From 302905ffe8fdcb9abdf36f16bc4420f5e1dbab01 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 23 Feb 2017 13:06:21 -0500
Subject: [PATCH] Handle group membership when testing for file permissions
This was a bit of a corner case but group membership wasn't
considered when trying to determine if the NSS databases are
readable.
Resolves BZ 1395300
---
nss_engine_init.c | 45 +++++++++++++++++++++++++++++++++------------
1 file changed, 33 insertions(+), 12 deletions(-)
diff --git a/nss_engine_init.c b/nss_engine_init.c
index 0bb2054..14f86d8 100644
--- a/nss_engine_init.c
+++ b/nss_engine_init.c
@@ -29,6 +29,7 @@
#include "cert.h"
#include <sys/types.h>
#include <pwd.h>
+#include <grp.h>
static SECStatus ownBadCertHandler(void *arg, PRFileDesc * socket);
static SECStatus ownHandshakeCallback(PRFileDesc * socket, void *arg);
@@ -56,17 +57,33 @@ static char *version_components[] = {
* Return 0 on failure or file doesn't exist
* Return 1 on success
*/
-static int check_path(uid_t uid, gid_t gid, char *filepath, apr_pool_t *p)
+static int check_path(const char *user, uid_t uid, gid_t gid, char *filepath,
+ apr_pool_t *p)
{
apr_finfo_t finfo;
- int rv;
+ PRBool in_group = PR_FALSE;
+ struct group *gr;
+ int i = 0;
+
+ if ((apr_stat(&finfo, filepath, APR_FINFO_PROT | APR_FINFO_OWNER, p))
+ == APR_SUCCESS) {
+ if ((gr = getgrgid(finfo.group)) == NULL) {
+ return 0;
+ }
- if ((rv = apr_stat(&finfo, filepath, APR_FINFO_PROT | APR_FINFO_OWNER,
- p)) == APR_SUCCESS) {
+ if (gid == finfo.group) {
+ in_group = PR_TRUE;
+ } else {
+ while ((gr->gr_mem != NULL) && (gr->gr_mem[i] != NULL)) {
+ if (!strcasecmp(user, gr->gr_mem[i++])) {
+ in_group = PR_TRUE;
+ break;
+ }
+ }
+ }
if (((uid == finfo.user) &&
(finfo.protection & APR_FPROT_UREAD)) ||
- ((gid == finfo.group) &&
- (finfo.protection & APR_FPROT_GREAD)) ||
+ (in_group && (finfo.protection & APR_FPROT_GREAD)) ||
(finfo.protection & APR_FPROT_WREAD)
)
{
@@ -176,7 +193,7 @@ static void nss_init_SSLLibrary(server_rec *base_server, apr_pool_t *p)
"Checking permissions for user %s: uid %d gid %d",
mc->user, pw->pw_uid, pw->pw_gid);
- if (!(check_path(pw->pw_uid, pw->pw_gid, dbdir, p))) {
+ if (!(check_path(mc->user, pw->pw_uid, pw->pw_gid, dbdir, p))) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server,
"Server user %s lacks read access to NSS "
"database directory %s.", mc->user, dbdir);
@@ -186,7 +203,8 @@ static void nss_init_SSLLibrary(server_rec *base_server, apr_pool_t *p)
if (strncasecmp(mc->pCertificateDatabase, "sql:", 4) == 0) {
apr_snprintf(filepath, 1024, "%s/key4.db",
mc->pCertificateDatabase+4);
- if (!(check_path(pw->pw_uid, pw->pw_gid, filepath, p))) {
+ if (!(check_path(mc->user, pw->pw_uid, pw->pw_gid, filepath,
+ p))) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server,
"Server user %s lacks read access to NSS key "
"database %s.", mc->user, filepath);
@@ -194,7 +212,8 @@ static void nss_init_SSLLibrary(server_rec *base_server, apr_pool_t *p)
}
apr_snprintf(filepath, 1024, "%s/cert9.db",
mc->pCertificateDatabase+4);
- if (!(check_path(pw->pw_uid, pw->pw_gid, filepath, p))) {
+ if (!(check_path(mc->user, pw->pw_uid, pw->pw_gid, filepath,
+ p))) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server,
"Server user %s lacks read access to NSS cert "
"database %s.", mc->user, filepath);
@@ -203,7 +222,8 @@ static void nss_init_SSLLibrary(server_rec *base_server, apr_pool_t *p)
} else {
apr_snprintf(filepath, 1024, "%s/key3.db",
mc->pCertificateDatabase);
- if (!(check_path(pw->pw_uid, pw->pw_gid, filepath, p))) {
+ if (!(check_path(mc->user, pw->pw_uid, pw->pw_gid, filepath,
+ p))) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server,
"Server user %s lacks read access to NSS key "
"database %s.", mc->user, filepath);
@@ -211,7 +231,8 @@ static void nss_init_SSLLibrary(server_rec *base_server, apr_pool_t *p)
}
apr_snprintf(filepath, 1024, "%s/cert8.db",
mc->pCertificateDatabase);
- if (!(check_path(pw->pw_uid, pw->pw_gid, filepath, p))) {
+ if (!(check_path(mc->user, pw->pw_uid, pw->pw_gid, filepath,
+ p))) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server,
"Server user %s lacks read access to NSS cert "
"database %s.", mc->user, filepath);
@@ -219,7 +240,7 @@ static void nss_init_SSLLibrary(server_rec *base_server, apr_pool_t *p)
}
apr_snprintf(filepath, 1024, "%s/secmod.db",
mc->pCertificateDatabase);
- if (!(check_path(pw->pw_uid, pw->pw_gid, filepath, p))) {
+ if (!(check_path(mc->user, pw->pw_uid, pw->pw_gid, filepath, p))) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server,
"Server user %s lacks read access to NSS secmod "
"database %s.", mc->user, filepath);
--
2.9.3