[nsd-users] nsd-3.2.2 and initgroups ?

Jarno Huuskonen Jarno.Huuskonen at uku.fi
Mon Aug 3 07:07:00 UTC 2009


I originally sent this to nsd-bugs at nlnetlabs.nl on 22.6.2009, but never
received a reply.

-----------------------------------

I was testing nsd-3.2.2 and noticed that when dropping root
privileges nsd doesn't call initgroups (or setgroups).

On a typical Linux distro (I'm testing with CentOS 5.3) this
means that nsd retains extra groups
(with CentOS groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)).

Here's a small patch that I made:
diff -urN nsd-3.2.2.orig/server.c nsd-3.2.2/server.c
--- nsd-3.2.2.orig/server.c     2009-04-03 14:56:43.000000000 +0300
+++ nsd-3.2.2/server.c  2009-06-22 13:11:03.000000000 +0300
@@ -21,6 +21,7 @@
 #include <ctype.h>
 #include <errno.h>
 #include <fcntl.h>
+#include <grp.h>
 #include <stddef.h>
 #include <stdio.h>
 #include <stdlib.h>
@@ -533,7 +534,7 @@
        }
 
        /* Drop the permissions */
-       if (setgid(nsd->gid) != 0 || setuid(nsd->uid) !=0) {
+       if (initgroups(nsd->username, nsd->gid) != 0 || setgid(nsd->gid) != 0 || setuid(nsd->uid) !=0) {
                log_msg(LOG_ERR, "unable to drop user privileges: %s",
                        strerror(errno));
                pid_unlink(nsd->pidfile);
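Review bot: the new condition under `/* Drop the permissions */` runs well past 80 columns; split it so each failing call is readable, e.g. `if (initgroups(nsd->username, nsd->gid) != 0 ||` / `    setgid(nsd->gid) != 0 || setuid(nsd->uid) != 0) {` (which also fixes the pre-existing `!=0` spacing). Two checks are worth adding around it: initgroups() dereferences nsd->username, and the hunk does not show where that field is set, so either guard against NULL or fall back to setgroups(0, NULL) when no username is configured; and initgroups() resolves the group list through NSS (/etc/group), so if server.c has already chroot()ed at this point the lookup fails inside an empty chroot and the daemon takes the error path shown. initgroups() is a BSD extension rather than POSIX, so a configure check (HAVE_INITGROUPS) with the setgroups(0, NULL) fallback would keep the build portable. The ordering itself is right: initgroups() needs root and must precede setgid()/setuid().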


Note: I haven't tested the patch (other than checking that
nsd starts and drops the extra groups).

-Jarno

-- 
Jarno Huuskonen: Jarno.Huuskonen atsign uku.fi
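As an added illustration of the privilege-drop order the patch introduces (example code written for this page, not nsd's and not part of the original mail), the C below looks up the target account with getpwnam(), calls initgroups() before setgid()/setuid(), and then counts leftover supplementary groups via getgroups(); the root group list from the CentOS `id` output above serves as constructed input for the pure counting helper.

```c
#define _DEFAULT_SOURCE          /* glibc: exposes initgroups() in <grp.h> */
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Pure helper: number of entries in `groups` other than `allowed`.
 * After a correct drop to a dedicated account this should be 0. */
int count_leaked_groups(const gid_t *groups, int ngroups, gid_t allowed)
{
    int leaked = 0;
    for (int i = 0; i < ngroups; i++)
        if (groups[i] != allowed)
            leaked++;
    return leaked;
}

/* Drop root to `username`.  Order matters: initgroups() needs root and
 * must run before setgid()/setuid(); it replaces the inherited
 * supplementary list (root's bin, daemon, sys, ...) with the user's own.
 * Returns 0 on success, -1 with errno set on failure. */
int drop_privileges(const char *username)
{
    errno = 0;
    struct passwd *pw = getpwnam(username);
    if (pw == NULL) {
        if (errno == 0) errno = ENOENT;          /* account not found */
        return -1;
    }
    if (initgroups(username, pw->pw_gid) != 0) return -1;
    if (setgid(pw->pw_gid) != 0) return -1;
    if (setuid(pw->pw_uid) != 0) return -1;
    if (setuid(0) == 0) { errno = EPERM; return -1; } /* drop must be irreversible */
    return 0;
}

/* Post-drop check on the live process: the equivalent of reading the
 * groups= field of `id` and counting everything except `expected`. */
int leaked_supplementary_groups(gid_t expected)
{
    int n = getgroups(0, NULL);
    if (n < 0) return -1;
    gid_t *groups = calloc((size_t)n + 1, sizeof *groups);
    if (groups == NULL) return -1;
    n = getgroups(n + 1, groups);
    int leaked = (n < 0) ? -1 : count_leaked_groups(groups, n, expected);
    free(groups);
    return leaked;
}
```

Run as root with a dedicated account to see leaked_supplementary_groups() fall to 0 after drop_privileges(); without the initgroups() call it reports root's inherited groups instead.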


