I think there is a mistake here, fn set_initgroups #208
Comments
I believe that entire file was written by angelo, so I am not too well versed in it. If you can send a PR comparing the diffs, that would be helpful.
```rust
use nix::unistd::{Gid, Uid};
use std::ffi::CString;
use std::process::exit;

// `Result` is the poster's one-parameter alias; its definition is not shown.
pub fn drop_privs1(gi: Gid, ui: Uid) -> Result<()> {
    log::trace!("groups, {:?}", nix::unistd::getgroups()?);
    log::trace!("GID to {gi}");
    nix::unistd::setresgid(gi, gi, gi)?;
    let user = nix::unistd::User::from_uid(ui).unwrap().unwrap();
    // Reset the supplementary groups while still privileged, before the UID drop.
    set_initgroups(&user, gi.as_raw());
    log::trace!("UID to {ui}");
    nix::unistd::setresuid(ui, ui, ui)?;
    log::info!("dropped privs to resuid={ui} resgid={gi}");
    Ok(())
}

fn set_initgroups(user: &nix::unistd::User, gid: u32) {
    let gid = Gid::from_raw(gid);
    // The group lookup is keyed on the login name (`user.name`).
    let s = user.name.clone();
    let c_str = CString::new(s).unwrap();
    match nix::unistd::initgroups(&c_str, gid) {
        std::result::Result::Ok(_) => log::debug!("Setting initgroups..."),
        Err(e) => {
            log::error!("Failed to set init groups: {:#?}", e);
            exit(1);
        }
    }
}
```

This is the code I use in my small tool. I don't really know much about the syscalls, but I repeatedly experimented. That code always changes the grouplist to the 'default one' for the user regardless of what it was before. The code in swhkd gives me a grouplist with only one gid.
https://github.com/waycrate/swhkd/blob/8377aaf92a3516c1e12741b0436346989681e0b6/swhkd/src/perms.rs#LL23C1-L23C54
The effect of using `gecos` is the same as using any random string, as I tested, which gives only one group, clearing that list. I use username and it works then, which restores the actual groups I got when logging in.
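
Why a gecos string collapses the list to one group, as an added example that is not part of the issue or of swhkd's code: it models the `getgrouplist(3)` lookup that `initgroups` performs, assuming a files-backed group database. `GROUP_DB`, the account names and the function names are constructed for illustration.

```rust
// Constructed sample data in /etc/group format: name:passwd:gid:members
const GROUP_DB: &str = "\
root:x:0:
wheel:x:10:alice
input:x:104:alice,bob
video:x:44:bob
alice:x:1000:
";

/// Group list for `name`: the base gid, plus every group whose member
/// field (4th column) lists `name` exactly. A key that matches no member
/// entry therefore yields the base gid alone.
fn group_list(db: &str, name: &str, base_gid: u32) -> Vec<u32> {
    let mut gids = vec![base_gid];
    for line in db.lines() {
        let fields: Vec<&str> = line.split(':').collect();
        if fields.len() != 4 {
            continue; // skip malformed entries
        }
        let gid: u32 = match fields[2].parse() {
            Ok(g) => g,
            Err(_) => continue,
        };
        let is_member = fields[3].split(',').any(|m| !m.is_empty() && m == name);
        if is_member && !gids.contains(&gid) {
            gids.push(gid);
        }
    }
    gids
}

/// True when the key handed to the lookup resolves to a different group
/// list than the account's login name would (hypothetical check helper).
fn lookup_key_mismatch(db: &str, key: &str, login: &str, base_gid: u32) -> bool {
    group_list(db, key, base_gid) != group_list(db, login, base_gid)
}

fn main() {
    let login = "alice"; // constructed login name
    let gecos = "Alice Example"; // constructed gecos (full name) field
    println!("by login name: {:?}", group_list(GROUP_DB, login, 1000));
    println!("by gecos:      {:?}", group_list(GROUP_DB, gecos, 1000));
    println!("mismatch:      {}", lookup_key_mismatch(GROUP_DB, gecos, login, 1000));
}
```

On a real system the same comparison can be made by logging `getgroups()` after the drop and comparing it with `id -G <user>`.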