path: root/sysutils/puppet/patches/patch-af
blob: e9fb1467a172eee449978b47c5a89339d831b12f (plain)
$NetBSD: patch-af,v 1.1 2010/02/04 16:22:02 taca Exp $

Fix for CVE-2009-3564.

--- lib/puppet/util/suidmanager.rb.orig	2010-02-03 01:16:24.000000000 +0000
+++ lib/puppet/util/suidmanager.rb
@@ -7,7 +7,7 @@ module Puppet::Util::SUIDManager
     extend Forwardable
 
     to_delegate_to_process = [ :euid=, :euid, :egid=, :egid,
-                               :uid=, :uid, :gid=, :gid ]
+                               :uid=, :uid, :gid=, :gid, :groups=, :groups ]
 
     to_delegate_to_process.each do |method|
         def_delegator Process, method
@@ -26,13 +26,16 @@ module Puppet::Util::SUIDManager
         # We set both because some programs like to drop privs, i.e. bash.
         old_uid, old_gid = self.uid, self.gid
         old_euid, old_egid = self.euid, self.egid
+        old_groups = self.groups
         begin
             self.egid = convert_xid :gid, new_gid if new_gid
+            self.initgroups(convert_xid(:uid, new_uid)) if new_uid
             self.euid = convert_xid :uid, new_uid if new_uid
   
             yield
         ensure
             self.euid, self.egid = old_euid, old_egid
+            self.groups = old_groups
         end
     end
     module_function :asuser
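Review bot: The ordering the added lines depend on is not documented. `self.initgroups(...)` has to run before `self.euid = ...` because changing the supplementary group list needs the privilege that the euid assignment gives up, and for the same reason `self.groups = old_groups` in the `ensure` can only follow the euid restore. A comment above the call, for example `# initgroups must precede the euid change: setting groups requires privilege`, would keep a later reorder from silently undoing the group reset. `convert_xid(:uid, new_uid)` is also evaluated twice; resolving it once into a local would keep the two uses in agreement. The body of `asuser` starts above this hunk.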
@@ -49,6 +52,13 @@ module Puppet::Util::SUIDManager
     end
     module_function :convert_xid
 
+    # Initialize supplementary groups
+    def initgroups(user)
+        require 'etc'
+        Process.initgroups(Etc.getpwuid(user).name, Process.gid)
+    end
+
+    module_function :initgroups
 
     def run_and_capture(command, new_uid=nil, new_gid=nil)
         output = Puppet::Util.execute(command, :failonfail => false, :uid => new_uid, :gid => new_gid)
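Review bot: In the added `initgroups`, `Process.initgroups(..., Process.gid)` seeds the group list with the process's real gid. The visible `asuser` lines change only egid, so the caller's own group (presumably group 0 when running as root) stays in the supplementary list while the block runs. Using the target user's primary group as the base keeps the list limited to that user's groups: `pw = Etc.getpwuid(user)` followed by `Process.initgroups(pw.name, pw.gid)`. Whether the base should instead follow an explicitly passed `new_gid` is a design choice the hunk does not settle. As a style point, `require 'etc'` reads better at the top of the file than inside the method.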