authorJeroen van Meeuwen (Kolab Systems) <vanmeeuwen@kolabsys.com>2014-02-15 23:17:43 +0100
committerJeroen van Meeuwen (Kolab Systems) <vanmeeuwen@kolabsys.com>2014-02-15 23:17:43 +0100
commitf5ce4bf8d795d38acc033489b33f9a77bba2ae39 (patch)
tree3077deb0c08588733551412682c55c2d09dc2952 /saslauthd
parentafb2fa1b5cb7443956545578b7a5bcf61b7277a6 (diff)
downloadpykolab-f5ce4bf8d795d38acc033489b33f9a77bba2ae39.tar.gz
First ensure our socket directory is writeable, then drop privileges
Diffstat (limited to 'saslauthd')
-rw-r--r--saslauthd/__init__.py160
1 files changed, 83 insertions, 77 deletions
diff --git a/saslauthd/__init__.py b/saslauthd/__init__.py
index 69accce..d952bdb 100644
--- a/saslauthd/__init__.py
+++ b/saslauthd/__init__.py
@@ -108,78 +108,9 @@ class SASLAuthDaemon(object):
exitcode = 0
- try:
- try:
- (ruid, euid, suid) = os.getresuid()
- (rgid, egid, sgid) = os.getresgid()
- except AttributeError, errmsg:
- ruid = os.getuid()
- rgid = os.getgid()
-
- if ruid == 0:
- # Means we can setreuid() / setregid() / setgroups()
- if rgid == 0:
- # Get group entry details
- try:
- (
- group_name,
- group_password,
- group_gid,
- group_members
- ) = grp.getgrnam(conf.process_groupname)
-
- except KeyError:
- print >> sys.stderr, _("Group %s does not exist") % (
- conf.process_groupname
- )
-
- sys.exit(1)
-
- # Set real and effective group if not the same as current.
- if not group_gid == rgid:
- log.debug(
- _("Switching real and effective group id to %d") % (
- group_gid
- ),
- level=8
- )
-
- os.setregid(group_gid, group_gid)
-
- if ruid == 0:
- # Means we haven't switched yet.
- try:
- (
- user_name,
- user_password,
- user_uid,
- user_gid,
- user_gecos,
- user_homedir,
- user_shell
- ) = pwd.getpwnam(conf.process_username)
-
- except KeyError:
- print >> sys.stderr, _("User %s does not exist") % (
- conf.process_username
- )
-
- sys.exit(1)
+ self._ensure_socket_dir()
-
- # Set real and effective user if not the same as current.
- if not user_uid == ruid:
- log.debug(
- _("Switching real and effective user id to %d") % (
- user_uid
- ),
- level=8
- )
-
- os.setreuid(user_uid, user_uid)
-
- except:
- log.error(_("Could not change real and effective uid and/or gid"))
+ self._drop_privileges()
try:
pid = 1
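Review bot: The two new calls at the `self._ensure_socket_dir()` / `self._drop_privileges()` lines encode an ordering invariant (the directory must be created while the process still has root, and it must be writeable by the service account afterwards) that nothing in the code states; the commit message is the only place it lives. A one-line comment above the pair would keep the next refactor from swapping them, e.g. `# Must run before _drop_privileges(): creating/chowning /var/run/saslauthd/ needs root.` The caller also proceeds into the `pid = 1` block no matter what `_drop_privileges()` did, so if that helper only logs on failure the daemon keeps running with whatever privileges it started with; consider having it raise or `sys.exit(1)` and documenting that here. The enclosing method begins before this hunk, so I cannot see how its callers treat errors.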
@@ -228,12 +159,6 @@ class SASLAuthDaemon(object):
s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
- utils.ensure_directory(
- '/var/run/saslauthd/',
- conf.process_username,
- conf.process_groupname
- )
-
# TODO: The saslauthd socket path could be a setting.
try:
os.remove('/var/run/saslauthd/mux')
@@ -334,3 +259,84 @@ class SASLAuthDaemon(object):
fp = open(conf.pidfile,'w')
fp.write("%d\n" % (pid))
fp.close()
+
+ def _ensure_socket_dir(self):
+ utils.ensure_directory(
+ '/var/run/saslauthd/',
+ conf.process_username,
+ conf.process_groupname
+ )
+
+ def _drop_privileges(self):
+ try:
+ try:
+ (ruid, euid, suid) = os.getresuid()
+ (rgid, egid, sgid) = os.getresgid()
+ except AttributeError, errmsg:
+ ruid = os.getuid()
+ rgid = os.getgid()
+
+ if ruid == 0:
+ # Means we can setreuid() / setregid() / setgroups()
+ if rgid == 0:
+ # Get group entry details
+ try:
+ (
+ group_name,
+ group_password,
+ group_gid,
+ group_members
+ ) = grp.getgrnam(conf.process_groupname)
+
+ except KeyError:
+ print >> sys.stderr, _("Group %s does not exist") % (
+ conf.process_groupname
+ )
+
+ sys.exit(1)
+
+ # Set real and effective group if not the same as current.
+ if not group_gid == rgid:
+ log.debug(
+ _("Switching real and effective group id to %d") % (
+ group_gid
+ ),
+ level=8
+ )
+
+ os.setregid(group_gid, group_gid)
+
+ if ruid == 0:
+ # Means we haven't switched yet.
+ try:
+ (
+ user_name,
+ user_password,
+ user_uid,
+ user_gid,
+ user_gecos,
+ user_homedir,
+ user_shell
+ ) = pwd.getpwnam(conf.process_username)
+
+ except KeyError:
+ print >> sys.stderr, _("User %s does not exist") % (
+ conf.process_username
+ )
+
+ sys.exit(1)
+
+
+ # Set real and effective user if not the same as current.
+ if not user_uid == ruid:
+ log.debug(
+ _("Switching real and effective user id to %d") % (
+ user_uid
+ ),
+ level=8
+ )
+
+ os.setreuid(user_uid, user_uid)
+
+ except:
+ log.error(_("Could not change real and effective uid and/or gid"))
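Review bot: The bare `except:` at the end of `_drop_privileges` also catches the `SystemExit` raised by the two `sys.exit(1)` calls inside the same `try` (the "Group %s does not exist" / "User %s does not exist" paths), so a misconfigured `process_username`/`process_groupname` is downgraded to a logged "Could not change real and effective uid and/or gid" and the daemon carries on as root. The handler should be narrowed to `except OSError, errmsg:` and made fatal, since continuing without the drop defeats the purpose of the method. Separately, the comment "Means we can setreuid() / setregid() / setgroups()" mentions `setgroups()` but the body never calls it, so any supplementary groups the root-started process inherited survive `setregid`/`setreuid`; clearing them with `os.setgroups([])` while the euid is still 0 closes that gap (presumably the daemon is started as root — confirm how it is launched).
```python
    def _drop_privileges(self):
        try:
            # … unchanged: getresuid()/getresgid() lookup with getuid()/getgid() fallback …
            if ruid == 0:
                # … unchanged: grp.getgrnam() lookup, KeyError exit and setregid() …
                if ruid == 0:
                    # Drop supplementary groups while we still have the privilege to do so.
                    os.setgroups([])
                    # … unchanged: pwd.getpwnam() lookup, KeyError exit and setreuid() …
        except OSError, errmsg:
            # Running on with the original privileges is worse than not starting.
            log.error(_("Could not change real and effective uid and/or gid"))
            sys.exit(1)
```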