Add zuul supplementary groups before setgid/setuid

When zuul-executor drops root privileges, look up the list
of supplementary groups for the target user and, to keep them,
make sure they are set before calling setgid() and setuid().

Change-Id: I02f724a3fb01b69798681c6f2bbc83852c87246f
Krzysztof Klimonda 2017-09-29 10:38:35 +02:00 committed by Krzysztof Klimonda
parent d6c74ef78a
commit 8fd2bb8c9e
1 changed files with 5 additions and 1 deletions


@ -22,6 +22,7 @@ import extras
# instead it depends on lockfile-0.9.1 which uses pidfile. # instead it depends on lockfile-0.9.1 which uses pidfile.
pid_file_module = extras.try_imports(['daemon.pidlockfile', 'daemon.pidfile']) pid_file_module = extras.try_imports(['daemon.pidlockfile', 'daemon.pidfile'])
import grp
import logging import logging
import os import os
import pwd import pwd
@ -101,7 +102,10 @@ class Executor(zuul.cmd.ZuulApp):
if os.getuid() != 0: if os.getuid() != 0:
return return
pw = pwd.getpwnam(self.user) pw = pwd.getpwnam(self.user)
os.setgroups([]) # get a list of supplementary groups for the target user, and make sure
# we set them when dropping privileges.
groups = [g.gr_gid for g in grp.getgrall() if self.user in g.gr_mem]
os.setgroups(groups)
os.setgid(pw.pw_gid) os.setgid(pw.pw_gid)
os.setuid(pw.pw_uid) os.setuid(pw.pw_uid)
os.umask(0o022) os.umask(0o022)
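Review bot: The list built from `grp.getgrall()` and passed to `os.setgroups(groups)` can be incomplete, because enumerating the whole group database is not guaranteed to return every group on hosts with a directory-backed NSS source (for example LDAP, or SSSD with enumeration disabled), so the process could silently lose groups the user should have. `os.initgroups(self.user, pw.pw_gid)` asks the system for the user's group list directly and would replace both new lines and the added `import grp`. A comment is also worth adding that the process now keeps every group the target user belongs to, where it previously dropped all of them with `os.setgroups([])`, so membership in a privileged group carries over into the unprivileged process. The enclosing method starts outside the hunk.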