From: David Thompson
Subject: [DMD] [PATCH] service: Change gid before uid when dropping privileges.
Date: Thu, 03 Dec 2015 10:37:55 -0500
Message-ID: <871tb3tuek.fsf@izanagi.i-did-not-set--mail-host-address--so-tickle-me>
List-Id: "Development of GNU Guix and the GNU System distribution."
To: guix-devel@gnu.org

Found this little order of operations issue when trying to button up the Transmission service.

[attachment: 0001-service-Change-gid-before-uid-when-dropping-privileg.patch]

From 552eafe882e3c059525e79c0f222becb9d73eb93 Mon Sep 17 00:00:00 2001
From: David Thompson Date: Thu, 3 Dec 2015 10:09:34 -0500 Subject: [PATCH] service: Change gid before uid when dropping privileges. --- modules/dmd/service.scm | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/modules/dmd/service.scm b/modules/dmd/service.scm index aece069..34826b1 100644 --- a/modules/dmd/service.scm +++ b/modules/dmd/service.scm @@ -614,23 +614,25 @@ false." (catch-system-error (close-fdes i)) (loop (+ i 1))))) - (when user + ;; setgid must be done *before* setuid, otherwise the user will + ;; likely no longer have permissions to setgid. + (when group (catch #t (lambda () - (setuid (passwd:uid (getpw user)))) + (setgid (group:gid (getgr group)))) (lambda (key . args) (format (current-error-port) - "failed to change to user ~s:~%" user) + "failed to change to group ~s:~%" group) (print-exception (current-error-port) #f key args) (primitive-exit 1)))) - (when group + (when user (catch #t (lambda () - (setgid (group:gid (getgr group)))) + (setuid (passwd:uid (getpw user)))) (lambda (key . args) (format (current-error-port) - "failed to change to group ~s:~%" group) + "failed to change to user ~s:~%" user) (print-exception (current-error-port) #f key args) (primitive-exit 1)))) -- 2.5.0 --=-=-= Content-Type: text/plain -- David Thompson GPG Key: 0FF1D807 --=-=-=--
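Review bot: the hunk still leaves the supplementary group list inherited from the daemon: neither the `setgid` branch nor the `setuid` branch clears it, so a child started with `#:group` and `#:user` keeps root's supplementary groups, and the file access they grant, after the drop. Call `setgroups` with an empty list, or `initgroups` for the target user, before the `setuid`, while the process is still privileged enough to do so. A second gap at the same spot: when only `user` is given, the gid is never changed, so the child runs with the daemon's gid; defaulting `group` to the user's primary gid from the passwd entry (`passwd:gid`) would close that. The swap itself is right and the comment explains why; both error paths still `primitive-exit 1`, which is what you want here.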
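The ordering the patch fixes, as an added example in C that is not part of the original message or of dmd's code: it drops privileges gid-first the way the patched Scheme does, adds the supplementary-group clearing and the post-drop verification that the hunk does not do, and keeps the pre-patch uid-first order beside it so the failure can be observed. It assumes Linux/POSIX semantics and uses uid/gid 65534 (the usual `nobody`) as the target; both are assumptions. Each drop runs in a forked child so the calling process keeps its own identity.

```c
/*
 * Added example (not dmd's own code): privilege drop in the order the patch
 * establishes, plus the two steps the hunk does not take (clearing
 * supplementary groups, verifying the drop). Assumes Linux/POSIX; the
 * target uid/gid 65534 in main() is an assumption (the "nobody" account).
 */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returns 0 on success or -errno. Order matters: setgroups() and setgid()
 * need CAP_SETGID, which root loses as soon as setuid() moves every uid
 * (real, effective, saved) to an unprivileged value. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (setgroups(0, NULL) < 0)      /* clear inherited supplementary groups */
        return -errno;
    if (setgid(gid) < 0)             /* gid first: still privileged here */
        return -errno;
    if (setuid(uid) < 0)             /* uid last: sets real, effective, saved */
        return -errno;
    /* Verify the drop happened rather than trusting the return codes alone. */
    if (getgid() != gid || getegid() != gid || getuid() != uid || geteuid() != uid)
        return -EPERM;
    /* A saved uid of 0 would let us come back; make sure we cannot. */
    if (uid != 0 && setuid(0) == 0)
        return -EPERM;
    return 0;
}

/* The pre-patch ordering: setuid first. Once the uid is unprivileged, a
 * setgid() to a gid that is neither the real nor the saved gid fails with
 * EPERM, and setgroups() fails regardless. */
int drop_privileges_wrong_order(uid_t uid, gid_t gid)
{
    if (setuid(uid) < 0)
        return -errno;
    if (setgid(gid) < 0)
        return -errno;
    if (setgroups(0, NULL) < 0)
        return -errno;
    return 0;
}

/* Run fn(uid, gid) in a forked child so the caller keeps its identity.
 * Returns the child's result (0 or -errno), or -ECHILD if the child did
 * not exit normally. errno values fit in the 8-bit exit status. */
int run_in_child(int (*fn)(uid_t, gid_t), uid_t uid, gid_t gid)
{
    pid_t pid = fork();
    if (pid < 0)
        return -errno;
    if (pid == 0) {
        int rc = fn(uid, gid);
        _exit(rc == 0 ? 0 : (-rc & 0xff));   /* exit status carries errno */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -errno;
    if (!WIFEXITED(status))
        return -ECHILD;
    return -WEXITSTATUS(status);
}

int main(void)
{
    uid_t uid = 65534;   /* assumed: the "nobody" account */
    gid_t gid = 65534;
    int right = run_in_child(drop_privileges, uid, gid);
    int wrong = run_in_child(drop_privileges_wrong_order, uid, gid);
    printf("gid-then-uid: %s\nuid-then-gid: %s\n",
           right == 0 ? "dropped and verified" : strerror(-right),
           wrong == 0 ? "dropped" : strerror(-wrong));
    return 0;
}
```

Run it as root to see the gid-then-uid drop succeed and the uid-then-gid drop fail with EPERM at `setgid`; as an unprivileged user both fail at the first privileged call, which is the other property worth keeping from the patch: a failed drop is reported and the child exits, never silently continuing with the wrong identity.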