diff options
author | Michael Stone <michael@laptop.org> | 2009-04-12 08:27:43 (GMT) |
---|---|---|
committer | Michael Stone <michael@laptop.org> | 2009-04-12 08:27:43 (GMT) |
commit | 4cb3c824c551be9d6379d851a7090ec2e8ebd673 (patch) | |
tree | 1dbeceb8e819998a04849410c95ff493a7affbd8 /rainbow | |
parent | bf8af14d62c53e0307bd08e7023ddc9a7bb67ce7 (diff) |
Correctly add auxiliary groups.
Also ensure that owning uids are members of data groups that they join.
Diffstat (limited to 'rainbow')
-rw-r--r-- | rainbow/rainbow/inject.py | 16 |
1 files changed, 10 insertions, 6 deletions
diff --git a/rainbow/rainbow/inject.py b/rainbow/rainbow/inject.py index a8812f3..0b01f3b 100644 --- a/rainbow/rainbow/inject.py +++ b/rainbow/rainbow/inject.py @@ -60,6 +60,7 @@ def reserve_group(log, spool, owner_uid, uid, group): # Only join groups that we own. assert readlink(owner_path) == str(owner_uid) open(join(map_dir, str(uid)), 'w').close() + open(join(map_dir, str(getpwuid(owner_uid).pw_name)), 'w').close() return gid def grab_home(_, spool, uid, __, owner_gid): @@ -200,23 +201,26 @@ def check_home(uid, gid, home): ck = Checker(home, uid, gid) assert ck.positive(R_OK | W_OK | X_OK, S_IFDIR) -def maybe_add_gid(owner_uid, gid): +def maybe_add_gid(log, owner_uid, gid): # rainbow should only let you drop privilege. - return getpwuid(owner_uid).pw_name in getgrgid(gid).gr_mem + owner = getpwuid(owner_uid).pw_name + members = getgrgid(gid).gr_mem + log(1, "maybe_add_gid owner: %s members: %s result: %s", owner, members, owner in members) + return owner in members def configure_groups(log, owner_uid, groups, gid, data_group_to_gid, pset): groups.insert(0, gid) for _, data_gid in data_group_to_gid: - if maybe_add_gid(owner_uid, data_gid): - groups.insert(data_gid) + if maybe_add_gid(log, owner_uid, data_gid): + groups.insert(0, data_gid) for cap in ("audio", "video", "serial"): try: if pset.has_permission(cap): cap_gid = getgrnam(cap).gr_gid - if maybe_add_gid(owner_uid, cap_gid): - groups.insert(cap_gid) + if maybe_add_gid(log, owner_uid, cap_gid): + groups.insert(0, cap_gid) except Exception, e: log(1, "Skipping permission (%s) because of (%s).", cap, e) return list(set(groups)) |