From patchwork Thu Apr 11 19:01:07 2019
X-Patchwork-Submitter: Michael Heimpold
X-Patchwork-Id: 1084261
X-Patchwork-Delegate: dedeckeh@gmail.com
From: Michael Heimpold
To: openwrt-devel@lists.openwrt.org
Cc: Hans Dedecker, Michael Heimpold
Date: Thu, 11 Apr 2019 21:01:07 +0200
Message-Id: <20190411190111.11738-2-mhei@heimpold.de>
X-Mailer: git-send-email 2.17.1
Subject: [OpenWrt-Devel] [PATCH procd 2/4] service: allow setting a dedicated group id

Sometimes it is desirable to run a process with a specific group id instead of the default one which is derived from the passwd entry. However, we still want to initialize supplementary group ids (including the default one), thus we have to store the specific one in a dedicated structure element.
Signed-off-by: Michael Heimpold --- service/instance.c | 25 ++++++++++++++++++++----- service/instance.h | 4 +++- 2 files changed, 23 insertions(+), 6 deletions(-) diff --git a/service/instance.c b/service/instance.c index d37d872..d8bd52e 100644 --- a/service/instance.c +++ b/service/instance.c @@ -50,6 +50,7 @@ enum { INSTANCE_ATTR_WATCH, INSTANCE_ATTR_ERROR, INSTANCE_ATTR_USER, + INSTANCE_ATTR_GROUP, INSTANCE_ATTR_STDOUT, INSTANCE_ATTR_STDERR, INSTANCE_ATTR_NO_NEW_PRIVS, @@ -76,6 +77,7 @@ static const struct blobmsg_policy instance_attr[__INSTANCE_ATTR_MAX] = { [INSTANCE_ATTR_WATCH] = { "watch", BLOBMSG_TYPE_ARRAY }, [INSTANCE_ATTR_ERROR] = { "error", BLOBMSG_TYPE_ARRAY }, [INSTANCE_ATTR_USER] = { "user", BLOBMSG_TYPE_STRING }, + [INSTANCE_ATTR_GROUP] = { "group", BLOBMSG_TYPE_STRING }, [INSTANCE_ATTR_STDOUT] = { "stdout", BLOBMSG_TYPE_BOOL }, [INSTANCE_ATTR_STDERR] = { "stderr", BLOBMSG_TYPE_BOOL }, [INSTANCE_ATTR_NO_NEW_PRIVS] = { "no_new_privs", BLOBMSG_TYPE_BOOL }, @@ -364,12 +366,12 @@ instance_run(struct service_instance *in, int _stdout, int _stderr) closefd(_stderr); } - if (in->user && in->gid && initgroups(in->user, in->gid)) { + if (in->user && in->pw_gid && initgroups(in->user, in->pw_gid)) { ERROR("failed to initgroups() for user %s: %m\n", in->user); exit(127); } - if (in->gid && setgid(in->gid)) { - ERROR("failed to set group id %d: %m\n", in->gid); + if (in->gr_gid && setgid(in->gr_gid)) { + ERROR("failed to set group id %d: %m\n", in->gr_gid); exit(127); } if (in->uid && setuid(in->uid)) { @@ -650,10 +652,13 @@ instance_config_changed(struct service_instance *in, struct service_instance *in if (string_changed(in->user, in_new->user)) return true; + if (string_changed(in->group, in_new->group)) + return true; + if (in->uid != in_new->uid) return true; - if (in->gid != in_new->gid) + if (in->pw_gid != in_new->pw_gid) return true; if (string_changed(in->pidfile, in_new->pidfile)) 
@@ -909,7 +914,16 @@ instance_config_parse(struct service_instance *in) if (p) { in->user = strdup(user); in->uid = p->pw_uid; - in->gid = p->pw_gid; + in->gr_gid = in->pw_gid = p->pw_gid; + } + } + + if (tb[INSTANCE_ATTR_GROUP]) { + const char *group = blobmsg_get_string(tb[INSTANCE_ATTR_GROUP]); + struct group *p = getgrnam(group); + if (p) { + in->group = strdup(group); + in->gr_gid = p->gr_gid; } } @@ -1038,6 +1052,7 @@ instance_free(struct service_instance *in) instance_config_cleanup(in); free(in->config); free(in->user); + free(in->group); free(in); } diff --git a/service/instance.h b/service/instance.h index 9300d32..42cc4be 100644 --- a/service/instance.h +++ b/service/instance.h @@ -44,7 +44,9 @@ struct service_instance { char *user; uid_t uid; - gid_t gid; + gid_t pw_gid; + char *group; + gid_t gr_gid; bool halt; bool restart;
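Review bot: In the instance_run hunk the initgroups() call is still guarded by `in->user`, so an instance that sets only "group" (without "user") skips initgroups() entirely and keeps procd's own supplementary group list, and because `in->uid` stays 0 the following setuid() is skipped as well, leaving the child at uid 0 with only its primary gid changed. If "group" without "user" is not meant to be supported, reject that combination in instance_config_parse(); otherwise reset the supplementary groups in that case, e.g. with `setgroups(1, &in->gr_gid)`, before the setgid() call. The order initgroups() -> setgid() -> setuid() itself is correct, since the group changes have to happen while the process is still root.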
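Review bot: In the instance_config_changed hunk the new `group` string is compared but the resolved `gr_gid` is not, while `pw_gid` still is; add `if (in->gr_gid != in_new->gr_gid) return true;` next to the pw_gid comparison so that a changed group mapping (same name, different gid in /etc/group) triggers a restart the same way a changed user gid does.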
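Review bot: In the instance_config_parse hunk, when getgrnam() returns NULL the "group" attribute is silently ignored and the instance runs with the gid taken from the passwd entry (or gid 0 when no "user" is given either), so a typo in the group name yields a more privileged process than the one configured; at minimum log an ERROR() naming the unresolved group, and consider refusing to start the instance. The hunk also introduces `struct group` and getgrnam(), which need `<grp.h>`; initgroups() is already used in this file so the include is probably present, but the diff does not show the include list, so please verify.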
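Review bot: In the instance.h hunk the two new gid fields are easy to confuse; a one-line comment on each stating that `pw_gid` is the primary gid from the passwd entry and is only used for initgroups(), while `gr_gid` is the gid actually passed to setgid() (defaulting to pw_gid unless "group" overrides it), would document the split that the commit message describes.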