By Dimitry V. Ketov, based on code from Apache.
dnl
dnl Duane Wessels, wessels@nlanr.net, February 1996 (autoconf v2.9)
dnl
-dnl $Id: configure.in,v 1.361 2004/10/17 22:13:02 hno Exp $
+dnl $Id: configure.in,v 1.362 2004/10/20 22:41:03 hno Exp $
dnl
dnl
dnl
AC_CONFIG_AUX_DIR(cfgaux)
AM_INIT_AUTOMAKE(squid, 3.0-PRE3-CVS)
AM_CONFIG_HEADER(include/autoconf.h)
-AC_REVISION($Revision: 1.361 $)dnl
+AC_REVISION($Revision: 1.362 $)dnl
AC_PREFIX_DEFAULT(/usr/local/squid)
AM_MAINTAINER_MODE
drand48 \
tempnam \
strerror \
+ initgroups
)
dnl Not cached since people are likely to tune this
--- /dev/null
+/*
+ * $Id: initgroups.h,v 1.1 2004/10/20 22:41:03 hno Exp $
+ */
+#ifndef SQUID_INITGROUPS_H
+#define SQUID_INITGROUPS_H
+
+/* if you have configure you can use this */
+#if defined(HAVE_CONFIG_H)
+#include "config.h"
+#endif
+
+#if HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+
+extern int initgroups(const char *user, gid_t group);
+#endif /* SQUID_INITGROPS_H */
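Review bot: The declaration of initgroups() at L39 has no `extern "C"` wrapper, yet the consumer added in the squid.h hunk below (L157-L159) is a C++ translation unit (the `template<class A>` context line at L162 shows that), while the definition in the new initgroups.c is compiled as C; unless the squid.h include already sits inside an `extern "C"` block that is not visible here, the C++ side will look for a mangled symbol and the fallback will not link. Wrapping the prototype in the usual guard fixes it for both C and C++ callers. The closing comment at L40 also misspells the guard macro: `#endif /* SQUID_INITGROUPS_H */`.
```c
/* … unchanged: include guard, config.h and sys/types.h includes … */

#ifdef __cplusplus
extern "C" {
#endif

extern int initgroups(const char *user, gid_t group);

#ifdef __cplusplus
}
#endif
#endif /* SQUID_INITGROUPS_H */
```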
--- /dev/null
+#include "config.h"
+
+#if HAVE_GRP_H
+#include <grp.h>
+#endif
+#if HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#if HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+#if HAVE_STRING_H
+#include <string.h>
+#endif
+#if HAVE_STRINGS_H
+#include <strings.h>
+#endif
+#if HAVE_LIMITS_H
+#include <limits.h>
+#endif
+
+int initgroups(const char *name, gid_t basegid)
+{
+#ifdef HAVE_SETGROUPS
+#ifndef NGROUPS_MAX
+#define NGROUPS_MAX 16
+#endif
+
+ gid_t groups[NGROUPS_MAX];
+ struct group *g;
+ int index = 0;
+
+ setgrent();
+
+ groups[index++] = basegid;
+
+ while (index < NGROUPS_MAX && ((g = getgrent()) != NULL)) {
+ if (g->gr_gid != basegid) {
+ char **names;
+
+ for (names = g->gr_mem; *names != NULL; ++names) {
+
+ if (!strcmp(*names, name))
+ groups[index++] = g->gr_gid;
+
+ }
+ }
+ }
+
+ endgrent();
+
+ return setgroups(index, groups);
+
+#else
+
+ return 0;
+
+#endif /* def HAVE_SETGROUPS */
+}
+
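Review bot: The bound `index < NGROUPS_MAX` in the while condition at L78 is checked once per group entry, but the inner for loop at L82-L85 can append more than once for a single entry (a user name listed twice in that entry's gr_mem), so `groups[index++]` at L85 can write past the end of the stack array. Checking the bound at the point of the write and stopping after the first match closes that: `if (index < NGROUPS_MAX && !strcmp(*names, name)) { groups[index++] = g->gr_gid; break; }`. The local `index` also shadows the `index()` function that `<strings.h>`, included at L57, declares, so a name such as `ngroups` would avoid -Wshadow noise and reads better as a count. A one-line header comment stating that this is the portable fallback used only when the platform lacks initgroups() (the `#if !HAVE_INITGROUPS` condition in squid.h) would help the next reader, since nothing in the file says so.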
#
-# $Id: cf.data.pre,v 1.360 2004/10/18 12:20:09 hno Exp $
+# $Id: cf.data.pre,v 1.361 2004/10/20 22:41:04 hno Exp $
#
#
# SQUID Web Proxy Cache http://www.squid-cache.org/
TYPE: string
DEFAULT: nobody
LOC: Config.effectiveUser
-DOC_NONE
+DOC_START
+ If you start Squid as root, it will change its effective/real
+ UID/GID to the user specified below. The default is to change
+ to UID to nobody. If you define cache_effective_user, but not
+ cache_effective_group, Squid sets the GID to the effective
+ user's default group ID (taken from the password file) and
+ supplementary group list from the from groups membership of
+ cache_effective_user.
+DOC_END
+
NAME: cache_effective_group
TYPE: string
DEFAULT: none
LOC: Config.effectiveGroup
DOC_START
-
- If you start Squid as root, it will change its effective/real
- UID/GID to the UID/GID specified below. The default is to
- change to UID to nobody. If you define cache_effective_user,
- but not cache_effective_group, Squid sets the GID the
- effective user's default group ID (taken from the password
- file).
-
- If Squid is not started as root, the cache_effective_user
- value is ignored and the GID value is unchanged by default.
- However, you can make Squid change its GID to another group
- that the process owner is a member of. Note that if Squid
- is not started as root you cannot set http_port to a
- value lower than 1024.
+ If you want Squid to run with a specific GID regardless of
+ the group memberships of the effective user then set this
+ to the group (or GID) you want Squid to run as. When set
+ all other group privileges of the effective user is ignored
+ and only this GID is effective. If Squid is not started as
+ root the user starting Squid must be member of the specified
+ group.
DOC_END
/*
- * $Id: squid.h,v 1.237 2004/08/30 05:12:31 robertc Exp $
+ * $Id: squid.h,v 1.238 2004/10/20 22:41:05 hno Exp $
*
* AUTHOR: Duane Wessels
*
#include "snprintf.h"
#endif
+#if !HAVE_INITGROUPS
+#include "initgroups.h"
+#endif
+
#ifndef min
template<class A>
/*
- * $Id: tools.cc,v 1.243 2004/08/30 05:12:31 robertc Exp $
+ * $Id: tools.cc,v 1.244 2004/10/20 22:41:05 hno Exp $
*
* DEBUG: section 21 Misc Functions
* AUTHOR: Harvest Derived
{
debug(21, 3) ("leave_suid: PID %d called\n", (int) getpid());
+ if (Config.effectiveGroup) {
+
+#if HAVE_SETGROUPS
+
+ setgroups(1, &Config2.effectiveGroupID);
+
+#endif
+
+ if (setgid(Config2.effectiveGroupID) < 0)
+ debug(50, 0) ("ALERT: setgid: %s\n", xstrerror());
+
+ }
+
if (geteuid() != 0)
return;
if (Config.effectiveUser == NULL)
return;
-#if HAVE_SETGROUPS
-
- setgroups(1, &Config2.effectiveGroupID);
+ debug(21, 3) ("leave_suid: PID %d giving up root, becoming '%s'\n",
+ (int) getpid(), Config.effectiveUser);
-#endif
+ if (!Config.effectiveGroup) {
- if (setgid(Config2.effectiveGroupID) < 0)
- debug(50, 0) ("ALERT: setgid: %s\n", xstrerror());
+ if (setgid(Config2.effectiveGroupID) < 0)
+ debug(50, 0) ("ALERT: setgid: %s\n", xstrerror());
- debug(21, 3) ("leave_suid: PID %d giving up root, becoming '%s'\n",
- (int) getpid(), Config.effectiveUser);
+ if (initgroups(Config.effectiveUser, Config2.effectiveGroupID) < 0) {
+ debug(50, 0) ("ALERT: initgroups: unable to set groups for User %s "
+ "and Group %u", Config.effectiveUser,
+ (unsigned) Config2.effectiveGroupID);
+ }
+ }
#if HAVE_SETRESUID