author | Martin Winter <mwinter@opensourcerouting.org> | 2017-01-20 20:48:45 +0100 |
---|---|---|
committer | Martin Winter <mwinter@opensourcerouting.org> | 2017-01-25 18:45:05 +0100 |
commit | 38657f2ebd65fce3cfcba3ff4d29b29056af2df1 (patch) | |
tree | 2fbb6588bab2ec9ec3c513236beb409a3174e5e5 /lib/privs.c | |
parent | vtysh: Add --config_dir option to override compiled in location for vtysh.con... (diff) | |
lib: Don't change uid/gid if we are already the correct uid/gid
Signed-off-by: Martin Winter <mwinter@opensourcerouting.org>
Diffstat (limited to 'lib/privs.c')
-rw-r--r-- | lib/privs.c | 21 |
1 files changed, 14 insertions, 7 deletions
diff --git a/lib/privs.c b/lib/privs.c
index ac2a8454c..376d6f336 100644
--- a/lib/privs.c
+++ b/lib/privs.c
@@ -251,7 +251,8 @@ zprivs_caps_init (struct zebra_privs_t *zprivs)
 }
 /* we have caps, we have no need to ever change back the original user */
- if (zprivs_state.zuid)
+ /* only change uid if we don't have the correct one */
+ if ((zprivs_state.zuid) && (zprivs_state.zsuid != zprivs_state.zuid))
 {
 if ( setreuid (zprivs_state.zuid, zprivs_state.zuid) )
 {
@@ -531,7 +532,8 @@ zprivs_caps_init (struct zebra_privs_t *zprivs)
 /* we have caps, we have no need to ever change back the original user
 * change real, effective and saved to the specified user. */
- if (zprivs_state.zuid)
+ /* only change uid if we don't have the correct one */
+ if ((zprivs_state.zuid) && (zprivs_state.zsuid != zprivs_state.zuid))
 {
 if ( setreuid (zprivs_state.zuid, zprivs_state.zuid) )
 {
@@ -602,7 +604,8 @@ zprivs_caps_terminate (void)
 int
 zprivs_change_uid (zebra_privs_ops_t op)
 {
-
+ if (zprivs_state.zsuid == zprivs_state.zuid)
+ return 0;
 if (op == ZPRIVS_RAISE)
 return seteuid (zprivs_state.zsuid);
 else if (op == ZPRIVS_LOWER)
@@ -766,7 +769,8 @@ zprivs_init(struct zebra_privs_t *zprivs)
 }
 }
- if (ngroups)
+ /* add groups only if we changed uid - otherwise skip */
+ if ((ngroups) && (zprivs_state.zsuid != zprivs_state.zuid))
 {
 if ( setgroups (ngroups, groups) )
 {
@@ -776,7 +780,8 @@ zprivs_init(struct zebra_privs_t *zprivs)
 }
 }
- if (zprivs_state.zgid)
+ /* change gid only if we changed uid - otherwise skip */
+ if ((zprivs_state.zgid) && (zprivs_state.zsuid != zprivs_state.zuid))
 {
 /* change group now, forever. uid we do later */
 if ( setregid (zprivs_state.zgid, zprivs_state.zgid) )
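Review bot: The new guard in the `@@ -251` hunk skips `setreuid (zprivs_state.zuid, zprivs_state.zuid)` based on `zprivs_state.zsuid` alone, and the only assignment of that field visible in this patch is `zprivs_state.zsuid = geteuid();` in the `@@ -797` hunk, so it reflects the effective uid only. A process whose effective uid already equals zuid can still have a different real or saved uid, and skipping the call leaves those in place even though the comment above says there is no need to ever change back to the original user. I would skip only when every id already matches, e.g. `if (zprivs_state.zuid && (getuid () != zprivs_state.zuid || geteuid () != zprivs_state.zuid))`, and also check the saved id with getresuid() where it is available. The same condition is added in the `@@ -531` and `@@ -824` hunks. Whether zsuid is assigned at all before zprivs_caps_init runs is not visible here and should be confirmed; the function bodies continue outside the hunks.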
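Review bot: In the `@@ -602` hunk the early `return 0;` in zprivs_change_uid sits ahead of the `op` checks, so when the two uids are equal every value of `op` reports success, including one that is neither ZPRIVS_RAISE nor ZPRIVS_LOWER. The tail of the if/else chain is outside the hunk, so what an unknown op returned before is not visible; if it was an error, keep that by testing `op` first or by moving the equality test into the two branches. The shortcut also deserves a comment, for example `/* already running as the target uid: raise/lower is a no-op */`.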
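Review bot: The setgroups and setregid guards in the `@@ -766` and `@@ -776` hunks read `zprivs_state.zsuid`, but the only assignment shown in this patch, `zprivs_state.zsuid = geteuid();`, is in the `@@ -797` hunk, further down the same function. Unless zsuid is set earlier outside the visible lines, the comparison runs against a value that has not been captured yet, so the skip will not behave as the new comments describe. Separately, equal uids say nothing about groups: a process started as the target user with a different primary gid or extra supplementary groups would keep them. Consider capturing the euid before this block and gating the gid change on the gid itself, `if ((zprivs_state.zgid) && (getegid () != zprivs_state.zgid))`, and logging when the group setup is skipped so the retained groups are visible to the operator.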
@@ -797,7 +802,8 @@ zprivs_init(struct zebra_privs_t *zprivs)
 * This is not worth that much security wise, but all we can do. */
 zprivs_state.zsuid = geteuid();
- if ( zprivs_state.zuid )
+ /* only change uid if we don't have the correct one */
+ if (( zprivs_state.zuid ) && (zprivs_state.zsuid != zprivs_state.zuid))
 {
 if ( setreuid (-1, zprivs_state.zuid) )
 {
@@ -824,7 +830,8 @@ zprivs_terminate (struct zebra_privs_t *zprivs)
 #ifdef HAVE_CAPABILITIES
 zprivs_caps_terminate();
 #else /* !HAVE_CAPABILITIES */
- if (zprivs_state.zuid)
+ /* only change uid if we don't have the correct one */
+ if ((zprivs_state.zuid) && (zprivs_state.zsuid != zprivs_state.zuid))
 {
 if ( setreuid (zprivs_state.zuid, zprivs_state.zuid) )
 { |