Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

Lack of compatibility in Cpanel's wrappers

Discussion in 'General Discussion' started by Martini-man, Jul 24, 2006.

  1. Martini-man

    Martini-man Member

    Dec 23, 2003
    Likes Received:
    Trophy Points:
    When creating a wrapper starting on root and dropping to a certain unprivileged
    user, one should be careful not only when dealing with user and group IDs
    (setreuid(),setregid()) but also while handling the groups from which the user
    is a member (setgroups()).
    If we pick a SUID program (like bin/cpwrap) and just do a setregid(something,
    something);setreuid(something, something);execve(...); we are misregarding the
    other groups, thus the program executed by execve() will have the groups
    belonging to root. At first sight this might not be very bad, but from some
    security application's point of view, this is an unforgivable mistake, as some
    security programs use the groups in which a user is member to check whether to
    allow or block certain operations.
    You could address this issue, by using something like this function:
    fix_groups (char * who)
    struct group * gr;
    gid_t * groups;
    int i=0;
    char ** p;

    while (gr = getgrent ())
    for (p=gr->gr_mem; *p; *(p++))
    if (!strcmp (*p, who))
    groups = (!i) ? (gid_t *) malloc (sizeof (gid_t)) : (gid_t *)
    realloc (groups, (i+1) * sizeof (gid_t));
    if (groups == NULL)
    return -1
    groups = gr->gr_gid;
    return setgroups (i, groups);

    Best regards,
    Fernando Magro.

    ------- Comment #1 From Fernando Magro 2006-07-21 14:38 [reply] -------

    Oh, I forgot to mention.
    The *hack* I posted is for Linux only and the fix_groups() function is just for
    you to understand what initgroups() does.
    Thus, you could just use initgroups() in your wrappers, and everything would be
  2. chirpy

    chirpy Well-Known Member

    Jun 15, 2002
    Likes Received:
    Trophy Points:
    Go on, have a guess
    If this is meant for cPanel's attention, then you should post it to bugzilla, not here.
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice