Add zuul supplementary groups before setgid/setuid

When zuul-executor is dropping root privileges, pull a list
of supplementary groups for the target user and, to keep them, make
sure that they are added before calling setgid() and setuid().

Change-Id: I02f724a3fb01b69798681c6f2bbc83852c87246f
changes/44/508444/1
Krzysztof Klimonda 5 years ago committed by Krzysztof Klimonda
parent d6c74ef78a
commit 8fd2bb8c9e
  1. 6
      zuul/cmd/executor.py

@ -22,6 +22,7 @@ import extras
# instead it depends on lockfile-0.9.1 which uses pidfile.
pid_file_module = extras.try_imports(['daemon.pidlockfile', 'daemon.pidfile'])
import grp
import logging
import os
import pwd
@ -101,7 +102,10 @@ class Executor(zuul.cmd.ZuulApp):
if os.getuid() != 0:
return
pw = pwd.getpwnam(self.user)
os.setgroups([])
# get a list of supplementary groups for the target user, and make sure
# we set them when dropping privileges.
groups = [g.gr_gid for g in grp.getgrall() if self.user in g.gr_mem]
os.setgroups(groups)
os.setgid(pw.pw_gid)
os.setuid(pw.pw_uid)
os.umask(0o022)
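Review bot: The group list built from `grp.getgrall()` in the second hunk relies on the group database being enumerable, which directory-backed NSS sources (LDAP, sssd) often do not allow, so the executor could silently end up with an empty supplementary list. Replacing the `groups = ...` and `os.setgroups(groups)` lines with `os.initgroups(self.user, pw.pw_gid)` asks the C library for the user's groups directly and also includes the primary gid. Because the process now keeps every group the target user belongs to rather than none, the comment should say that membership in any privileged group carries over to everything the executor runs, for example `# NOTE: the executor inherits all of self.user's groups; keep that account out of privileged groups`. The enclosing method starts and ends outside the hunk, so it cannot be seen here whether the drop is verified after `setuid()`.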
