-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi Jarno,

First of all, sorry for not replying to the original message.

The problem with initgroups is that it is only available if _BSD_SOURCE_
is defined. So, it is not very portable. I am not sure if there is an
easy portable fix that would also do the job...

Best regards,

Matthijs Mekking
NLnet Labs

Jarno Huuskonen wrote:
> I originally sent this to nsd-bugs at nlnetlabs.nl on 22.6.2009, but never
> received a reply.
>
> -----------------------------------
>
> I was testing nsd-3.2.2 and noticed that when dropping root
> privileges nsd doesn't call initgroups (or setgroups).
>
> On a typical Linux distro (I'm testing with CentOS 5.3) this
> means that nsd retains extra groups
> (with CentOS groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)).
>
> Here's a small patch that I made:
> diff -urN nsd-3.2.2.orig/server.c nsd-3.2.2/server.c
> --- nsd-3.2.2.orig/server.c 2009-04-03 14:56:43.000000000 +0300
> +++ nsd-3.2.2/server.c 2009-06-22 13:11:03.000000000 +0300
> @@ -21,6 +21,7 @@
> #include <ctype.h>
> #include <errno.h>
> #include <fcntl.h>
> +#include <grp.h>
> #include <stddef.h>
> #include <stdio.h>
> #include <stdlib.h>
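Review bot: The added #include <grp.h> is unconditional, while the reply above points out that initgroups is only declared when a feature macro is defined, so on some platforms the new call would compile against a missing or implicit declaration. Put the include and the call behind the same configure-time check so the two cannot drift apart.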
> @@ -533,7 +534,7 @@
> }
>
> /* Drop the permissions */
> - if (setgid(nsd->gid) != 0 || setuid(nsd->uid) !=0) {
> + if (initgroups(nsd->username, nsd->gid) != 0 ||
setgid(nsd->gid) != 0 || setuid(nsd->uid) !=0) {
> log_msg(LOG_ERR, "unable to drop user privileges:
%s",
> strerror(errno));
> pid_unlink(nsd->pidfile);
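Review bot: In the new condition, initgroups(nsd->username, nsd->gid) needs a user name that resolves in the account database, while the setgid and setuid calls beside it only need numeric ids; nothing in this hunk shows that nsd->username is always set and non-NULL here, so check that before relying on it. Where no name is available, or initgroups is missing, calling setgroups with a one-entry list holding nsd->gid clears the inherited groups using the gid alone and could serve as the fallback. The order of the calls (groups, then setgid, then setuid) is right and should be kept if the condition is split up.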
>
>
> Note: I haven't tested the patch (other than checking that
> nsd starts and drops the extra groups).
>
> -Jarno
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----
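
The privilege drop discussed in this thread, written out as an added example (not code from nsd or from either poster): supplementary groups are reset before setgid/setuid, and the result is verified afterwards. The names drop_privileges and count_extra_groups and the gid 4242 are hypothetical; the sample group list is the one quoted in the report.

```c
#define _DEFAULT_SOURCE 1  /* glibc >= 2.20 name for _BSD_SOURCE; exposes initgroups/setgroups */
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Constructed sample: the supplementary groups quoted in the report above. */
static const gid_t REPORTED_GROUPS[] = {0, 1, 2, 3, 4, 6, 10};

/* Number of entries in a supplementary group list that are not `keep`. */
int count_extra_groups(const gid_t *groups, int n, gid_t keep)
{
    int extra = 0;
    for (int i = 0; i < n; i++)
        if (groups[i] != keep)
            extra++;
    return extra;
}

/* Drop from root to uid/gid. With a user name the account's own groups are
 * loaded; with NULL the list is cut down to gid alone. Returns 0 or -1. */
int drop_privileges(const char *username, uid_t uid, gid_t gid)
{
    gid_t now[64];
    int n;

    /* Groups first: once setuid() succeeds they can no longer be changed. */
    if (username != NULL) {
        if (initgroups(username, gid) != 0)
            return -1;
    } else if (setgroups(1, &gid) != 0) {
        return -1;
    }
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;

    /* Verify the result instead of trusting the return codes. */
    if (uid != 0 && setuid(0) == 0)
        return -1;                      /* root was still reachable */
    if (username == NULL) {
        n = getgroups(64, now);
        if (n < 0 || count_extra_groups(now, n, gid) != 0)
            return -1;                  /* inherited groups survived */
    }
    return 0;
}

int main(void)
{
    /* 4242 is a hypothetical unprivileged gid for the daemon account. */
    printf("groups kept without the fix: %d\n",
           count_extra_groups(REPORTED_GROUPS, 7, 4242));
    return 0;
}
```

A caller that gets -1 back should log the error and exit rather than continue with whatever privileges remain.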