authorAnna (navi) Figueiredo Gomes <navi@vlhl.dev>2025-11-19 19:20:54 +0100
committerAnna (navi) Figueiredo Gomes <navi@vlhl.dev>2025-11-19 19:39:47 +0100
commit500a52218dc71386ed2771b5889d4890cec3228f (patch)
treec6a8f39c5dc4c429a6dca2e9b0eeba8c423c2de4 /src/supervise-daemon
parent6e6afa1b5056cc8ae7e40c4a3f58bb6868eda821 (diff)
*-daemon: always call setgroups, defaulting to count = 0origin/setgroups-zero
services started by init don't get any supplementary groups, but anything started from a shell would inherit the groups, causing inconsistent behaviour. we can either clear all groups, or always initialize root's groups. since other init systems do not initialize anything, and neither do we at boot, let's just always clear them unconditionally
Diffstat (limited to 'src/supervise-daemon')
-rw-r--r--src/supervise-daemon/supervise-daemon.c16
1 files changed, 10 insertions, 6 deletions
diff --git a/src/supervise-daemon/supervise-daemon.c b/src/supervise-daemon/supervise-daemon.c
index a1e87083..f1235f3b 100644
--- a/src/supervise-daemon/supervise-daemon.c
+++ b/src/supervise-daemon/supervise-daemon.c
@@ -384,7 +384,7 @@ RC_NORETURN static void child_process(char *exec, char **argv)
char start_time_string[20];
FILE *fp;
gid_t group_buf[32], *group_list = group_buf;
- int group_count = ARRAY_SIZE(group_buf);
+ int group_count = 0;
#ifdef HAVE_PAM
pam_handle_t *pamh = NULL;
@@ -445,10 +445,14 @@ RC_NORETURN static void child_process(char *exec, char **argv)
}
#endif
- if (changeuser && getgrouplist(changeuser, gid, group_list, &group_count) < 0) {
- group_list = xmalloc(group_count * sizeof(*group_list));
- if (getgrouplist(changeuser, gid, group_list, &group_count) < 0)
- eerrorx("%s: getgrouplist(%s, %"PRIuMAX")", applet, changeuser, (uintmax_t)gid);
+ if (changeuser) {
+ /* getgrouplist is a stupid api. */
+ group_count = ARRAY_SIZE(group_buf);
+ if (getgrouplist(changeuser, gid, group_list, &group_count) < 0) {
+ group_list = xmalloc(group_count * sizeof(*group_list));
+ if (getgrouplist(changeuser, gid, group_list, &group_count) < 0)
+ eerrorx("%s: getgrouplist(%s, %"PRIuMAX")", applet, changeuser, (uintmax_t)gid);
+ }
}
/* Close any fd's to the passwd database */
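Review bot: The comment added above the `group_count = ARRAY_SIZE(group_buf);` assignment ("getgrouplist is a stupid api.") does not tell a maintainer why the count is set here rather than at the declaration, and that placement is the security-relevant part of the change. I would replace it with something like `/* ngroups is in/out: buffer capacity on entry, group count on return. It must stay 0 when no user is given so the later setgroups() clears the list. */`. A later refactor that moves the assignment back to the declaration would otherwise pass 32 uninitialised gids to setgroups() on the path without `changeuser`. child_process starts and ends outside this hunk.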
@@ -462,7 +466,7 @@ RC_NORETURN static void child_process(char *exec, char **argv)
if (gid && setgid(gid))
eerrorx("%s: unable to set groupid to %"PRIuMAX, applet, (uintmax_t)gid);
- if (changeuser && setgroups(group_count, group_list) < 0)
+ if (setgroups(group_count, group_list) < 0)
eerrorx("%s: setgroups() failed", applet);
if (group_list != group_buf)
free(group_list);
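Review bot: With the `changeuser &&` guard removed, `setgroups(group_count, group_list)` runs on every start, and any failure is fatal through `eerrorx`. setgroups() requires CAP_SETGID, so if supervise-daemon can be started by an unprivileged user or inside a user namespace where setgroups is denied (neither is visible from this hunk), the child now aborts even though no user change was requested. Failing closed is the right default for privileged starts, but the unprivileged case deserves an explicit decision, either a documented requirement or a logged skip, never a silent ignore. The message should also carry the cause, e.g. `eerrorx("%s: setgroups() failed: %s", applet, strerror(errno));`, assuming errno.h and string.h are already included in this file. child_process continues outside the hunk.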