List: spread-users
Subject: [Spread-users] setuid/chroot doesn't work in Mac OS X
From: Mike Laster <mike () marketocracy ! com>
Date: 2002-09-26 22:02:04
The default implementation doesn't seem to properly setuid/chroot under OS X.

I found that this fix works:

*** spread.c 2002/08/07 15:56:43 1.1
--- spread.c 2002/09/26 21:57:36
***************
*** 167,173 ****
|| (pwd = getpwnam(SP_USER)) == NULL
|| chdir(SP_RUNTIME_DIR) < 0
|| chroot(SP_RUNTIME_DIR) < 0
! || setgroups(0, 0) < 0
|| setgid(grp->gr_gid) < 0
|| setuid(pwd->pw_uid) < 0)
{
--- 167,173 ----
|| (pwd = getpwnam(SP_USER)) == NULL
|| chdir(SP_RUNTIME_DIR) < 0
|| chroot(SP_RUNTIME_DIR) < 0
! || setgroups(1, &grp->gr_gid) < 0
|| setgid(grp->gr_gid) < 0
|| setuid(pwd->pw_uid) < 0)
{
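
Review bot: the changed line, setgroups(1, &grp->gr_gid), carries no comment saying why the list is set to a single entry instead of being emptied, so a later cleanup could easily put (0, 0) back; add a one-line comment naming the platform behaviour it works around. The entry passed is the same grp->gr_gid that setgid() sets on the following line, so the resulting list names no group other than the primary one. Because every call in this || chain ends in the same failure block, that block should report errno if it does not already, so a failure like this one can be traced to a specific call.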

Apparently the BSD flavor of setgroups doesn't like (0,0) parameters; it dies with an errno 22 (invalid argument), but if I switch it to setgroups(1, &grp->gr_gid), it is happy.

This should be just as secure. I have mine configured to run as nobody/nobody, so this setgroups() should set the group membership to the 'nobody' group. Are there any potential security holes in this patch that I'm not seeing?