openstack/swift
Code Issues Proposed changes

Call setgroups() before setuid() and setgid().

Browse Source 
Fixes bug 989569.

This patch ensures that the list of groups is completely reset when dropping
privileges.

Change-Id: I049f75e66e08a4a6361504b013bc68c4c38ef093
This commit is contained in:
Russell Bryant 2012-02-07 14:19:22 -05:00
parent 80a3cb556d
commit e90424e88b
2 changed files with 9 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
swift/common/utils.py
View File

@ -465,6 +465,8 @@ def drop_privileges(user):
:param user: User name to change privileges to
"""
user = pwd.getpwnam(user)
if os.geteuid() == 0:
os.setgroups([])
os.setgid(user[3])
os.setuid(user[2])
try:

9
test/unit/common/test_utils.py
View File

@ -55,7 +55,7 @@ class MockOs():
def pass_func(self, *args, **kwargs):
pass
chdir = setsid = setgid = setuid = umask = pass_func
setgroups = chdir = setsid = setgid = setuid = umask = pass_func
def called_func(self, name, *args, **kwargs):
self.called_funcs[name] = True
@ -67,6 +67,10 @@ class MockOs():
def dup2(self, source, target):
self.closed_fds.append(target)
def geteuid(self):
'''Pretend we are running as root.'''
return 0
def __getattr__(self, name):
# I only over-ride portions of the os module
try:
@ -570,7 +574,8 @@ log_name = %(yarr)s'''
def test_drop_privileges(self):
user = getuser()
# over-ride os with mock
required_func_calls = ('setgid', 'setuid', 'setsid', 'chdir', 'umask')
required_func_calls = ('setgroups', 'setgid', 'setuid', 'setsid',
'chdir', 'umask')
utils.os = MockOs(called_funcs=required_func_calls)
# exercise the code
utils.drop_privileges(user)