51 lines
1.6 KiB
Diff
51 lines
1.6 KiB
Diff
|
diff -up ./util/Security.c.nprocs ./util/Security.c
|
||
|
|
--- ./util/Security.c.nprocs 2016-01-27 03:07:49.000000000 -0500
|
||
|
|
+++ ./util/Security.c 2016-02-22 20:30:06.153297256 -0500
|
||
|
|
@@ -31,6 +31,7 @@
|
||
|
|
#include <unistd.h>
|
||
|
|
#include <errno.h>
|
||
|
|
#include <stdlib.h>
|
||
|
|
+#include <grp.h>
|
||
|
|
#include <string.h>
|
||
|
|
#include <sys/mman.h>
|
||
|
|
#include <stdio.h>
|
||
|
|
@@ -66,12 +67,17 @@ void Security_setUser(int uid,
|
||
|
|
{
|
||
|
|
int gidErrno = 0;
|
||
|
|
int uidErrno = 0;
|
||
|
|
+ int setGroupErrno = 0;
|
||
|
|
+ pid_t groups[1];
|
||
|
|
if (keepNetAdmin) {
|
||
|
|
Setuid_preSetuid(alloc, eh);
|
||
|
|
}
|
||
|
|
if (gid && setgid(gid)) {
|
||
|
|
gidErrno = errno;
|
||
|
|
}
|
||
|
|
+ if (setgroups(0,groups)) {
|
||
|
|
+ setGroupErrno = errno;
|
||
|
|
+ }
|
||
|
|
if (setuid(uid)) {
|
||
|
|
// errno is global and could get overwritten by Setuid_postSetuid()
|
||
|
|
uidErrno = errno;
|
||
|
|
@@ -85,6 +91,9 @@ void Security_setUser(int uid,
|
||
|
|
if (uid != (int) getuid()) {
|
||
|
|
Except_throw(eh, "Failed to set UID but seemed to succeed");
|
||
|
|
}
|
||
|
|
+ if (setGroupErrno > 0) {
|
||
|
|
+ Except_throw(eh, "Failed to setgroups [%s]", strerror(setGroupErrno));
|
||
|
|
+ }
|
||
|
|
if (gidErrno > 0) {
|
||
|
|
Except_throw(eh, "Failed to set GID [%s]", strerror(gidErrno));
|
||
|
|
}
|
||
|
|
@@ -119,8 +128,8 @@ void Security_nofiles(struct Except* eh)
|
||
|
|
|
||
|
|
void Security_noforks(struct Except* eh)
|
||
|
|
{
|
||
|
|
- if (setrlimit(RLIMIT_NPROC, &(struct rlimit){ 0, 0 })) {
|
||
|
|
- Except_throw(eh, "Failed to set fork limit to 0 [%s]", strerror(errno));
|
||
|
|
+ if (setrlimit(RLIMIT_NPROC, &(struct rlimit){ 1, 1 })) {
|
||
|
|
+ Except_throw(eh, "Failed to set process limit to 1 [%s]", strerror(errno));
|
||
|
|
}
|
||
|
|
}
|
||
|
|
|