author | Jeroen van Meeuwen (Kolab Systems) <vanmeeuwen@kolabsys.com> | 2014-02-13 12:04:24 +0100 |
---|---|---|
committer | Jeroen van Meeuwen (Kolab Systems) <vanmeeuwen@kolabsys.com> | 2014-02-13 12:04:24 +0100 |
commit | 2be10754b498289979a18b645fde2ce6b3bbe55c (patch) | |
tree | 7ca0a88a7988c9ca5ffcc57b126fd324dabb24a4 /saslauthd | |
parent | a806537852ad1d34a24abddb19be0615209fb055 (diff) | |
Make sure permissions on log files are OK, and saslauthd itself switches uid/gid too
Diffstat (limited to 'saslauthd')
-rw-r--r-- | saslauthd/__init__.py | 75 |
1 files changed, 75 insertions, 0 deletions
diff --git a/saslauthd/__init__.py b/saslauthd/__init__.py index 90a7413..69accce 100644 --- a/saslauthd/__init__.py +++ b/saslauthd/__init__.py @@ -28,7 +28,9 @@ from optparse import OptionParser from ConfigParser import SafeConfigParser +import grp import os +import pwd import shutil import sys import time @@ -107,6 +109,79 @@ class SASLAuthDaemon(object): exitcode = 0 try: + try: + (ruid, euid, suid) = os.getresuid() + (rgid, egid, sgid) = os.getresgid() + except AttributeError, errmsg: + ruid = os.getuid() + rgid = os.getgid() + + if ruid == 0: + # Means we can setreuid() / setregid() / setgroups() + if rgid == 0: + # Get group entry details + try: + ( + group_name, + group_password, + group_gid, + group_members + ) = grp.getgrnam(conf.process_groupname) + + except KeyError: + print >> sys.stderr, _("Group %s does not exist") % ( + conf.process_groupname + ) + + sys.exit(1) + + # Set real and effective group if not the same as current. + if not group_gid == rgid: + log.debug( + _("Switching real and effective group id to %d") % ( + group_gid + ), + level=8 + ) + + os.setregid(group_gid, group_gid) + + if ruid == 0: + # Means we haven't switched yet. + try: + ( + user_name, + user_password, + user_uid, + user_gid, + user_gecos, + user_homedir, + user_shell + ) = pwd.getpwnam(conf.process_username) + + except KeyError: + print >> sys.stderr, _("User %s does not exist") % ( + conf.process_username + ) + + sys.exit(1) + + + # Set real and effective user if not the same as current. + if not user_uid == ruid: + log.debug( + _("Switching real and effective user id to %d") % ( + user_uid + ), + level=8 + ) + + os.setreuid(user_uid, user_uid) + + except: + log.error(_("Could not change real and effective uid and/or gid")) + + try: pid = 1 if conf.fork_mode: pid = os.fork() |
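Review bot: The uid/gid switch added in the second hunk fails open. As far as the flattened hunk shows, the closing bare `except:` also catches the `SystemExit` raised by both `sys.exit(1)` calls (unknown group or user) and any `OSError` from `os.setregid()` / `os.setreuid()`, logs one line, and falls through to the `try:` that forks, so the daemon keeps running as root. Narrow the handler to `except Exception:` and follow the `log.error(...)` with `sys.exit(1)` so that a failed switch stops startup. The comment mentions setgroups() but nothing calls it, so the supplementary groups inherited from root survive the switch; add `os.setgroups([group_gid])` before `os.setregid(group_gid, group_gid)`. The enclosing SASLAuthDaemon method starts before the hunk and continues after it.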