SSPCPP-658 - setuid/setgid fails to remove supplementary groups
author
Scott Cantor
<cantor.2@osu.edu>
Thu, 2 Jul 2015 00:43:27 +0000
(
00:43
+0000)
committer
Scott Cantor
<cantor.2@osu.edu>
Thu, 2 Jul 2015 00:43:27 +0000
(
00:43
+0000)
configure.ac
shibd/shibd.cpp
diff --git
a/configure.ac
b/configure.ac
index
86aade7
..
ea12766
100644
(file)
--- a/
configure.ac
+++ b/
configure.ac
@@
-77,7
+77,7
@@
AC_FUNC_STRFTIME
AC_FUNC_STRERROR_R
AC_CHECK_HEADERS([sys/utsname.h grp.h pwd.h])
AC_CHECK_HEADERS([sys/socket.h], [AC_DEFINE([SHIBSP_HAVE_SYS_SOCKET_H],[1],[Define to 1 if you have the <sys/socket> header file.])], [])
AC_FUNC_STRERROR_R
AC_CHECK_HEADERS([sys/utsname.h grp.h pwd.h])
AC_CHECK_HEADERS([sys/socket.h], [AC_DEFINE([SHIBSP_HAVE_SYS_SOCKET_H],[1],[Define to 1 if you have the <sys/socket> header file.])], [])
-AC_CHECK_FUNCS([strchr strdup strstr timegm gmtime_r localtime_r strtok_r strcasecmp getpwnam getgrnam])
+AC_CHECK_FUNCS([strchr strdup strstr timegm gmtime_r localtime_r strtok_r strcasecmp getpwnam getgrnam
initgroups
])
AC_CHECK_TYPES([struct sockaddr_storage], [], [], [[#include <sys/socket.h>]])
AC_CHECK_MEMBERS([struct sockaddr.sa_len], [], [], [[#include <sys/socket.h>]])
AC_CHECK_TYPES([struct sockaddr_storage], [], [], [[#include <sys/socket.h>]])
AC_CHECK_MEMBERS([struct sockaddr.sa_len], [], [], [[#include <sys/socket.h>]])
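--- a/shibd/shibd.cpp
+++ b/shibd/shibd.cpp
@@ -349,6 +349,13 @@ int main(int argc, char *argv[])
 fprintf(stderr, "getpwnam failed, check -u option\n");
 return -1;
 }
+#ifdef HAVE_INITGROUPS
+ // w/out initgroups/setgroups process retains supplementary groups
+ if (initgroups(pwd->pw_name, pwd->pw_gid) != 0) {
+ fprintf(stderr, "initgroups failed, check -u option\n");
+ return -1;
+ }
+#endif
 if (setuid(pwd->pw_uid) != 0) {
 fprintf(stderr, "setuid failed, check -u option\n");
 return -1;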
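Review bot: When HAVE_INITGROUPS is not defined, the `#ifdef` at the top of the added block compiles the privilege drop with no group cleanup at all, so the daemon silently keeps the supplementary groups it started with after setuid() and nothing is logged; an `#else` branch that reports the degraded state would at least make that visible to an operator, e.g. `#else` / `fprintf(stderr, "warning: initgroups unavailable, supplementary groups retained after setuid\n");` before the existing `#endif`. Placing the call before setuid() is the right order, because initgroups() needs the caller's remaining privilege, and the comment could state that explicitly: `// must run before setuid(): initgroups() requires privilege`. The hunk derives the supplementary set from pwd->pw_gid only; whether the process gid itself is changed (the setgid the commit title refers to) is not visible in this hunk, and the rest of main()'s body lies outside it.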