From 0e441354f830f86ff80dab9337fc5bdc033cf687 Mon Sep 17 00:00:00 2001 From: Florian Forster Date: Mon, 3 Sep 2007 15:59:08 +0200 Subject: [PATCH] exec plugin: Set the real group, effective group, and real and effective user. In that order. The manpage and the config template have been updated. --- src/collectd-exec.pod | 4 ++-- src/collectd.conf.in | 2 +- src/collectd.conf.pod | 12 +++++++++--- src/exec.c | 34 +++++++++++++++++++++++++--------- 4 files changed, 37 insertions(+), 15 deletions(-) diff --git a/src/collectd-exec.pod b/src/collectd-exec.pod index eaa4f8b4..27d0eedc 100644 --- a/src/collectd-exec.pod +++ b/src/collectd-exec.pod @@ -8,8 +8,8 @@ collectd-exec - Documentation of collectd's C LoadPlugin exec # ... - Exec myuser myprog - Exec otheruser /path/to/another/binary + Exec "myuser:mygroup" "myprog" + Exec "otheruser" "/path/to/another/binary" =head1 DESCRIPTION diff --git a/src/collectd.conf.in b/src/collectd.conf.in index 313fd914..af2db91a 100644 --- a/src/collectd.conf.in +++ b/src/collectd.conf.in @@ -93,7 +93,7 @@ # # -# Exec user "/path/to/exec" +# Exec "user:group" "/path/to/exec" # # diff --git a/src/collectd.conf.pod b/src/collectd.conf.pod index 3de2f243..29e26af4 100644 --- a/src/collectd.conf.pod +++ b/src/collectd.conf.pod 
@@ -249,9 +249,15 @@ output that is expected from it. =item B I[:[I]] I Execute the executable I as user I. If the user name is -followed by a colon and a group name, the program is executed as the specified -group. If only the colon follows the user name the group defaults to the -user's login group. +followed by a colon and a group name, the effective group is set to that group. +The real group and saved-set group will be set to the default group of that +user. If no group is given the effective group ID will be the same as the real +group ID. + +Please note that in order to change the user and/or group the daemon needs +superuser privileges. If the daemon is run as an unprivileged user you must +specify the same user/group here. If the daemon is run with superuser +privileges, you must supply a non-root user here. =back diff --git a/src/exec.c b/src/exec.c index e899a1c3..d9f2d8ce 100644 --- a/src/exec.c +++ b/src/exec.c @@ -118,6 +118,7 @@ static void exec_child (program_list_t *pl) int status; int uid; int gid; + int egid; char *arg0; struct passwd *sp_ptr; @@ -140,12 +141,16 @@ static void exec_child (program_list_t *pl) } uid = sp.pw_uid; + gid = sp.pw_gid; if (uid == 0) { ERROR ("exec plugin: Cowardly refusing to exec program as root."); exit (-1); } + /* The group configured in the configfile is set as effective group, because + * this way the forked process can (re-)gain the user's primary group. */ + egid = -1; if (NULL != pl->group) { if ('\0' != *pl->group) { 
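Review bot: `egid` is declared as `int` in the first exec.c hunk, alongside the existing `int uid` and `int gid`, yet the last hunk assigns it `gr.gr_gid`, which is a `gid_t`. The `-1` set in the following hunk doubles as the "no group configured" marker. On platforms where `gid_t` is an unsigned 32-bit type, IDs above `INT_MAX` depend on implementation-defined conversion, and the marker shares its value space with real IDs. I would declare `gid_t egid;` with a separate `int egid_set = 0;` flag, and cast explicitly for the log messages, e.g. `(long) egid` with `%li`. exec_child begins and ends outside this hunk.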
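Review bot: The root refusal in the second exec.c hunk covers only the user, because `uid == 0` is rejected but no group is compared with 0. Neither the new `gid = sp.pw_gid` nor the configured group that becomes `egid` in the following hunk is checked, so a user paired with a GID 0 group would still run the program with effective group 0. If that is not intended, a guard placed after the group lookup would keep the policy consistent, e.g. `if (gid == 0 || egid == 0) { ERROR ("exec plugin: Cowardly refusing to exec program with group root."); exit (-1); }`. Otherwise the manpage paragraph added in this commit should state that only the user is checked. The enclosing function continues outside the hunk.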
@@ -165,27 +170,38 @@ static void exec_child (program_list_t *pl) exit (-1); } - gid = gr.gr_gid; + egid = gr.gr_gid; } else { - gid = sp.pw_gid; + egid = gid; } + } /* if (pl->group == NULL) */ + + status = setgid (gid); + if (status != 0) + { + ERROR ("exec plugin: setgid (%i) failed: %s", + gid, sstrerror (errno, errbuf, sizeof (errbuf))); + exit (-1); + } - status = setgid (gid); - if (0 != status) + if (egid != -1) + { + status = setegid (egid); + if (status != 0) { - ERROR ("exec plugin: setgid failed: %s", - sstrerror (errno, errbuf, sizeof (errbuf))); + ERROR ("exec plugin: setegid (%i) failed: %s", + egid, sstrerror (errno, errbuf, sizeof (errbuf))); exit (-1); } - } /* if (pl->group == NULL) */ + } status = setuid (uid); if (status != 0) { - ERROR ("exec plugin: setuid failed: %s", - sstrerror (errno, errbuf, sizeof (errbuf))); + ERROR ("exec plugin: setuid (%i) failed: %s", + uid, sstrerror (errno, errbuf, sizeof (errbuf))); exit (-1); } -- 2.11.0
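Review bot: The new `setgid` / `setegid` / `setuid` sequence never resets the supplementary group list, so a daemon started as root would hand its own supplementary groups to the child. No `setgroups` or `initgroups` call is visible in these hunks, though exec_child starts and ends outside them, so this should be confirmed against the full function. The reset has to happen while the process is still privileged, i.e. before `setuid (uid)`, and should be skipped when the daemon is unprivileged, where the call would fail with EPERM. The sketch below uses `initgroups` with the already looked-up `sp` entry; `setgroups (0, NULL)` is the stricter alternative if the user's own secondary groups are not wanted.

```c
  /* Replace the daemon's supplementary groups while still privileged;
   * an unprivileged daemon cannot change them and has nothing to drop. */
  if (geteuid () == 0)
  {
    status = initgroups (sp.pw_name, gid);
    if (status != 0)
    {
      ERROR ("exec plugin: initgroups (%s, %i) failed: %s",
          sp.pw_name, gid, sstrerror (errno, errbuf, sizeof (errbuf)));
      exit (-1);
    }
  }

  status = setgid (gid);
  /* … unchanged: setgid error handling, setegid block, setuid block … */
```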