authorLennart Poettering <lennart@poettering.net>2016-10-06 17:54:12 +0200
committerLennart Poettering <lennart@poettering.net>2016-10-06 19:04:10 +0200
commit97f0e76f18d322d29bcfbc4ab6bb9cd67a1cdd54 (patch)
tree658b2caae552a9a7be6810dab6b44e653a89fef9 /src/basic/user-util.c
parent7429b2eb8308f3a2bf8c28d555fcdf5e961e65f0 (diff)
user-util: rework maybe_setgroups() a bit
Let's drop the caching of the setgroups /proc field for now. While there's a strict regime in place when it changes states, let's better not cache it since we cannot really be sure we follow that regime correctly. More importantly however, this is not in performance sensitive code, and there's no indication the cache is really beneficial, hence let's drop the caching and make things a bit simpler. Also, while we are at it, rework the error handling a bit, and always return negative errno-style error codes, following our usual coding style. This has the benefit that we can sensibly handle read_one_line_file() errors, without having to update errno explicitly.
Diffstat (limited to 'src/basic/user-util.c')
-rw-r--r--src/basic/user-util.c49
1 files changed, 28 insertions, 21 deletions
diff --git a/src/basic/user-util.c b/src/basic/user-util.c
index 16496fccfa..de6c93056e 100644
--- a/src/basic/user-util.c
+++ b/src/basic/user-util.c
@@ -460,9 +460,11 @@ int get_shell(char **_s) {
}
int reset_uid_gid(void) {
+ int r;
- if (maybe_setgroups(0, NULL) < 0)
- return -errno;
+ r = maybe_setgroups(0, NULL);
+ if (r < 0)
+ return r;
if (setresgid(0, 0, 0) < 0)
return -errno;
@@ -605,25 +607,30 @@ bool valid_home(const char *p) {
}
int maybe_setgroups(size_t size, const gid_t *list) {
- static int cached_can_setgroups = -1;
- /* check if setgroups is allowed before we try to drop all the auxiliary groups */
- if (size == 0) {
- if (cached_can_setgroups < 0) {
- _cleanup_free_ char *setgroups_content = NULL;
- int r = read_one_line_file("/proc/self/setgroups", &setgroups_content);
- if (r < 0 && errno != ENOENT)
- return r;
- if (r < 0) {
- /* old kernels don't have /proc/self/setgroups, so assume we can use setgroups */
- cached_can_setgroups = true;
- } else {
- cached_can_setgroups = streq(setgroups_content, "allow");
- if (!cached_can_setgroups)
- log_debug("skip setgroups, /proc/self/setgroups is set to 'deny'");
- }
- }
- if (!cached_can_setgroups)
+ int r;
+
+ /* Check if setgroups is allowed before we try to drop all the auxiliary groups */
+ if (size == 0) { /* Dropping all aux groups? */
+ _cleanup_free_ char *setgroups_content = NULL;
+ bool can_setgroups;
+
+ r = read_one_line_file("/proc/self/setgroups", &setgroups_content);
+ if (r == -ENOENT)
+ /* Old kernels don't have /proc/self/setgroups, so assume we can use setgroups */
+ can_setgroups = true;
+ else if (r < 0)
+ return r;
+ else
+ can_setgroups = streq(setgroups_content, "allow");
+
+ if (!can_setgroups) {
+ log_debug("Skipping setgroups(), /proc/self/setgroups is set to 'deny'");
return 0;
+ }
}
- return setgroups(size, list);
+
+ if (setgroups(size, list) < 0)
+ return -errno;
+
+ return 0;
}
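Review bot: The skip branch in maybe_setgroups() returns 0, the same value as a successful setgroups(), so a caller cannot tell whether the auxiliary groups were actually dropped; reset_uid_gid() in the first hunk proceeds to setresgid() either way. If that is intended (presumably because setgroups() would fail with EPERM in that state anyway), the contract deserves a comment on the function, e.g. `/* Returns 0 also when setgroups() was skipped because /proc/self/setgroups is not "allow"; the supplementary groups are then left unchanged. */`. Any content other than "allow" takes this branch, yet the log message always reports 'deny'; logging the value that was read would make an unexpected state visible when auditing a privilege drop.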