}
/* we have caps, we have no need to ever change back the original user */
- if (zprivs_state.zuid)
+ /* only change uid if we don't have the correct one */
+ if ((zprivs_state.zuid) && (zprivs_state.zsuid != zprivs_state.zuid))
{
if ( setreuid (zprivs_state.zuid, zprivs_state.zuid) )
{
/* we have caps, we have no need to ever change back the original user
* change real, effective and saved to the specified user.
*/
- if (zprivs_state.zuid)
+ /* only change uid if we don't have the correct one */
+ if ((zprivs_state.zuid) && (zprivs_state.zsuid != zprivs_state.zuid))
{
if ( setreuid (zprivs_state.zuid, zprivs_state.zuid) )
{
int
zprivs_change_uid (zebra_privs_ops_t op)
{
-
+ if (zprivs_state.zsuid == zprivs_state.zuid)
+ return 0;
if (op == ZPRIVS_RAISE)
return seteuid (zprivs_state.zsuid);
else if (op == ZPRIVS_LOWER)
}
}
- if (ngroups)
+ /* add groups only if we changed uid - otherwise skip */
+ if ((ngroups) && (zprivs_state.zsuid != zprivs_state.zuid))
{
if ( setgroups (ngroups, groups) )
{
}
}
- if (zprivs_state.zgid)
+ /* change gid only if we changed uid - otherwise skip */
+ if ((zprivs_state.zgid) && (zprivs_state.zsuid != zprivs_state.zuid))
{
/* change group now, forever. uid we do later */
if ( setregid (zprivs_state.zgid, zprivs_state.zgid) )
* This is not worth that much security wise, but all we can do.
*/
zprivs_state.zsuid = geteuid();
- if ( zprivs_state.zuid )
+ /* only change uid if we don't have the correct one */
+ if (( zprivs_state.zuid ) && (zprivs_state.zsuid != zprivs_state.zuid))
{
if ( setreuid (-1, zprivs_state.zuid) )
{
#ifdef HAVE_CAPABILITIES
zprivs_caps_terminate();
#else /* !HAVE_CAPABILITIES */
- if (zprivs_state.zuid)
+ /* only change uid if we don't have the correct one */
+ if ((zprivs_state.zuid) && (zprivs_state.zsuid != zprivs_state.zuid))
{
if ( setreuid (zprivs_state.zuid, zprivs_state.zuid) )
{
umask (old_mask);
zprivs_get_ids(&ids);
-
- if (ids.gid_vty > 0)
+
+ /* Hack: ids.gid_vty is actually a uint, but we stored -1 in it
+ earlier for the case when we don't need to chown the file
+ type casting it here to make a compare */
+ if ((int)ids.gid_vty > 0)
{
/* set group of socket */
if ( chown (path, -1, ids.gid_vty) )