privileges(self):
++ try:
++ try:
++ (ruid, euid, suid) = os.getresuid()
++ (rgid, egid, sgid) = os.getresgid()
++ except AttributeError, errmsg:
++ ruid = os.getuid()
++ rgid = os.getgid()
++
++ if ruid == 0:
++ # Means we can setreuid() / setregid() / setgroups()
++ if rgid == 0:
++ # Get group entry details
++ try:
++ (
++ group_name,
++ group_password,
++ group_gid,
++ group_members
++ ) = grp.getgrnam(conf.process_groupname)
++
++ except KeyError:
++ print >> sys.stderr, _("Group %s does not exist") % (
++ conf.process_groupname
++ )
++
++ sys.exit(1)
++
++ # Set real and effective group if not the same as current.
++ if not group_gid == rgid:
++ log.debug(
++ _("Switching real and effective group id to %d") % (
++ group_gid
++ ),
++ level=8
++ )
++
++ os.setregid(group_gid, group_gid)
++
++ if ruid == 0:
++ # Means we haven't switched yet.
++ try:
++ (
++ user_name,
++ user_password,
++ user_uid,
++ user_gid,
++ user_gecos,
++ user_homedir,
++ user_shell
++ ) = pwd.getpwnam(conf.process_username)
++
++ except KeyError:
++ print >> sys.stderr, _("User %s does not exist") % (
++ conf.process_username
++ )
++
++ sys.exit(1)
++
++
++ # Set real and effective user if not the same as current.
++ if not user_uid == ruid:
++ log.debug(
++ _("Switching real and effective user id to %d") % (
++ user_uid
++ ),
++ level=8
++ )
++
++ os.setreuid(user_uid, user_uid)
++
++ except:
++ log.error(_("Could not change real and effective uid and/or gid"))
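Review bot: `_drop_privileges()` fails open: both `sys.exit(1)` calls for a missing group or user sit inside the outer `try`, and the bare `except:` at the end catches the resulting `SystemExit` as well as any `OSError` from `os.setregid()` / `os.setreuid()`, so the daemon only logs "Could not change real and effective uid and/or gid" and carries on with its original root ids. The handler should terminate instead, e.g. `except Exception:` followed by the existing `log.error(...)` and then `sys.exit(1)`, which also lets the earlier `SystemExit` propagate. The comment names `setgroups()` but the function never calls it, so root's supplementary groups survive the switch; `os.setgroups([])` before `os.setregid(group_gid, group_gid)` would clear them (or set the target account's groups there if the daemon needs them). Both new helpers would also benefit from a one-line docstring, with `_ensure_socket_dir()` stating that it has to run while the process is still privileged, since that ordering is the whole point of the change.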