From 4b5ba5014f3c75adf46efe7740bd3c9771b376ae Mon Sep 17 00:00:00 2001 From: Timo Sirainen Date: Wed, 9 Nov 2011 18:20:51 +0200 Subject: [PATCH] restrict_access*(): If setuid() fails with EAGAIN, suggest ulimit -u being the problem. --- src/lib/restrict-access.c | 35 ++++++++++++++++++++++------------- 1 file changed, 22 insertions(+), 13 deletions(-) diff --git a/src/lib/restrict-access.c b/src/lib/restrict-access.c index c362ea4e24..a4ad077db9 100644 --- a/src/lib/restrict-access.c +++ b/src/lib/restrict-access.c @@ -236,6 +236,26 @@ static void fix_groups_list(const struct restrict_access_settings *set, } } +static const char * +get_setuid_error_str(const struct restrict_access_settings *set) +{ + string_t *str = t_str_new(128); + + str_printfa(str, "setuid(%s", get_uid_str(set->uid)); + if (set->uid_source != NULL) + str_printfa(str, " from %s", set->uid_source); + str_printfa(str, ") failed with euid=%s: %m ", + get_uid_str(geteuid())); + if (errno == EAGAIN) { + str_append(str, "(ulimit -u reached)"); + } else { + str_printfa(str, "(This binary should probably be called with " + "process user set to %s instead of %s)", + get_uid_str(set->uid), get_uid_str(geteuid())); + } + return str_c(str); +} + void restrict_access(const struct restrict_access_settings *set, const char *home, bool disallow_root) { @@ -303,19 +323,8 @@ void restrict_access(const struct restrict_access_settings *set, /* uid last */ if (set->uid != (uid_t)-1) { - if (setuid(set->uid) != 0) { - string_t *str = t_str_new(128); - - str_printfa(str, "setuid(%s", get_uid_str(set->uid)); - if (set->uid_source != NULL) - str_printfa(str, " from %s", set->uid_source); - str_printfa(str, ") failed with euid=%s: %m " - "(This binary should probably be called with " - "process user set to %s instead of %s)", - get_uid_str(geteuid()), - get_uid_str(set->uid), get_uid_str(geteuid())); - i_fatal("%s", str_c(str)); - } + if (setuid(set->uid) != 0) + i_fatal("%s", get_setuid_error_str(set)); } /* verify that we actually dropped the privileges */ -- 2.47.3