forks/tftp-hpa-google
1
0
Fork 0
forked from mirrors/tftp-hpa-google
Code Pull requests Releases 1 Activity

tftpd: call setgroups() before initgroups()

Browse source 
Unconditionally call setgroups() before calling
initgroups(). That way if initgroups() fails for some reason (e.g. it
is unable to access /etc/groups or the equivalent) then at least the
group list will be empty.

Signed-off-by: H. Peter Anvin <hpa@zytor.com>
This commit is contained in:
H. Peter Anvin 2024-05-29 17:49:21 -07:00
parent b9f2335e88
commit 416046e2ad
1 changed files with 7 additions and 10 deletions
Download patch file Download diff file Expand all files Collapse all files

15
tftpd/tftpd.c
View file

@ -980,22 +980,19 @@ int main(int argc, char **argv)
/etc/group still need to be accessible at this point. /etc/group still need to be accessible at this point.
If we get EPERM, this is already a restricted process, e.g. If we get EPERM, this is already a restricted process, e.g.
using user namespaces on Linux. */ using user namespaces on Linux. */
setrv = -1;
die = 0; die = 0;
#ifdef HAVE_INITGROUPS
setrv = initgroups(user, pw->pw_gid);
if (setrv && errno != EPERM) {
syslog(LOG_ERR, "cannot set groups for user %s", user);
die = EX_OSERR;
}
#endif
#ifdef HAVE_SETGROUPS #ifdef HAVE_SETGROUPS
if (setrv) {
setrv = setgroups(0, NULL); setrv = setgroups(0, NULL);
if (setrv && errno != EPERM) { if (setrv && errno != EPERM) {
syslog(LOG_ERR, "cannot clear group list"); syslog(LOG_ERR, "cannot clear group list");
die = EX_OSERR; die = EX_OSERR;
} }
#endif
#ifdef HAVE_INITGROUPS
setrv = initgroups(user, pw->pw_gid);
if (setrv && errno != EPERM) {
syslog(LOG_ERR, "cannot set groups for user %s", user);
die = EX_OSERR;
} }
#endif #endif
if (die) if (die)