mirrors/systemd
0
0
Fork 0
mirror of https://github.com/systemd/systemd.git synced 2024-12-12 11:44:13 +08:00
Code Issues Packages Projects Releases Wiki Activity

execute: Detect groups added by PAM and merge them with supplementary groups

Browse Source
This commit is contained in:
Dariusz Gadomski 2020-01-08 16:24:45 +01:00
parent 3bb39ea936
commit afb11bf1b8
1 changed files with 24 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
src/core/execute.c
View File

@ -3018,6 +3018,8 @@ static int exec_child(
size_t n_fds;
ExecDirectoryType dt;
int secure_bits;
_cleanup_free_ gid_t *gids_after_pam = NULL;
int ngids_after_pam = 0;
assert(unit);
assert(command);
@ -3431,6 +3433,12 @@ static int exec_child(
*exit_status = EXIT_PAM;
return log_unit_error_errno(unit, r, "Failed to set up PAM session: %m");
}
ngids_after_pam = getgroups_alloc(&gids_after_pam);
if (ngids_after_pam < 0) {
*exit_status = EXIT_MEMORY;
return log_unit_error_errno(unit, ngids_after_pam, "Failed to obtain groups after setting up PAM: %m");
}
}
}
@ -3510,7 +3518,22 @@ static int exec_child(
* This needs to be done after PrivateDevices=y setup as device nodes should be owned by the host's root.
* For non-root in a userns, devices will be owned by the user/group before the group change, and nobody. */
if (needs_setuid) {
r = enforce_groups(gid, supplementary_gids, ngids);
_cleanup_free_ gid_t *gids_to_enforce = NULL;
int ngids_to_enforce = 0;
ngids_to_enforce = merge_gid_lists(supplementary_gids,
ngids,
gids_after_pam,
ngids_after_pam,
&gids_to_enforce);
if (ngids_to_enforce < 0) {
*exit_status = EXIT_MEMORY;
return log_unit_error_errno(unit,
ngids_to_enforce,
"Failed to merge group lists. Group membership might be incorrect: %m");
}
r = enforce_groups(gid, gids_to_enforce, ngids_to_enforce);
if (r < 0) {
*exit_status = EXIT_GROUP;
return log_unit_error_errno(unit, r, "Changing group credentials failed: %m");