[Zope] supplemental group ids (Linux)
Chris McDonough
chrism@digicool.com
Tue, 5 Sep 2000 22:05:12 -0400 (EDT)
After some digging, it appears that this is a really good find. Thanks
very much for reporting it. I am going to add a collector item with your
message verbatim.
Thanks very much!
- C
On 4 Sep 2000 rugger@pangea.ca wrote:
> I noticed when starting Zope as root (to get privileged ports),
> but requesting suid to `nobody' (start -u nobody) the resulting
> processes have the correct uid and gid, but the supplemental
> group id list still has the appropriate value for root. This
> means that the Zope process could, for example, write to files
> that may belong to root.
>
> It's not clear whether this deserves a bug report, so I thought
> I'd ask here instead.
>
>
> The fix is easy (and very lightly tested):
>
> 1) grab and install the supplemental gid package (for python)
> http://www.ccraig.org/software/group.c
>
> 2) patch (for 2.2.0)
>
> --- z2.py.orig Fri Jun 30 10:23:53 2000
> +++ z2.py Mon Sep 4 14:33:51 2000
> @@ -682,13 +682,20 @@
> if type(UID) == type(""):
> uid = pwd.getpwnam(UID)[2]
> gid = pwd.getpwnam(UID)[3]
> + uname = UID
> elif type(UID) == type(1):
> uid = pwd.getpwuid(UID)[2]
> gid = pwd.getpwuid(UID)[3]
> + uname = pwd.getpwuid(UID)[1]
> else:
> raise KeyError
> try:
> if gid is not None:
> + try:
> + import group
> + group.initgroups(uname, gid)
> + except:
> + pass
> try:
> os.setgid(gid)
> except OSError:
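Review bot: In the integer-UID branch, `uname = pwd.getpwuid(UID)[1]` reads the password field of the passwd entry rather than the login name (index 0), so `group.initgroups(uname, gid)` is handed a wrong user name there. The bare `except: pass` around the import and the call then hides that failure, as well as a missing `group` module, and the code carries on to `os.setgid(gid)` with root's supplemental groups still attached. Suggest `pwd.getpwuid(UID)[0]`, and refusing to continue (or at least logging) when the group list cannot be reset instead of passing silently.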
>
>
Chris McDonough
Digital Creations, Publishers of Zope
http://www.zope.org
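
The privilege drop discussed in this thread, as an added example (not code from the original message or from Zope): it resets the supplemental group list with Python's standard `os.initgroups` and fails closed instead of ignoring errors. The helper names `expected_groups`, `leftover_groups` and `drop_privileges` and the sample gids are assumptions for illustration, and the check assumes the group database can be enumerated.

```python
import grp
import os
import pwd


def expected_groups(username, primary_gid, group_db=None):
    """Gids the account is entitled to: primary gid plus its memberships."""
    if group_db is None:
        group_db = [(g.gr_gid, g.gr_mem) for g in grp.getgrall()]
    gids = {primary_gid}
    gids.update(gid for gid, members in group_db if username in members)
    return sorted(gids)


def leftover_groups(current, allowed):
    """Gids still held by the process that the target account should not have."""
    return sorted(set(current) - set(allowed))


def drop_privileges(username):
    """Become `username`, failing closed if any step does not take effect."""
    if os.geteuid() != 0:
        raise PermissionError("must start as root to switch user")
    pw = pwd.getpwnam(username)
    # Order matters: the group list and gid can only be changed while still
    # root, so both come before setuid().
    os.initgroups(pw.pw_name, pw.pw_gid)   # replaces root's supplemental list
    os.setgid(pw.pw_gid)
    os.setuid(pw.pw_uid)
    stale = leftover_groups(os.getgroups(),
                            expected_groups(pw.pw_name, pw.pw_gid))
    if stale:
        raise RuntimeError("still in groups %r after drop" % (stale,))
    if os.getuid() != pw.pw_uid or os.getgid() != pw.pw_gid:
        raise RuntimeError("uid/gid switch did not take effect")


if __name__ == "__main__":
    # Constructed values: a typical root group list, and `nobody` with gid 99.
    root_groups = [0, 1, 2, 3, 4, 6, 10]
    # State described in the report: gid switched, supplemental list untouched.
    print(leftover_groups(root_groups + [99], [99]))
```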