Add zuul supplementary groups before setgid/setuid
When zuul-executor is dropping root privileges, pull a list of supplementary groups for the target user; to keep them, make sure that they are added before calling setgid() and setuid(). Change-Id: I02f724a3fb01b69798681c6f2bbc83852c87246f
parent
d6c74ef78a
commit
8fd2bb8c9e
|
@ -22,6 +22,7 @@ import extras
|
||||||
# instead it depends on lockfile-0.9.1 which uses pidfile.
|
# instead it depends on lockfile-0.9.1 which uses pidfile.
|
||||||
pid_file_module = extras.try_imports(['daemon.pidlockfile', 'daemon.pidfile'])
|
pid_file_module = extras.try_imports(['daemon.pidlockfile', 'daemon.pidfile'])
|
||||||
|
|
||||||
|
import grp
|
||||||
import logging
|
import logging
|
||||||
import os
|
import os
|
||||||
import pwd
|
import pwd
|
||||||
|
@ -101,7 +102,10 @@ class Executor(zuul.cmd.ZuulApp):
|
||||||
if os.getuid() != 0:
|
if os.getuid() != 0:
|
||||||
return
|
return
|
||||||
pw = pwd.getpwnam(self.user)
|
pw = pwd.getpwnam(self.user)
|
||||||
os.setgroups([])
|
# get a list of supplementary groups for the target user, and make sure
|
||||||
|
# we set them when dropping privileges.
|
||||||
|
groups = [g.gr_gid for g in grp.getgrall() if self.user in g.gr_mem]
|
||||||
|
os.setgroups(groups)
|
||||||
os.setgid(pw.pw_gid)
|
os.setgid(pw.pw_gid)
|
||||||
os.setuid(pw.pw_uid)
|
os.setuid(pw.pw_uid)
|
||||||
os.umask(0o022)
|
os.umask(0o022)
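Review bot: The comprehension over `grp.getgrall()` in the privilege-drop path relies on the group database being enumerable; with directory-backed NSS sources where enumeration is disabled or partial it can silently return an incomplete list, and it walks every group on the host. `os.initgroups(self.user, pw.pw_gid)` asks the C library for the user's group list directly and also includes the primary gid, so the two added lines could become that single call, still placed before `os.setgid(pw.pw_gid)`. Because the process no longer clears its supplementary groups, the comment should also state the consequence, for example `# NOTE: the executor keeps every group self.user belongs to after the drop; keep that account out of privileged groups.` The enclosing method starts outside the hunk, so whether a later step re-checks the effective ids cannot be seen from here.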
|
||||||
|
|