clean (set up correctly) additional groups

2011-08-15 21:40:59 +02:00 · 2011-08-15 21:40:59 +02:00 · 94356325d1
parent 2a8f5527b2
commit 94356325d1
2 changed files with 68 additions and 1 deletions
--- a/tcp_wrappers-7.6-initgroups.patch
+++ b/tcp_wrappers-7.6-initgroups.patch
@ -0,0 +1,62 @@
+diff -up tcp_wrappers_7.6/options.c.initgroups tcp_wrappers_7.6/options.c
+--- tcp_wrappers_7.6/options.c.initgroups	2011-08-11 23:10:43.610418714 +0200
+++ tcp_wrappers_7.6/options.c	2011-08-12 05:51:17.748481294 +0200
+@@ -256,8 +256,12 @@ struct request_info *request;
+ 	tcpd_jump("unknown group: \"%s\"", value);
+     endgrent();
+ 
+-    if (dry_run == 0 && setgid(grp->gr_gid))
+-	tcpd_jump("setgid(%s): %m", value);
+    if (dry_run != 0) {
+        if (setgid(grp->gr_gid))
+	   tcpd_jump("setgid(%s): %m", value);
+        if (setgroups(0, NULL))
+	   tcpd_jump("setgroups(%s): %m", value);
+    }
+ }
+ 
+ /* user_option - switch user id */
+@@ -271,15 +275,26 @@ struct request_info *request;
+     struct passwd *pwd;
+     struct passwd *getpwnam();
+     char   *group;
+    int    defaultgroup = 0;
+ 
+     if ((group = split_at(value, '.')) != 0)
+ 	group_option(group, request);
+    else
+	defaultgroup = 1;
+     if ((pwd = getpwnam(value)) == 0)
+ 	tcpd_jump("unknown user: \"%s\"", value);
+     endpwent();
+ 
+-    if (dry_run == 0 && setuid(pwd->pw_uid))
+-	tcpd_jump("setuid(%s): %m", value);
+    if (dry_run != 0) {
+        if (setuid(pwd->pw_uid))
+	    tcpd_jump("setuid(%s): %m", value);
+	if (defaultgroup) {
+            if (setgid(pwd->pw_gid))
+	       tcpd_jump("setgid(%s): %m", value);
+            if (initgroups(value, pwd->pw_gid))
+	       tcpd_jump("initgroups(%s): %m", value);
+	}
+    }
+ }
+ 
+ /* umask_option - set file creation mask */
+diff -up tcp_wrappers_7.6/safe_finger.c.initgroups tcp_wrappers_7.6/safe_finger.c
+--- tcp_wrappers_7.6/safe_finger.c.initgroups	2011-08-12 05:54:06.068606291 +0200
+++ tcp_wrappers_7.6/safe_finger.c	2011-08-12 05:55:34.835483785 +0200
+@@ -66,9 +66,11 @@ char  **argv;
+     if (getuid() == 0 || geteuid() == 0) {
+ 	if ((pwd = getpwnam(UNPRIV_NAME)) && pwd->pw_uid > 0) {
+ 	    setgid(pwd->pw_gid);
+	    initgroups(UNPRIV_NAME, pwd->pw_gid);
+ 	    setuid(pwd->pw_uid);
+ 	} else {
+ 	    setgid(UNPRIV_UGID);
+	    setgroups(0, NULL);
+ 	    setuid(UNPRIV_UGID);
+ 	}
+     }
--- a/tcp_wrappers.spec
+++ b/tcp_wrappers.spec
@ -1,7 +1,7 @@
 Summary: A security tool which acts as a wrapper for TCP daemons
 Name: tcp_wrappers
 Version: 7.6
-Release: 66%{?dist}
+Release: 67%{?dist}

 %define LIB_MAJOR 0
 %define LIB_MINOR 7
@ -38,6 +38,7 @@ Patch23: tcp_wrappers-7.6-inetdconf.patch
 Patch24: tcp_wrappers-7.6-bug698464.patch
 Patch25: tcp_wrappers-7.6-relro.patch
 Patch26: tcp_wrappers-7.6-xgets.patch
+Patch27: tcp_wrappers-7.6-initgroups.patch
 # required by sin_scope_id in ipv6 patch
 BuildRequires: glibc-devel >= 2.2
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@ -98,6 +99,7 @@ develop applications with tcp_wrappers support.
 %patch24 -p1 -b .698464
 %patch25 -p1 -b .relro
 %patch26 -p1 -b .xgets
+%patch27 -p1 -b .initgroups

 %build
 make RPM_OPT_FLAGS="$RPM_OPT_FLAGS -fPIC -DPIC -D_REENTRANT -DHAVE_STRERROR" LDFLAGS="-pie" MAJOR=%{LIB_MAJOR} MINOR=%{LIB_MINOR} REL=%{LIB_REL} linux
@ -155,6 +157,9 @@ rm -rf ${RPM_BUILD_ROOT}
 %{_mandir}/man3/*

 %changelog
+* Mon Aug 15 2011 Jan F. Chadima <jchadima@redhat.com> - 7.6-67
+- clean (set up correctly) additional groups
+
 * Mon Aug 15 2011 Jan F. Chadima <jchadima@redhat.com> - 7.6-66
 - repair possible DOS in xgets