From: Wouter Wijngaards
Date: Thu, 5 Apr 2012 09:30:04 +0000 (+0000)
Subject: - fix bug #444: setusercontext was called too late (thanks Bjorn
X-Git-Tag: release-1.4.17rc1~16
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=279f4096363468c9004febaa3b13dea1c2f846eb;p=thirdparty%2Funbound.git
- fix bug #444: setusercontext was called too late (thanks Bjorn Ketelaars).
git-svn-id: file:///svn/unbound/trunk@2657 be551aaa-1e26-0410-a405-d3ace91eadb9
---
diff --git a/daemon/unbound.c b/daemon/unbound.c
index 685277d5d..6d87a4f6d 100644
--- a/daemon/unbound.c
+++ b/daemon/unbound.c
@@ -502,6 +502,21 @@ perform_setup(struct daemon* daemon, struct config_file* cfg, int debug_mode,
 (void)daemon;
 #endif
+ /* Set user context */
+#ifdef HAVE_GETPWNAM
+ if(cfg->username && cfg->username[0]) {
+#ifdef HAVE_SETUSERCONTEXT
+ /* setusercontext does initgroups, setuid, setgid, and
+ * also resource limits from login config, but we
+ * still call setresuid, setresgid to be sure to set all uid*/
+ if(setusercontext(NULL, pwd, uid,
+ LOGIN_SETALL & ~LOGIN_SETUSER & ~LOGIN_SETGROUP) != 0)
+ log_warn("unable to setusercontext %s: %s",
+ cfg->username, strerror(errno));
+#endif /* HAVE_SETUSERCONTEXT */
+ }
+#endif /* HAVE_GETPWNAM */
+
 /* box into the chroot */
 #ifdef HAVE_CHROOT
 if(cfg->chrootdir && cfg->chrootdir[0]) {
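Review bot: The comment carried into the new `HAVE_SETUSERCONTEXT` block no longer matches the call beneath it: with `LOGIN_SETUSER` and `LOGIN_SETGROUP` masked out of `LOGIN_SETALL`, setusercontext() is not being asked to do initgroups, setuid or setgid here, so someone auditing the privilege drop could wrongly conclude that ids and groups are already set before the chroot. I would reword it along the lines of `/* apply login-class settings (resource limits etc.) before chroot; uid, gid and groups are dropped later by initgroups, setresgid, setresuid */`. A failure is still only reported through `log_warn`, so the daemon keeps running without those settings; if that is intentional, the comment is the place to say so. `pwd` and `uid` are assigned outside this hunk, and perform_setup() starts and ends outside it.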
@@ -554,20 +569,11 @@ perform_setup(struct daemon* daemon, struct config_file* cfg, int debug_mode,
 /* drop permissions after chroot, getpwnam, pidfile, syslog done*/
 #ifdef HAVE_GETPWNAM
 if(cfg->username && cfg->username[0]) {
-#ifdef HAVE_SETUSERCONTEXT
- /* setusercontext does initgroups, setuid, setgid, and
- * also resource limits from login config, but we
- * still call setresuid, setresgid to be sure to set all uid*/
- if(setusercontext(NULL, pwd, uid, LOGIN_SETALL) != 0)
- log_warn("unable to setusercontext %s: %s",
- cfg->username, strerror(errno));
-#else /* !HAVE_SETUSERCONTEXT */
 # ifdef HAVE_INITGROUPS
 if(initgroups(cfg->username, gid) != 0)
 log_warn("unable to initgroups %s: %s",
 cfg->username, strerror(errno));
 # endif /* HAVE_INITGROUPS */
-#endif /* HAVE_SETUSERCONTEXT */
 endpwent();
 #ifdef HAVE_SETRESGID
diff --git a/doc/Changelog b/doc/Changelog
index 6ef467f45..56798cca4 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,5 +1,7 @@
 5 April 2012: Wouter
 - fix bug #443: --with-chroot-dir not honoured by configure.
+ - fix bug #444: setusercontext was called too late (thanks Bjorn
+ Ketelaars).
 27 March 2012: Wouter
 - fix bug #442: Fix that Makefile depends on pythonmod headers
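Review bot: With the `#else` removed, the `initgroups()` call in the drop-permissions block becomes the only place that replaces the supplementary group list on platforms that have setusercontext(), yet its failure is still only logged with `log_warn` before execution continues to `endpwent()` and the setresgid/setresuid code below the hunk. If initgroups() fails, the process would presumably keep the supplementary groups it was started with while running under the unprivileged uid. I would make that path fatal, e.g. `fatal_exit("unable to initgroups %s: %s", cfg->username, strerror(errno));`, and note that a build with HAVE_SETUSERCONTEXT but without HAVE_INITGROUPS now has nothing that resets the groups. The enclosing function starts and ends outside the hunk.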