[Zope] supplemental group ids (Linux)
Chris McDonough
chrism@digicool.com
Mon, 4 Sep 2000 19:44:14 -0400 (EDT)
Apologies for the ignorance, but can you maybe explain the concept
of supplemental group ids and give an example of how the current unpatched
behavior could be subverted?
On 4 Sep 2000 rugger@pangea.ca wrote:
> I noticed when starting Zope as root (to get privileged ports),
> but requesting suid to `nobody' (start -u nobody) the resulting
> processes have the correct uid and gid, but the supplemental
> group id list still has the appropriate value for root. This
> means that the Zope process could, for example, write to files
> that may belong to root.
>
> It's not clear whether this deserves a bug report, so I thought
> I'd ask here instead.
>
>
> The fix is easy (and very lightly tested):
>
> 1) grab and install the supplemental gid package (for python)
> http://www.ccraig.org/software/group.c
>
> 2) patch (for 2.2.0)
>
> --- z2.py.orig Fri Jun 30 10:23:53 2000
> +++ z2.py Mon Sep 4 14:33:51 2000
> @@ -682,13 +682,20 @@
> if type(UID) == type(""):
> uid = pwd.getpwnam(UID)[2]
> gid = pwd.getpwnam(UID)[3]
> + uname = UID
> elif type(UID) == type(1):
> uid = pwd.getpwuid(UID)[2]
> gid = pwd.getpwuid(UID)[3]
> + uname = pwd.getpwuid(UID)[1]
> else:
> raise KeyError
> try:
> if gid is not None:
> + try:
> + import group
> + group.initgroups(uname, gid)
> + except:
> + pass
> try:
> os.setgid(gid)
> except OSError:
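Review bot: the bare `except: pass` around `group.initgroups(uname, gid)` silently swallows both an ImportError (the extra group module not installed) and a failed initgroups call, so in either case Zope keeps running as `nobody` while still holding root's supplementary group list, which is exactly the condition this patch is meant to remove. Catch `ImportError` separately and log that the supplementary groups were not reset, and let any other exception propagate or abort startup; on Pythons that provide `os.setgroups`, `os.setgroups([gid])` is a fallback that needs no extra module. The ordering itself is right: the group list must be reset while the process is still root, before `os.setgid` and the later `os.setuid`.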
>
>
> _______________________________________________
> Zope maillist - Zope@zope.org
> http://lists.zope.org/mailman/listinfo/zope
> ** No cross posts or HTML encoding! **
> (Related lists -
> http://lists.zope.org/mailman/listinfo/zope-announce
> http://lists.zope.org/mailman/listinfo/zope-dev )
>
Chris McDonough
Digital Creations, Publishers of Zope
http://www.zope.org
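As an added example, not code from this thread or from Zope: the same privilege drop done with the standard library's os.initgroups (Python 2.7/3.2 and later, so not available to the 2000-era Zope the patch above targets), followed by a check that no supplementary group outside the target user's entitlement survived. drop_privileges has to run as root to do anything; the group list in the __main__ block is a constructed illustration of the unpatched state.

```python
import os
import pwd
import grp


def expected_groups(username, primary_gid):
    """Group ids the target user is entitled to: the primary gid plus every
    group whose member list names the user (what initgroups(3) computes)."""
    groups = {primary_gid}
    for g in grp.getgrall():
        if username in g.gr_mem:
            groups.add(g.gr_gid)
    return groups


def stale_groups(current, expected):
    """Group ids still held by the process that the target user should not
    have, e.g. root's supplementary groups left over after setuid()."""
    return sorted(set(current) - set(expected))


def drop_privileges(username):
    """Switch the current (root) process to `username`, resetting the
    supplementary group list before the primary gid and uid are changed.
    Order matters: after setuid() the process no longer may change groups."""
    pw = pwd.getpwnam(username)
    os.initgroups(username, pw.pw_gid)   # replaces root's supplementary list
    os.setgid(pw.pw_gid)
    os.setuid(pw.pw_uid)
    stale = stale_groups(os.getgroups(), expected_groups(username, pw.pw_gid))
    if stale:
        # Fail loudly instead of serving as `nobody` with root's groups.
        raise RuntimeError("residual supplementary groups: %r" % stale)
    return os.getuid(), os.getgid(), sorted(os.getgroups())


if __name__ == "__main__":
    # Constructed picture of the unpatched state: uid/gid already changed to
    # nobody (65534) but root's groups 0, 4 and 27 still in the list.
    print(stale_groups([0, 4, 27, 65534], {65534}))   # [0, 4, 27]
    if os.getuid() == 0:
        print(drop_privileges("nobody"))
```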