From c656e1894918d774fa841214f2e00af8a4a66b44 Mon Sep 17 00:00:00 2001
From: David Moreau Simard
Date: Mon, 20 Jan 2014 13:30:58 -0500
Subject: [PATCH] Add secondary groups to user during privilege escalation

setgid provides the primary group, setgroups sets the secondary groups. Prior to this patch, we would do a setgroups with an empty list, effectively wiping secondary groups. We now verify which secondary groups the user is member of and escalate the privileges accordingly.

Change-Id: I33a10edd448b3ac5aa758a8d1d70e582cf421c7d
Closes-Bug: 1269473
---
 swift/common/utils.py | 6 ++++--
 test/unit/common/test_utils.py | 5 +++++
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/swift/common/utils.py b/swift/common/utils.py
index fc76be1e6d..de7384ca5b 100644
--- a/swift/common/utils.py
+++ b/swift/common/utils.py
@@ -17,6 +17,7 @@ import errno
 import fcntl
+import grp
 import hmac
 import operator
 import os
@@ -1164,9 +1165,10 @@ def drop_privileges(user):
 :param user: User name to change privileges to
 """
- user = pwd.getpwnam(user)
 if os.geteuid() == 0:
- os.setgroups([])
+ groups = [g.gr_gid for g in grp.getgrall() if user in g.gr_mem]
+ os.setgroups(groups)
+ user = pwd.getpwnam(user)
 os.setgid(user[3])
 os.setuid(user[2])
 os.environ['HOME'] = user[5]
diff --git a/test/unit/common/test_utils.py b/test/unit/common/test_utils.py
index db2c9ba3bb..d84b2e09ae 100644
--- a/test/unit/common/test_utils.py
+++ b/test/unit/common/test_utils.py
@@ -21,6 +21,7 @@ import ctypes
 import errno
 import eventlet
 import eventlet.event
+import grp
 import logging
 import os
 import random
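Review bot: The `grp.getgrall()` scan on the new `groups = [...]` line in drop_privileges enumerates the entire group database to discover memberships, and NSS backends that do not support enumeration (large LDAP/sssd deployments commonly disable it) can make that slow or return a silently incomplete list, so the daemon would end up with fewer supplementary groups than intended with no error raised. The C library already provides this lookup: keep `user = pwd.getpwnam(user)` above the `if` as it was, and replace the two new lines inside it with `os.initgroups(user.pw_name, user.pw_gid)`, which resolves membership through getgrouplist and matches what the accompanying test expects (membership groups plus the primary gid); `os.initgroups` needs Python 2.7, so if 2.6 is still supported the scan may have to stay. Either way the docstring should record the new behaviour, e.g. `Sets the supplementary groups to those *user* belongs to, then drops to its uid/gid; previously supplementary groups were cleared.` The `def drop_privileges` line and anything after `os.environ['HOME']` are outside the hunk.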
@@ -960,6 +961,10 @@ log_name = %(yarr)s'''
 import pwd
 self.assertEquals(pwd.getpwnam(user)[5], utils.os.environ['HOME'])
+ groups = [g.gr_gid for g in grp.getgrall() if user in g.gr_mem]
+ groups.append(pwd.getpwnam(user).pw_gid)
+ self.assertEquals(set(groups), set(os.getgroups()))
+
 # reset; test same args, OSError trying to get session leader
 utils.os = MockOs(called_funcs=required_func_calls, raise_funcs=('setsid',))
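Review bot: The new `self.assertEquals(set(groups), set(os.getgroups()))` compares against the real process's group list, yet `utils.os` is presumably a `MockOs` at this point (the assertion above reads `utils.os.environ` and the context line at the end of the hunk installs one), so the mocked `setgroups` never changes the process and the assertion checks the test runner's environment rather than what drop_privileges did. It is also fragile: POSIX leaves unspecified whether `getgroups()` includes the effective gid that `pw_gid` is appended for, and a runner started under `newgrp`/`sg`, inside a container, or in a CI sandbox may carry a group list that `getgrall()` membership does not predict. Assert on the value the code under test actually passed instead, i.e. have the mock record its `setgroups` argument and compare that with `[g.gr_gid for g in grp.getgrall() if user in g.gr_mem]`, leaving `pw_gid` out because the code sets it through `setgid`. The enclosing test method starts outside the hunk.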