.BR /var/lib/nfs/state ,
and updated by
.BR sm-notify .
+.SS Security
+.B sm-notify
+has little need for root privileges and so drops them as soon as
+possible.
+It continues to need to make changes to the
+.B sm
+and
+.B sm.bak
+directories so to be able to drop privileges, these must be writable
+by a non-privileged user. If these directories are owned by a
+non-root user,
+.B sm-notify
+will drop privilege to match that user once it has created sockets for
+sending out request (for which it needs privileged) but before it
+processes any reply (which is the most likely source of possible
+privilege abuse).
.SH OPTIONS
.TP
.BI -m " failtime
static int host_lookup(int, const char *, nsm_address *);
void nsm_log(int fac, const char *fmt, ...);
static int record_pid();
+static void drop_privs(void);
static struct nsm_host * hosts = NULL;
if (opt_max_retry)
failtime = time(NULL) + opt_max_retry;
+ drop_privs();
+
while (hosts) {
struct pollfd pfd;
time_t now = time(NULL);
close(fd);
return 1;
}
+
+/* Drop privileges to match owner of state-directory
+ * (in case a reply triggers some unknown bug).
+ */
+static void drop_privs(void)
+{
+ struct stat st;
+
+ if (stat(_SM_DIR_PATH, &st) == -1 &&
+ stat(_SM_BASE_PATH, &st) == -1) {
+ st.st_uid = 0;
+ st.st_gid = 0;
+ }
+
+ if (st.st_uid == 0) {
+ nsm_log(LOG_WARNING,
+ "sm-notify running as root. chown %s to choose different user\n",
+ _SM_DIR_PATH);
+ return;
+ }
+
+ setgroups(0, NULL);
+ if (setgid(st.st_gid) == -1
+ || setuid(st.st_uid) == -1) {
+ nsm_log(LOG_ERR, "Fail to drop privileges");
+ exit(1);
+ }
+}
projects / nfs-utils.git / commitdiff