lib: Don't change uid/gid if we are already the correct uid/gid

Signed-off-by: Martin Winter <mwinter@opensourcerouting.org>

diff --git a/lib/privs.c b/lib/privs.c
index ac2a8454c5f56b175d28aca425ef091b9ac0778f..376d6f3365bb8c22f50397420acabbb554492493 100644 (file)
--- a/lib/privs.c
+++ b/lib/privs.c
@@ -251,7 +251,8 @@ zprivs_caps_init (struct zebra_privs_t *zprivs)
     }
 
   /* we have caps, we have no need to ever change back the original user */
-  if (zprivs_state.zuid)
+    /* only change uid if we don't have the correct one */
+    if ((zprivs_state.zuid) && (zprivs_state.zsuid != zprivs_state.zuid))
     {
       if ( setreuid (zprivs_state.zuid, zprivs_state.zuid) )
         {
@@ -531,7 +532,8 @@ zprivs_caps_init (struct zebra_privs_t *zprivs)
   /* we have caps, we have no need to ever change back the original user
    * change real, effective and saved to the specified user.
    */
-  if (zprivs_state.zuid)
+   /* only change uid if we don't have the correct one */
+   if ((zprivs_state.zuid) && (zprivs_state.zsuid != zprivs_state.zuid))
     {
       if ( setreuid (zprivs_state.zuid, zprivs_state.zuid) )
         {
@@ -602,7 +604,8 @@ zprivs_caps_terminate (void)
 int
 zprivs_change_uid (zebra_privs_ops_t op)
 {
-
+  if (zprivs_state.zsuid == zprivs_state.zuid)
+    return 0;
   if (op == ZPRIVS_RAISE)
     return seteuid (zprivs_state.zsuid);
   else if (op == ZPRIVS_LOWER)
@@ -766,7 +769,8 @@ zprivs_init(struct zebra_privs_t *zprivs)
         }
     }
 
-  if (ngroups)
+  /* add groups only if we changed uid - otherwise skip */
+  if ((ngroups) && (zprivs_state.zsuid != zprivs_state.zuid))
     {
       if ( setgroups (ngroups, groups) )
         {
@@ -776,7 +780,8 @@ zprivs_init(struct zebra_privs_t *zprivs)
         }
     }
 
-  if (zprivs_state.zgid)
+  /* change gid only if we changed uid - otherwise skip */
+  if ((zprivs_state.zgid) && (zprivs_state.zsuid != zprivs_state.zuid))
     {
       /* change group now, forever. uid we do later */
       if ( setregid (zprivs_state.zgid, zprivs_state.zgid) )
@@ -797,7 +802,8 @@ zprivs_init(struct zebra_privs_t *zprivs)
    * This is not worth that much security wise, but all we can do.
    */
   zprivs_state.zsuid = geteuid();  
-  if ( zprivs_state.zuid )
+  /* only change uid if we don't have the correct one */
+  if (( zprivs_state.zuid ) && (zprivs_state.zsuid != zprivs_state.zuid))
     {
       if ( setreuid (-1, zprivs_state.zuid) )
         {
@@ -824,7 +830,8 @@ zprivs_terminate (struct zebra_privs_t *zprivs)
 #ifdef HAVE_CAPABILITIES
   zprivs_caps_terminate();
 #else /* !HAVE_CAPABILITIES */
-  if (zprivs_state.zuid)
+  /* only change uid if we don't have the correct one */
+  if ((zprivs_state.zuid) && (zprivs_state.zsuid != zprivs_state.zuid))
     {
       if ( setreuid (zprivs_state.zuid, zprivs_state.zuid) )
         {

diff --git a/lib/vty.c b/lib/vty.c
index adcfaca4f3d4f4b8faeb0816d65009a033d0eaae..9594d68ebdf0c5e350ce9302a5bcfa9651959e34 100644 (file)
--- a/lib/vty.c
+++ b/lib/vty.c
@@ -2091,8 +2091,11 @@ vty_serv_un (const char *path)
   umask (old_mask);
 
   zprivs_get_ids(&ids);
-  
-  if (ids.gid_vty > 0)
+
+  /* Hack: ids.gid_vty is actually a uint, but we stored -1 in it
+     earlier for the case when we don't need to chown the file
+     type casting it here to make a compare */
+  if ((int)ids.gid_vty > 0)
     {
       /* set group of socket */
       if ( chown (path, -1, ids.gid_vty) )