[Spread-users] setuid/chroot doesn't work in Mac OS X
Mike Laster
mike at marketocracy.com
Thu Sep 26 18:02:04 EDT 2002
The default implementation doesn't seem to properly setuid/chroot under
OS X.
I found that this fix works:
*** spread.c 2002/08/07 15:56:43 1.1
--- spread.c 2002/09/26 21:57:36
***************
*** 167,173 ****
|| (pwd = getpwnam(SP_USER)) == NULL
|| chdir(SP_RUNTIME_DIR) < 0
|| chroot(SP_RUNTIME_DIR) < 0
! || setgroups(0, 0) < 0
|| setgid(grp->gr_gid) < 0
|| setuid(pwd->pw_uid) < 0)
{
--- 167,173 ----
|| (pwd = getpwnam(SP_USER)) == NULL
|| chdir(SP_RUNTIME_DIR) < 0
|| chroot(SP_RUNTIME_DIR) < 0
! || setgroups(1, &grp->gr_gid) < 0
|| setgid(grp->gr_gid) < 0
|| setuid(pwd->pw_uid) < 0)
{
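Review bot: the changed line `|| setgroups(1, &grp->gr_gid) < 0` replaces the empty supplementary list on every platform, not only where `setgroups(0, 0)` is rejected, and the hunk carries no comment saying why. The one-element list holds the same gid that `setgid(grp->gr_gid)` sets on the next line, so the process keeps no group beyond its primary one, but a comment recording the errno 22 failure on OS X would keep a later cleanup from reverting it. Consider trying the empty list first and falling back to the one-element form only when errno is EINVAL, so platforms that accept an empty list still get one. The order shown (chroot, then setgroups, setgid, and setuid last) is correct; the visible lines do not show any check that the drop took effect, so a getgroups()/getgid()/getuid() comparison after this block would be worth adding.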
Apparently the BSD flavor of setgroups doesn't like (0,0) parameters;
it dies with an errno 22 (invalid argument), but if I switch it to
setgroups(1, &grp->gr_gid), it is happy.
This should be just as secure. I have mine configured to run as
nobody/nobody, so this setgroups() should set the group membership to
the 'nobody' group. Are there any potential security holes in this
patch that I'm not seeing?