luo980/libuv
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

unix: call setgoups before calling setuid/setgid

Browse Source 
Partial fix for #1093
This commit is contained in:
Saúl Ibarra Corretgé 2014-02-10 17:41:51 +01:00
parent 3901ec4976
commit 66ab38918c
1 changed files with 11 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
src/unix/process.c
View File

@ -330,6 +330,17 @@ static void uv__process_child_init(const uv_process_options_t* options,
_exit(127); _exit(127);
} }
if (options->flags & (UV_PROCESS_SETUID | UV_PROCESS_SETGID)) {
/* When dropping privileges from root, the `setgroups` call will
* remove any extraneous groups. If we don't call this, then
* even though our uid has dropped, we may still have groups
* that enable us to do super-user things. This will fail if we
* aren't root, so don't bother checking the return value, this
* is just done as an optimistic privilege dropping function.
*/
SAVE_ERRNO(setgroups(0, NULL));
}
if ((options->flags & UV_PROCESS_SETGID) && setgid(options->gid)) { if ((options->flags & UV_PROCESS_SETGID) && setgid(options->gid)) {
uv__write_int(error_fd, -errno); uv__write_int(error_fd, -errno);
perror("setgid()"); perror("setgid()");