tjh.dev
nixpkgs mirror (for testing)
github.com/NixOS/nixpkgs
nix
1From 1b5da9c7c5423eed7a567a02e66c244705116724 Mon Sep 17 00:00:00 2001
2From: networkException <git@nwex.de>
3Date: Thu, 30 May 2024 02:07:04 +0200
4Subject: [PATCH] Don't call `setgroups` unconditionally in mainrelay
5
6This patch moves the call to `setgroups` from the beginning of the
7`drop_priviliges` function to branch in which `setuid` is actually
8called. This still fulfills the intention of
9acbf7e15c9290e0891a6b6b5ce6e81bbaa77ce5a, initially introducting
10the call to `setgroups`:
11
12> Fix related to POS36-C and rpmlint error
13> "missing-call-to-setgroups-before-setuid".
14
15As per this intention is is not required to call `setgroups`
16otherwise, reducing the more exotic (as in not part of POSIX and
17considered priviliged by systemd) system calls coturn needs to make
18at startup.
19---
20 src/apps/relay/mainrelay.c | 6 +++++-
21 1 file changed, 5 insertions(+), 1 deletion(-)
22
23diff --git a/src/apps/relay/mainrelay.c b/src/apps/relay/mainrelay.c
24index cf370ec8a..56eaf82d0 100644
25--- a/src/apps/relay/mainrelay.c
26+++ b/src/apps/relay/mainrelay.c
27@@ -2913,7 +2913,6 @@ static void drop_privileges(void) {
28 #if defined(WINDOWS)
29 // TODO: implement it!!!
30 #else
31- setgroups(0, NULL);
32 if (procgroupid_set) {
33 if (getgid() != procgroupid) {
34 if (setgid(procgroupid) != 0) {
35@@ -2929,6 +2928,11 @@ static void drop_privileges(void) {
36
37 if (procuserid_set) {
38 if (procuserid != getuid()) {
39+ if (setgroups(0, NULL) != 0) {
40+ perror("setgroups: Unable drop supplementary groups");
41+ exit(-1);
42+ }
43+
44 if (setuid(procuserid) != 0) {
45 perror("setuid: Unable to change user privileges");
46 exit(-1);