Tue Feb 3 12:51:13 2009 UTC ()
Make ntpd drop supplementary group memberships when dropping privileges
due to a "-u" option.
(There is a bug report on the subject in ntp's bugzilla, listed
as "closed", almost two years old. Don't know what happened. My patch
is not derived from that one because the code changed.)


(drochner)
diff -r1.13 -r1.14 src/dist/ntp/ntpd/ntpd.c


--- src/dist/ntp/ntpd/Attic/ntpd.c 2008/08/23 09:10:31 1.13
+++ src/dist/ntp/ntpd/Attic/ntpd.c 2009/02/03 12:51:13 1.14
@@ -1,14 +1,14 @@ @@ -1,14 +1,14 @@
1/* $NetBSD: ntpd.c,v 1.13 2008/08/23 09:10:31 kardel Exp $ */ 1/* $NetBSD: ntpd.c,v 1.14 2009/02/03 12:51:13 drochner Exp $ */
2 2
3/* 3/*
4 * ntpd.c - main program for the fixed point NTP daemon 4 * ntpd.c - main program for the fixed point NTP daemon
5 */ 5 */
6 6
7#ifdef HAVE_CONFIG_H 7#ifdef HAVE_CONFIG_H
8# include <config.h> 8# include <config.h>
9#endif 9#endif
10 10
11#include "ntp_machine.h" 11#include "ntp_machine.h"
12#include "ntpd.h" 12#include "ntpd.h"
13#include "ntp_io.h" 13#include "ntp_io.h"
14#include "ntp_stdlib.h" 14#include "ntp_stdlib.h"
@@ -160,28 +160,28 @@ volatile int debug = 0; /* No debugging @@ -160,28 +160,28 @@ volatile int debug = 0; /* No debugging
160int listen_to_virtual_ips = 1; 160int listen_to_virtual_ips = 1;
161const char *specific_interface = NULL; /* interface name or IP address to bind to */ 161const char *specific_interface = NULL; /* interface name or IP address to bind to */
162 162
163/* 163/*
164 * No-fork flag. If set, we do not become a background daemon. 164 * No-fork flag. If set, we do not become a background daemon.
165 */ 165 */
166int nofork = 0; /* Fork by default */ 166int nofork = 0; /* Fork by default */
167 167
168#ifdef HAVE_DROPROOT 168#ifdef HAVE_DROPROOT
169int droproot = 0; 169int droproot = 0;
170char *user = NULL; /* User to switch to */ 170char *user = NULL; /* User to switch to */
171char *group = NULL; /* group to switch to */ 171char *group = NULL; /* group to switch to */
172char *chrootdir = NULL; /* directory to chroot to */ 172char *chrootdir = NULL; /* directory to chroot to */
173int sw_uid; 173uid_t sw_uid;
174int sw_gid; 174gid_t sw_gid;
175char *endp;  175char *endp;
176struct group *gr; 176struct group *gr;
177struct passwd *pw;  177struct passwd *pw;
178#endif /* HAVE_DROPROOT */ 178#endif /* HAVE_DROPROOT */
179 179
180/* 180/*
181 * Initializing flag. All async routines watch this and only do their 181 * Initializing flag. All async routines watch this and only do their
182 * thing when it is clear. 182 * thing when it is clear.
183 */ 183 */
184int initializing; 184int initializing;
185 185
186/* 186/*
187 * Version declaration 187 * Version declaration
@@ -913,26 +913,30 @@ getgroup:  @@ -913,26 +913,30 @@ getgroup:
913 if( chroot(chrootdir) ) { 913 if( chroot(chrootdir) ) {
914 msyslog(LOG_ERR, "Cannot chroot() to `%s': %m", chrootdir); 914 msyslog(LOG_ERR, "Cannot chroot() to `%s': %m", chrootdir);
915 exit (-1); 915 exit (-1);
916 } 916 }
917 } 917 }
918 if (group && setgid(sw_gid)) { 918 if (group && setgid(sw_gid)) {
919 msyslog(LOG_ERR, "Cannot setgid() to group `%s': %m", group); 919 msyslog(LOG_ERR, "Cannot setgid() to group `%s': %m", group);
920 exit (-1); 920 exit (-1);
921 } 921 }
922 if (group && setegid(sw_gid)) { 922 if (group && setegid(sw_gid)) {
923 msyslog(LOG_ERR, "Cannot setegid() to group `%s': %m", group); 923 msyslog(LOG_ERR, "Cannot setegid() to group `%s': %m", group);
924 exit (-1); 924 exit (-1);
925 } 925 }
 926 if (group)
 927 setgroups(1, &sw_gid);
 928 else
 929 initgroups(pw->pw_name, pw->pw_gid);
926 if (user && setuid(sw_uid)) { 930 if (user && setuid(sw_uid)) {
927 msyslog(LOG_ERR, "Cannot setuid() to user `%s': %m", user); 931 msyslog(LOG_ERR, "Cannot setuid() to user `%s': %m", user);
928 exit (-1); 932 exit (-1);
929 } 933 }
930 if (user && seteuid(sw_uid)) { 934 if (user && seteuid(sw_uid)) {
931 msyslog(LOG_ERR, "Cannot seteuid() to user `%s': %m", user); 935 msyslog(LOG_ERR, "Cannot seteuid() to user `%s': %m", user);
932 exit (-1); 936 exit (-1);
933 } 937 }
934  938
935#ifndef HAVE_LINUX_CAPABILITIES 939#ifndef HAVE_LINUX_CAPABILITIES
936 /* 940 /*
937 * for now assume that the privilege to bind to privileged ports 941 * for now assume that the privilege to bind to privileged ports
938 * is associated with running with uid 0 - should be refined on 942 * is associated with running with uid 0 - should be refined on