thr3ads.net - samba - [Samba] [cifs-utils PATCH] cifs.upcall: switch group IDs when handling an upcall [Feb 2017]

If this information is useful, please help other people find it:
Share via:

Jeff Layton

2017-Feb-13 14:00 UTC

[Samba] [cifs-utils PATCH] cifs.upcall: switch group IDs when handling an upcall

Currently, we leave the group ID alone, but now that we're looking at
KRB5CCNAME, we need to be a little more careful with credentials. After
we get the uid, do a getpwuid and grab the default gid for the user.
Then use setgid to set it before calling setuid.

Signed-off-by: Jeff Layton <jlayton at samba.org>
---
 cifs.upcall.c | 37 +++++++++++++++++++++++++++++++++++++
 1 file changed, 37 insertions(+)

diff --git a/cifs.upcall.c b/cifs.upcall.c
index ee3449d4555d..3328bbdd34ca 100644
--- a/cifs.upcall.c
+++ b/cifs.upcall.c
@@ -47,6 +47,8 @@
 #include <netdb.h>
 #include <arpa/inet.h>
 #include <ctype.h>
+#include <pwd.h>
+#include <grp.h>
 
 #include "replace.h"
 #include "data_blob.h"
@@ -818,6 +820,7 @@ int main(const int argc, char *const argv[])
 	char *keytab_name = NULL;
 	char *env_cachename = NULL;
 	krb5_ccache ccache = NULL;
+	struct passwd *pw;
 
 	hostbuf[0] = '\0';
 	memset(&arg, 0, sizeof(arg));
@@ -924,20 +927,54 @@ int main(const int argc, char *const argv[])
 	}
 
 	/*
+	 * The kernel doesn't pass down the gid, so we resort here to scraping
+	 * one out of /etc/passwd (or the equivalent). Note that this might
+	 * not reflect the actual gid of the process that initiated the
+	 * upcall, but it's safer than relying on the current creds.
+	 */
+	pw = getpwuid(uid);
+	if (!pw) {
+		syslog(LOG_ERR, "Unable to find pw entry for uid %d: %s\n",
+			uid, strerror(errno));
+		rc = 1;
+		goto out;
+	}
+
+	/*
 	 * Must do this before setuid, as we need ptrace perms to look at
 	 * environ file.
 	 */
 	env_cachename = get_cachename_from_process_env(env_probe ? arg.pid : 0);
 
+	/*
+	 * The kernel should send down a zero-length grouplist already, but
+	 * just to be on the safe side...
+	 */
+	rc = setgroups(0, NULL);
+	if (rc == -1) {
+		syslog(LOG_ERR, "setgroups: %s", strerror(errno));
+		rc = 1;
+		goto out;
+	}
+
+	rc = setgid(pw->pw_gid);
+	if (rc == -1) {
+		syslog(LOG_ERR, "setgid: %s", strerror(errno));
+		rc = 1;
+		goto out;
+	}
+
 	rc = setuid(uid);
 	if (rc == -1) {
 		syslog(LOG_ERR, "setuid: %s", strerror(errno));
+		rc = 1;
 		goto out;
 	}
 
 	rc = krb5_init_context(&context);
 	if (rc) {
 		syslog(LOG_ERR, "unable to init krb5 context: %ld", rc);
+		rc = 1;
 		goto out;
 	}
 
-- 
2.9.3

Reasonably Related Threads

Search for more possibly parallel threads

samba - Feb 2017 - [cifs-utils PATCH] cifs.upcall: switch group IDs when handling an upcall

[Samba] [cifs-utils PATCH] cifs.upcall: switch group IDs when handling an upcall

Reasonably Related Threads

Wisdom of the Ancients