author | David Lamparter <equinox@opensourcerouting.org> | 2016-11-08 19:42:01 +0100 |
---|---|---|
committer | David Lamparter <equinox@opensourcerouting.org> | 2016-11-09 13:40:37 +0100 |
commit | e227e24231b4a7ef892ccd8ad11c424c6a2d0c43 (patch) | |
tree | fd2d97456b8d1ada5ca6cbb6a574288f3b2c68f0 /lib/privs.c | |
parent | lib: add and use set_cloexec() (diff) | |
lib: privs: always look up VTY group
Even if we're running without user switch, we should still try to honor
the VTY group. This applies both to watchquagga (which always runs as
root) as well as "no-userswitch" configurations for other daemons.
Signed-off-by: David Lamparter <equinox@opensourcerouting.org>
Diffstat (limited to 'lib/privs.c')
-rw-r--r-- | lib/privs.c | 51 |
1 files changed, 28 insertions, 23 deletions
diff --git a/lib/privs.c b/lib/privs.c
index 6cf87c18d..ac2a8454c 100644
--- a/lib/privs.c
+++ b/lib/privs.c
@@ -679,6 +679,15 @@ zprivs_init(struct zebra_privs_t *zprivs)
 exit (1);
 }

+ if (zprivs->vty_group)
+ {
+ /* in a "NULL" setup, this is allowed to fail too, but still try. */
+ if ((grentry = getgrnam (zprivs->vty_group)))
+ zprivs_state.vtygrp = grentry->gr_gid;
+ else
+ zprivs_state.vtygrp = (gid_t)-1;
+ }
+
 /* NULL privs */
 if (! (zprivs->user || zprivs->group
 || zprivs->cap_num_p || zprivs->cap_num_i) )
@@ -731,34 +740,30 @@ zprivs_init(struct zebra_privs_t *zprivs)
 if (zprivs->vty_group)
 /* Add the vty_group to the supplementary groups so it can be chowned to */
 {
- if ( (grentry = getgrnam (zprivs->vty_group)) )
- {
- zprivs_state.vtygrp = grentry->gr_gid;
-
- for ( i = 0; i < ngroups; i++ )
- if ( groups[i] == zprivs_state.vtygrp )
- {
- found++;
- break;
- }
-
- if (!found)
- {
- fprintf (stderr, "privs_init: user(%s) is not part of vty group specified(%s)\n",
- zprivs->user, zprivs->vty_group);
- exit (1);
- }
- if ( i >= ngroups && ngroups < (int) ZEBRA_NUM_OF(groups) )
- {
- groups[i] = zprivs_state.vtygrp;
- }
- }
- else
+ if (zprivs_state.vtygrp == (gid_t)-1)
 {
 fprintf (stderr, "privs_init: could not lookup vty group %s\n",
 zprivs->vty_group);
 exit (1);
 }
+
+ for ( i = 0; i < ngroups; i++ )
+ if ( groups[i] == zprivs_state.vtygrp )
+ {
+ found++;
+ break;
+ }
+
+ if (!found)
+ {
+ fprintf (stderr, "privs_init: user(%s) is not part of vty group specified(%s)\n",
+ zprivs->user, zprivs->vty_group);
+ exit (1);
+ }
+ if ( i >= ngroups && ngroups < (int) ZEBRA_NUM_OF(groups) )
+ {
+ groups[i] = zprivs_state.vtygrp;
+ }
 }

 if (ngroups)
|
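Review bot: When `getgrnam()` fails in the block added by the first hunk, `zprivs_state.vtygrp` is set to `(gid_t)-1` without any message, so in a no-userswitch setup the operator gets no sign that the configured VTY group is not being honored. A warning in the `else` branch would make the degraded state visible, e.g. `fprintf (stderr, "privs_init: could not lookup vty group %s\n", zprivs->vty_group);`. The user-switch path in the second hunk would then report the failure twice before exiting, so the message may fit better on the NULL-privs return path, which lies outside this hunk. The sentinel also deserves a comment where it is assigned, such as `/* (gid_t)-1: vty group not resolved; consumers must not treat it as a real gid */`, because the code that reads `vtygrp` is not visible here and presumably has to special-case it.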
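Review bot: The last test in the moved block of the second hunk, `if ( i >= ngroups && ngroups < (int) ZEBRA_NUM_OF(groups) )`, cannot be true when it is reached: `if (!found)` has already exited, and `found` is only incremented on the `break` path where `i < ngroups`. The code therefore only verifies that the user is already a member of the VTY group and never appends it, while the context comment still reads "Add the vty_group to the supplementary groups so it can be chowned to". I would drop the dead branch and reword the comment to match the enforced behaviour, e.g. `/* the user must already be a member of the vty group */`. `found`, `groups` and `ngroups` are set up outside the hunk, so this assumes `found` starts at zero.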