svn rev #3312: trunk/ gssftp/ftpd/

ghudson@MIT.EDU ghudson at MIT.EDU
Mon Jul 11 15:10:08 EDT 2011


Commit By: ghudson
Log Message:
Use setgid instead of setegid in ftpd.

Using setgid simplifies portability (allowing us to eliminate the
setegid macros in k5-util.h).  We never need to recover gid 0 so
there's no reason not to do it.

Also fail out at compile time if krb5_setegid() cannot be
productively defined, and fail out at runtime if setgid() or
initgroups() fails (unless ftpd isn't running as root, in which case
initgroups() is allowed to fail).



Changed Files:
U   trunk/gssftp/ftpd/ftpd.c
U   trunk/k5-util.h
Modified: trunk/gssftp/ftpd/ftpd.c
===================================================================
--- trunk/gssftp/ftpd/ftpd.c	2011-07-11 19:06:22 UTC (rev 3311)
+++ trunk/gssftp/ftpd/ftpd.c	2011-07-11 19:10:08 UTC (rev 3312)
@@ -994,8 +994,14 @@
 #endif
 	}
 
-	(void) krb5_setegid((gid_t)pw->pw_gid);
-	(void) initgroups(pw->pw_name, pw->pw_gid);
+	if (setgid((gid_t)pw->pw_gid) < 0) {
+		reply(550, "Can't set gid.");
+		goto bad;
+	}
+	if (geteuid() == 0 && initgroups(pw->pw_name, pw->pw_gid) < 0) {
+		reply(550, "Can't initialize groups.");
+		goto bad;
+	}
 
 	/* open wtmp before chroot */
 	(void) snprintf(ttyline, sizeof(ttyline), "ftp%ld", (long) getpid());
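Review bot: Both new failure branches report only to the client through `reply(550, ...)` and leave no server-side record of why the group drop failed. A failed privilege drop is something an operator needs to see, so each branch should log the errno before `goto bad`, e.g. `syslog(LOG_ERR, "setgid(%ld) failed: %m", (long) pw->pw_gid);` (this assumes ftpd.c already logs through syslog, which the hunk does not show). The `geteuid() == 0 &&` guard also means a non-root ftpd skips initgroups() entirely and keeps whatever supplementary groups it inherited; a one-line comment such as `/* not root: cannot reset supplementary groups, inherited set is kept */` would make that explicit. The enclosing function starts and ends outside the hunk, so the later uid drop and the `bad:` label cannot be checked from here.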

Modified: trunk/k5-util.h
===================================================================
--- trunk/k5-util.h	2011-07-11 19:06:22 UTC (rev 3311)
+++ trunk/k5-util.h	2011-07-11 19:10:08 UTC (rev 3312)
@@ -69,19 +69,8 @@
 #elif defined(HAVE_SETREUID)
 #  define krb5_seteuid(EUID)	setreuid(geteuid(), (uid_t)(EUID))
 #else
-   /* You need to add a case to deal with this operating system.*/
+#  error "You need to add a case to deal with this operating system."
 #  define krb5_seteuid(EUID)	(errno = EPERM, -1)
 #endif
 
-#ifdef HAVE_SETEGID
-#  define krb5_setegid(EGID)	(setegid((gid_t)(EGID)))
-#elif defined(HAVE_SETRESGID)
-#  define krb5_setegid(EGID)	(setresgid(getgid(), (gid_t)(EGID), getegid()))
-#elif defined(HAVE_SETREGID)
-#  define krb5_setegid(EGID)	(setregid(getegid(), (gid_t)(EGID)))
-#else
-   /* You need to add a case to deal with this operating system.*/
-#  define krb5_setegid(EGID)	(errno = EPERM, -1)
 #endif
-
-#endif
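Review bot: The `#  define krb5_seteuid(EUID)	(errno = EPERM, -1)` line kept directly after the new `#error` is dead, because compilation stops at the `#error` and the fallback can never be used. Leaving it in suggests that a runtime EPERM fallback still exists for unsupported platforms, so the `#else` branch should be reduced to the `#  error "You need to add a case to deal with this operating system."` line alone. Note also that the log message describes this compile-time failure in terms of krb5_setegid(), whereas the `#error` sits in the krb5_seteuid() chain; the wording in one of the two places is worth correcting. The `#if` chain begins outside the hunk.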



