Fix FreeBSD credentials #40

Open
berekuk opened this issue Jun 19, 2012 · 5 comments
Owner

berekuk commented Jun 19, 2012

Ubic::Credentials::POSIX doesn't work on FreeBSD. It has something to do with the order of setting effective and real uid (and also gids).

I tried to fix it in 1.39, but it turned out perl activates the tainted mode in this case, so since the 1.43 release we're back at "works on linux and broken on freebsd".
It works fine on MacOSX, though.


citrin commented Nov 2, 2012

Why not use POSIX::setuid() to set effective and real uids in one call? It should work on most POSIX systems.

Owner Author

berekuk commented Nov 2, 2012

This might work, thanks, I didn't know about it.
As far as I remember, the issue is also about the order of real/effective group assignments. I see that there is POSIX::setgid, but it doesn't support complementary groups.


citrin commented Nov 8, 2012

Yes, it is not easy to set complementary groups, because there is no getgrent in the POSIX module.

But setting complementary groups is a non-obvious and in most cases not expected feature.

If the config contains:
user = foo
group = bar
It is not obvious (yet documented), that complementary groups for user foo will be used.

If complementary groups are explicitly set in the config, it is possible to set credentials under FreeBSD with code like this:

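```perl
use strict;
use warnings;
use POSIX;    # exports setgid() and setuid()

my $user = 'citrin';
my @groups = qw(citrin quagga);

# The first configured group becomes the primary gid
my $gid = (getgrnam $groups[0])[2];
# Numeric gids of all configured groups, space-separated
my $groups = join ' ', map { (getgrnam $_)[2] } @groups;

# Effective gid followed by the supplementary group list
$) = $gid.' '.$groups;

# Set the gid before the uid
setgid($gid) or die $!;

# Set the uid last: real and effective uid change in one call
setuid( (getpwnam($user))[2] ) or die $!;
```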
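
The same order (supplementary groups, then gid, then uid) with a check that the drop took effect and cannot be reversed, as an added example that is not part of the thread or of Ubic's code. `drop_privileges` is a hypothetical helper; the script is assumed to start as root and takes the user and group names from the command line.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use POSIX ();

# Hypothetical helper (not Ubic code): drop from root to $user with an
# explicit group list, then verify that the drop cannot be undone.
sub drop_privileges {
    my ($user, @group_names) = @_;
    die "at least one group is required\n" unless @group_names;

    my @pw = getpwnam($user) or die "unknown user '$user'\n";
    my $uid = $pw[2];
    my @gids = map {
        my @gr = getgrnam($_) or die "unknown group '$_'\n";
        $gr[2];
    } @group_names;
    my $gid = $gids[0];

    # 1. Supplementary groups first, while still root. Assigning to $)
    #    calls setgroups(); the first number becomes the effective gid.
    $! = 0;
    $) = join ' ', $gid, @gids;
    die "setting groups failed: $!\n" if $!;

    # 2. Then the gid, 3. then the uid. The uid goes last because
    #    changing groups is no longer permitted once root is gone.
    POSIX::setgid($gid) or die "setgid($gid): $!\n";
    POSIX::setuid($uid) or die "setuid($uid): $!\n";

    # 4. Verify every identity instead of trusting the return values.
    die "uid not dropped\n"
        unless POSIX::getuid() == $uid && POSIX::geteuid() == $uid;
    die "gid not dropped\n"
        unless POSIX::getgid() == $gid && POSIX::getegid() == $gid;
    my %wanted = map { $_ => 1 } @gids;
    my (undef, @supplementary) = split ' ', $);
    die "unexpected supplementary group\n"
        if grep { !$wanted{$_} } @supplementary;

    # 5. For a non-root target, getting root back must fail.
    die "root can be regained\n" if $uid != 0 && POSIX::setuid(0);
    return 1;
}

my ($user, @groups) = @ARGV;
die "usage: $0 USER GROUP [GROUP...]\n" unless defined $user;
drop_privileges($user, @groups);
printf "uid=%d gid=%d\n", POSIX::getuid(), POSIX::getgid();
```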

Owner Author

berekuk commented Nov 8, 2012

> It is not obvious (yet documented), that complementary groups for user foo will be used.

Wait, where is it documented? Ubic uses main/complementary groups of user only if no groups are explicitly specified.

Thank you for the code sample. I'll try to check if it works on all platforms.

BTW, my long-term plan is to separate credentials code into a separate distribution (OS::Credentials?). I hope to get to it in the next couple of releases.


citrin commented Nov 8, 2012

> Wait, where is it documented? Ubic uses main/complementary groups of user only if no groups are explicitly specified.

Yes, my fault, I misread the doc.
