From 4df0316c5b609a2a609d9c6a6cd539ded33351d6 Mon Sep 17 00:00:00 2001
From: alex
Date: Wed, 28 Nov 2007 15:11:51 +0000
Subject: - [ZBX-189] fixed super-user permissions of user commands (Alexei) [svn merge -r5109:5113 svn://svn.zabbix.com/branches/1.4]
git-svn-id: svn://svn.zabbix.com/trunk@5114 97f52cf1-0a1b-0410-bd0e-c28be96e8082
---
 ChangeLog | 1 +
 configure.in | 17 ++++++++++++++++-
 include/sysinc.h | 4 ++++
 src/libs/zbxnix/daemon.c | 28 ++++++++++++++++++++++++----
 4 files changed, 45 insertions(+), 5 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 62989d34..6a4fab8b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -31,6 +31,7 @@ Changes for 1.5:
 Changes for 1.4.3:
+ - [ZBX-189] fixed super-user permissions of user commands (Alexei)
 - [ZBX-183] fixed compilation problem with undefined res_query() (Alexei)
 - [ZBX-34] fixed transaction related conflict in DBget_maxid (Sasha)
 - [ZBX-181] fixed Activate/Disable items from applications (Artem)
diff --git a/configure.in b/configure.in
index 975af179..d0fba507 100644
--- a/configure.in
+++ b/configure.in
@@ -50,7 +50,7 @@ AC_CHECK_HEADERS(stdio.h stdlib.h string.h unistd.h netdb.h signal.h \
 nlist.h net/if.h kvm.h linux/kernel.h ldap.h getopt.h procinfo.h sys/dk.h \
 sys/resource.h pthread.h windows.h process.h conio.h sys/wait.h regex.h \
 stdarg.h winsock2.h pdh.h psapi.h sys/sem.h sys/ipc.h sys/shm.h Winldap.h \
- sys/timeb.h Winber.h lber.h ws2tcpip.h inttypes.h sys/file.h)
+ sys/timeb.h Winber.h lber.h ws2tcpip.h inttypes.h sys/file.h grp.h)
 dnl Checks for typedefs, structures, and compiler characteristics.
 AC_C_CONST
@@ -430,6 +430,21 @@ AC_DEFINE(HAVE_FUNCTION_SYSCTL_KERN_MAXPROC,1,[Define to 1 if 'KERN_MAXPROC' exi
 AC_MSG_RESULT(yes),
 AC_MSG_RESULT(no))
+dnl Check for function initgroups()
+AC_MSG_CHECKING(for function initgroups())
+AC_TRY_LINK(
+[
+ #include
+ #include
+],
+[
+ char *user="zabbix";
+ initgroups(user, 0);
+],
+AC_DEFINE(HAVE_FUNCTION_INITGROUPS,1,[Define to 1 if function 'initgroups' exists.])
+AC_MSG_RESULT(yes),
+AC_MSG_RESULT(no))
+
 dnl Check for function seteuid()
 AC_MSG_CHECKING(for function seteuid())
 AC_TRY_LINK(
diff --git a/include/sysinc.h b/include/sysinc.h
index 34211823..72ab0964 100644
--- a/include/sysinc.h
+++ b/include/sysinc.h
@@ -73,6 +73,10 @@
 # include
 #endif
+#ifdef HAVE_GRP_H
+# include
+#endif
+
 #ifdef HAVE_SYS_TYPES_H
 # include
 #endif
diff --git a/src/libs/zbxnix/daemon.c b/src/libs/zbxnix/daemon.c
index f6a94ec0..41990b5a 100644
--- a/src/libs/zbxnix/daemon.c
+++ b/src/libs/zbxnix/daemon.c
@@ -90,20 +90,40 @@ int daemon_start(int allow_root)
 pid_t pid;
 struct passwd *pwd;
 struct sigaction phan;
+ char user[7] = "zabbix";
 /* running as root ?*/
 if((0 == allow_root) && (0 == getuid() || 0 == getgid()))
 {
- pwd = getpwnam("zabbix");
+ pwd = getpwnam(user);
 if (NULL == pwd)
 {
- zbx_error("User zabbix does not exist.");
+ zbx_error("User %s does not exist.",
+ user);
 zbx_error("Cannot run as root !");
 exit(FAIL);
 }
- if( (setgid(pwd->pw_gid) ==-1) || (setuid(pwd->pw_uid) == -1) )
+ if(setgid(pwd->pw_gid) ==-1)
 {
- zbx_error("Cannot setgid or setuid to zabbix [%s].", strerror(errno));
+ zbx_error("Cannot setgid to %s [%s].",
+ user,
+ strerror(errno));
+ exit(FAIL);
+ }
+#ifdef HAVE_FUNCTION_SETEUID
+ if(initgroups(user, pwd->pw_gid) == -1)
+ {
+ zbx_error("Cannot initgroups to %s [%s].",
+ user,
+ strerror(errno));
+ exit(FAIL);
+ }
+#endif /* HAVE_FUNCTION_INITGROUPS */
+ if(setuid(pwd->pw_uid) == -1)
+ {
+ zbx_error("Cannot setuid to %s [%s].",
+ user,
+ strerror(errno));
 exit(FAIL);
 }
-- cgit
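Review bot: In the daemon.c hunk the new initgroups() call is guarded by `#ifdef HAVE_FUNCTION_SETEUID`, while the closing comment and the configure.in probe added in this same commit both name `HAVE_FUNCTION_INITGROUPS`; the guard should read `#ifdef HAVE_FUNCTION_INITGROUPS`. As written, a platform that has initgroups() but not seteuid() skips the call, so the daemon keeps root's supplementary groups after setuid(), which appears to be the very condition this commit sets out to fix. A platform with seteuid() but no initgroups() would fail to build. Where initgroups() is genuinely unavailable the privilege drop proceeds silently with the inherited group list; logging that case, or refusing to start, would make the residual privilege visible to the operator. The setgid → initgroups → setuid order is correct and should be kept; daemon_start()'s body continues outside the hunk.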