From 8fd2bb8c9e087fae9932a69bde282349ddfea4a6 Mon Sep 17 00:00:00 2001
From: Krzysztof Klimonda
Date: Fri, 29 Sep 2017 10:38:35 +0200
Subject: [PATCH] Add zuul supplementary groups before setgid/setuid
When zuul-executor is dropping root privileges, pull a list of supplementary groups for the target user, to keep them make sure that they are added before calling setgid() and setuid().
Change-Id: I02f724a3fb01b69798681c6f2bbc83852c87246f
---
 zuul/cmd/executor.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/zuul/cmd/executor.py b/zuul/cmd/executor.py
index 63c621d81a..70c80c5771 100755
--- a/zuul/cmd/executor.py
+++ b/zuul/cmd/executor.py
@@ -22,6 +22,7 @@ import extras
 # instead it depends on lockfile-0.9.1 which uses pidfile.
 pid_file_module = extras.try_imports(['daemon.pidlockfile', 'daemon.pidfile'])
 
+import grp
 import logging
 import os
 import pwd
@@ -101,7 +102,10 @@ class Executor(zuul.cmd.ZuulApp):
 if os.getuid() != 0:
 return
 pw = pwd.getpwnam(self.user)
- os.setgroups([])
+ # get a list of supplementary groups for the target user, and make sure
+ # we set them when dropping privileges.
+ groups = [g.gr_gid for g in grp.getgrall() if self.user in g.gr_mem]
+ os.setgroups(groups)
 os.setgid(pw.pw_gid)
 os.setuid(pw.pw_uid)
 os.umask(0o022)
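Review bot: The group list in the second hunk is built by scanning `grp.getgrall()` for `self.user` in `gr_mem`, which only works when the name-service backend enumerates every group; where enumeration is disabled or incomplete (often the case with directory-backed accounts), the process would silently end up with fewer groups than the account really has. Using `os.initgroups(self.user, pw.pw_gid)` in place of the comprehension and `os.setgroups(groups)` asks the C library for the user's group list directly, and would make the new `import grp` unnecessary. Because this replaces `os.setgroups([])`, the executor now keeps every supplementary group of the target user after dropping root, so the comment should state that this is intended, e.g. `# keep the target user's supplementary groups; audit that account's memberships`. The enclosing method starts and ends outside the hunk.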