X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?a=blobdiff_plain;f=secnet.c;h=e09c296bfef14bcb6a8e04cfeee58fe7bd964a73;hb=3e69b1eec376fdd75e9923b35d21dad0c37644a9;hp=efe52b356048bc2e44ca0ac93939bd6edae90bf0;hpb=3b83c93292fbf6c4e859ce513bdf54ad90733f96;p=secnet.git
diff --git a/secnet.c b/secnet.c
index efe52b3..e09c296 100644
--- a/secnet.c
+++ b/secnet.c
@@ -2,6 +2,7 @@ extern char version[];
 #include "secnet.h"
 #include
+#include
 #include
 #include
 #include
@@ -9,6 +10,7 @@ extern char version[];
 #include
 #include
 #include
+#include
 #include "util.h"
 #include "conffile.h"
@@ -20,6 +22,7 @@ static const char *sites_key="sites";
 bool_t just_check_config=False;
 static char *userid=NULL;
 static uid_t uid=0;
+static gid_t gid;
 bool_t background=True;
 static char *pidfile=NULL;
 bool_t require_root_privileges=False;
@@ -184,17 +187,10 @@ static void setup(dict_t *config)
 /* Who are we supposed to run as? */
 userid=dict_read_string(system,"userid",False,"system",loc);
 if (userid) {
- do {
- pw=getpwent();
- if (pw && strcmp(pw->pw_name,userid)==0) {
- uid=pw->pw_uid;
- break;
- }
- } while(pw);
- endpwent();
- if (uid==0) {
+ if(!(pw=getpwnam(userid)))
 fatal("userid \"%s\" not found",userid);
- }
+ uid=pw->pw_uid;
+ gid=pw->pw_gid;
 }
 /* Pidfile name */
@@ -331,10 +327,18 @@ static void droppriv(void)
 }
 /* Now drop privileges */
- if (uid!=0) {
+ if (userid) {
+ if (setgid(gid)!=0)
+ fatal_perror("can't set gid to %ld",(long)gid);
+ if(initgroups(userid, gid) < 0)
+ fatal_perror("initgroups");
 if (setuid(uid)!=0) {
 fatal_perror("can't set uid to \"%s\"",userid);
 }
+ assert(getuid() == uid);
+ assert(geteuid() == uid);
+ assert(getgid() == gid);
+ assert(getegid() == gid);
 }
 if (background) {
 p=fork();
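Review bot: A `userid` that resolves to uid 0 is now accepted in `setup`, whereas the removed loop ended in `fatal` whenever `uid==0`; combined with the new `if (userid)` test in `droppriv`, such a configuration passes through `setgid`/`initgroups`/`setuid` and keeps running as root. If that is not intended, reject it right after the lookup, e.g. `if (pw->pw_uid==0) fatal("userid \"%s\" has uid 0",userid);`; if it is intended, a comment saying that root is a permitted target would help. `getpwnam` also returns NULL on lookup errors, so the "not found" message can hide a failure that set `errno`; clearing `errno` before the call would let the two cases be told apart. The body of `setup` starts and ends outside the hunk.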
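Review bot: The four `assert` calls after `setuid` are the only verification that the privilege drop took effect, and they compile to nothing when the build defines `NDEBUG`. A check this security-relevant should be unconditional, e.g. `if (getuid()!=uid || geteuid()!=uid || getgid()!=gid || getegid()!=gid) fatal("privilege drop did not take effect");`. The ordering `setgid`, `initgroups`, `setuid` is the right one, and a short comment stating that the group changes must precede `setuid` would keep it from being reordered later. `droppriv` starts and ends outside the hunk.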