authorJeroen van Meeuwen (Kolab Systems) <vanmeeuwen@kolabsys.com>2014-02-13 12:04:24 +0100
committerJeroen van Meeuwen (Kolab Systems) <vanmeeuwen@kolabsys.com>2014-02-13 12:04:24 +0100
commit2be10754b498289979a18b645fde2ce6b3bbe55c (patch)
tree7ca0a88a7988c9ca5ffcc57b126fd324dabb24a4 /saslauthd
parenta806537852ad1d34a24abddb19be0615209fb055 (diff)
downloadpykolab-2be10754b498289979a18b645fde2ce6b3bbe55c.tar.gz
Make sure permissions on log files are OK, and saslauthd itself switches uid/gid too
Diffstat (limited to 'saslauthd')
-rw-r--r--saslauthd/__init__.py75
1 files changed, 75 insertions, 0 deletions
diff --git a/saslauthd/__init__.py b/saslauthd/__init__.py
index 90a7413..69accce 100644
--- a/saslauthd/__init__.py
+++ b/saslauthd/__init__.py
@@ -28,7 +28,9 @@
from optparse import OptionParser
from ConfigParser import SafeConfigParser
+import grp
import os
+import pwd
import shutil
import sys
import time
@@ -107,6 +109,79 @@ class SASLAuthDaemon(object):
exitcode = 0
try:
+ try:
+ (ruid, euid, suid) = os.getresuid()
+ (rgid, egid, sgid) = os.getresgid()
+ except AttributeError, errmsg:
+ ruid = os.getuid()
+ rgid = os.getgid()
+
+ if ruid == 0:
+ # Means we can setreuid() / setregid() / setgroups()
+ if rgid == 0:
+ # Get group entry details
+ try:
+ (
+ group_name,
+ group_password,
+ group_gid,
+ group_members
+ ) = grp.getgrnam(conf.process_groupname)
+
+ except KeyError:
+ print >> sys.stderr, _("Group %s does not exist") % (
+ conf.process_groupname
+ )
+
+ sys.exit(1)
+
+ # Set real and effective group if not the same as current.
+ if not group_gid == rgid:
+ log.debug(
+ _("Switching real and effective group id to %d") % (
+ group_gid
+ ),
+ level=8
+ )
+
+ os.setregid(group_gid, group_gid)
+
+ if ruid == 0:
+ # Means we haven't switched yet.
+ try:
+ (
+ user_name,
+ user_password,
+ user_uid,
+ user_gid,
+ user_gecos,
+ user_homedir,
+ user_shell
+ ) = pwd.getpwnam(conf.process_username)
+
+ except KeyError:
+ print >> sys.stderr, _("User %s does not exist") % (
+ conf.process_username
+ )
+
+ sys.exit(1)
+
+
+ # Set real and effective user if not the same as current.
+ if not user_uid == ruid:
+ log.debug(
+ _("Switching real and effective user id to %d") % (
+ user_uid
+ ),
+ level=8
+ )
+
+ os.setreuid(user_uid, user_uid)
+
+ except:
+ log.error(_("Could not change real and effective uid and/or gid"))
+
+ try:
pid = 1
if conf.fork_mode:
pid = os.fork()
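Review bot: The bare `except:` that closes the privilege-switch block makes the drop fail open: in Python 2 it also catches the `SystemExit` raised by the two `sys.exit(1)` calls for a missing group or user, as well as any `OSError` from `os.setregid()` / `os.setreuid()`, so the daemon only logs an error and carries on to the fork while still running as root. Narrow it to `except OSError:` and follow the existing `log.error(...)` with `sys.exit(1)`, so that a failed switch stops the daemon and the `KeyError` exits are no longer swallowed. The comment names `setgroups()` but the new code never calls it, so root's supplementary groups survive the switch; `os.setgroups([group_gid])` before `os.setregid(group_gid, group_gid)` would clear them. Indentation is lost on this page, but the group switch appears to be nested under `if rgid == 0`, which would skip it when root starts with a non-zero gid, so that is worth confirming. The enclosing method of `SASLAuthDaemon` starts and ends outside the hunk.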