Browse Source

[security] ensure gid != 0 if server.username set (fixes #2725)

server.username can not be root or 0.
server.groupname can not be root or 0.

If server.username is set, previous behavior might retain gid 0
if server.groupname was not set.

New behavior calls setgid() on server.username primary gid, and
then initgroups on server.username if server.username is set but
server.groupname is not set.

x-ref:
  "server.groupname not required with server.username"
  https://redmine.lighttpd.net/issues/2725
personal/stbuehler/mod-csrf-old
Glenn Strauss 5 years ago
parent
commit
558bfc4e1e
  1. 19
      src/server.c

19
src/server.c

@ -1020,6 +1020,14 @@ int main (int argc, char **argv) {
#ifdef HAVE_PWD_H
/* set user and group */
if (!buffer_string_is_empty(srv->srvconf.groupname)) {
if (NULL == (grp = getgrnam(srv->srvconf.groupname->ptr))) {
log_error_write(srv, __FILE__, __LINE__, "sb",
"can't find groupname", srv->srvconf.groupname);
return -1;
}
}
if (!buffer_string_is_empty(srv->srvconf.username)) {
if (NULL == (pwd = getpwnam(srv->srvconf.username->ptr))) {
log_error_write(srv, __FILE__, __LINE__, "sb",
@ -1032,14 +1040,15 @@ int main (int argc, char **argv) {
"I will not set uid to 0\n");
return -1;
}
}
if (!buffer_string_is_empty(srv->srvconf.groupname)) {
if (NULL == (grp = getgrnam(srv->srvconf.groupname->ptr))) {
log_error_write(srv, __FILE__, __LINE__, "sb",
"can't find groupname", srv->srvconf.groupname);
if (NULL == grp && NULL == (grp = getgrgid(pwd->pw_gid))) {
log_error_write(srv, __FILE__, __LINE__, "sd",
"can't find group id", pwd->pw_gid);
return -1;
}
}
if (NULL != grp) {
if (grp->gr_gid == 0) {
log_error_write(srv, __FILE__, __LINE__, "s",
"I will not set gid to 0\n");

Loading…
Cancel
Save