Add secondary groups to user during privilege escalation
setgid provides the primary group, setgroups sets the secondary groups. Prior to this patch, we would call setgroups with an empty list, effectively wiping secondary groups. We now verify which secondary groups the user is a member of and escalate the privileges accordingly. Change-Id: I33a10edd448b3ac5aa758a8d1d70e582cf421c7d Closes-Bug: 1269473
parent
8eabb13b8f
commit
c656e18949
@ -17,6 +17,7 @@
|
||||
|
||||
import errno
|
||||
import fcntl
|
||||
import grp
|
||||
import hmac
|
||||
import operator
|
||||
import os
|
||||
@ -1164,9 +1165,10 @@ def drop_privileges(user):
|
||||
|
||||
:param user: User name to change privileges to
|
||||
"""
|
||||
user = pwd.getpwnam(user)
|
||||
if os.geteuid() == 0:
|
||||
os.setgroups([])
|
||||
groups = [g.gr_gid for g in grp.getgrall() if user in g.gr_mem]
|
||||
os.setgroups(groups)
|
||||
user = pwd.getpwnam(user)
|
||||
os.setgid(user[3])
|
||||
os.setuid(user[2])
|
||||
os.environ['HOME'] = user[5]
|
||||
|
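Review bot: The supplementary group list in `drop_privileges` is built by scanning `grp.getgrall()` for `user in g.gr_mem`, which only works when the group database can be enumerated; with a directory-backed NSS source where enumeration is disabled or truncated, the process silently ends up with fewer groups than the account really has. `os.initgroups(user, pwd.getpwnam(user).pw_gid)` asks the C library for the same answer and also includes the primary gid, so I would prefer it wherever the supported Python versions provide it. The name `user` now holds the login name until the `pwd.getpwnam` call and the passwd record afterwards, which is easy to break on the next edit; a separate name such as `pw = pwd.getpwnam(user)` would avoid that. A comment like `# setgroups needs root, so it must run before setgid/setuid` would record why the order matters. The function starts outside the hunk.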
@ -21,6 +21,7 @@ import ctypes
|
||||
import errno
|
||||
import eventlet
|
||||
import eventlet.event
|
||||
import grp
|
||||
import logging
|
||||
import os
|
||||
import random
|
||||
@ -960,6 +961,10 @@ log_name = %(yarr)s'''
|
||||
import pwd
|
||||
self.assertEquals(pwd.getpwnam(user)[5], utils.os.environ['HOME'])
|
||||
|
||||
groups = [g.gr_gid for g in grp.getgrall() if user in g.gr_mem]
|
||||
groups.append(pwd.getpwnam(user).pw_gid)
|
||||
self.assertEquals(set(groups), set(os.getgroups()))
|
||||
|
||||
# reset; test same args, OSError trying to get session leader
|
||||
utils.os = MockOs(called_funcs=required_func_calls,
|
||||
raise_funcs=('setsid',))
|
||||
|
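Review bot: The new assertion compares the account's groups from the group database with `os.getgroups()` of the real test process, not with what `drop_privileges` passed to `setgroups`. If `utils.os` is a `MockOs` at this point, as the reset just below suggests, the call under test never changes the process's groups, so the check passes only when the runner's current groups happen to match the database, and it would not catch a regression back to `setgroups([])`. It can also fail when the tests run under `newgrp`/`sg`, in a container started with extra groups, or on a platform where `getgroups()` omits the effective gid. I would have the mock record the argument and assert on that, e.g. `self.assertEqual(set(expected), set(utils.os.RECORDED_SETGROUPS_ARG))`, where the attribute name is a placeholder for whatever `MockOs` exposes. The test method starts outside the hunk.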