lib: Don't change uid/gid if we are already the correct uid/gid

Signed-off-by: Martin Winter <mwinter@opensourcerouting.org>
2025-08-07 06:03:10 +00:00 · 2017-01-21 02:48:45 +07:00 · 2017-01-21 02:48:45 +07:00 · 38657f2ebd
commit 38657f2ebd
parent ce2e9ec3ad
2 changed files with 19 additions and 9 deletions
--- a/lib/privs.c
+++ b/lib/privs.c
@ -251,7 +251,8 @@ zprivs_caps_init (struct zebra_privs_t *zprivs)
    }
  /* we have caps, we have no need to ever change back the original user */
-  if (zprivs_state.zuid)
+    /* only change uid if we don't have the correct one */
    if ((zprivs_state.zuid) && (zprivs_state.zsuid != zprivs_state.zuid))
    {
      if ( setreuid (zprivs_state.zuid, zprivs_state.zuid) )
        {
@ -531,7 +532,8 @@ zprivs_caps_init (struct zebra_privs_t *zprivs)
  /* we have caps, we have no need to ever change back the original user
   * change real, effective and saved to the specified user.
   */
-  if (zprivs_state.zuid)
+   /* only change uid if we don't have the correct one */
   if ((zprivs_state.zuid) && (zprivs_state.zsuid != zprivs_state.zuid))
    {
      if ( setreuid (zprivs_state.zuid, zprivs_state.zuid) )
        {
@ -602,7 +604,8 @@ zprivs_caps_terminate (void)
 int
 zprivs_change_uid (zebra_privs_ops_t op)
 {
-
+  if (zprivs_state.zsuid == zprivs_state.zuid)
    return 0;
  if (op == ZPRIVS_RAISE)
    return seteuid (zprivs_state.zsuid);
  else if (op == ZPRIVS_LOWER)
@ -766,7 +769,8 @@ zprivs_init(struct zebra_privs_t *zprivs)
        }
    }
-  if (ngroups)
+  /* add groups only if we changed uid - otherwise skip */
  if ((ngroups) && (zprivs_state.zsuid != zprivs_state.zuid))
    {
      if ( setgroups (ngroups, groups) )
        {
@ -776,7 +780,8 @@ zprivs_init(struct zebra_privs_t *zprivs)
        }
    }
-  if (zprivs_state.zgid)
+  /* change gid only if we changed uid - otherwise skip */
  if ((zprivs_state.zgid) && (zprivs_state.zsuid != zprivs_state.zuid))
    {
      /* change group now, forever. uid we do later */
      if ( setregid (zprivs_state.zgid, zprivs_state.zgid) )
@ -797,7 +802,8 @@ zprivs_init(struct zebra_privs_t *zprivs)
   * This is not worth that much security wise, but all we can do.
   */
  zprivs_state.zsuid = geteuid();  
-  if ( zprivs_state.zuid )
+  /* only change uid if we don't have the correct one */
  if (( zprivs_state.zuid ) && (zprivs_state.zsuid != zprivs_state.zuid))
    {
      if ( setreuid (-1, zprivs_state.zuid) )
        {
@ -824,7 +830,8 @@ zprivs_terminate (struct zebra_privs_t *zprivs)
 #ifdef HAVE_CAPABILITIES
  zprivs_caps_terminate();
 #else /* !HAVE_CAPABILITIES */
-  if (zprivs_state.zuid)
+  /* only change uid if we don't have the correct one */
  if ((zprivs_state.zuid) && (zprivs_state.zsuid != zprivs_state.zuid))
    {
      if ( setreuid (zprivs_state.zuid, zprivs_state.zuid) )
        {
--- a/lib/vty.c
+++ b/lib/vty.c
@ -2091,8 +2091,11 @@ vty_serv_un (const char *path)
  umask (old_mask);
  zprivs_get_ids(&ids);
-  
+
-  if (ids.gid_vty > 0)
+  /* Hack: ids.gid_vty is actually a uint, but we stored -1 in it
     earlier for the case when we don't need to chown the file
     type casting it here to make a compare */
  if ((int)ids.gid_vty > 0)
    {
      /* set group of socket */
      if ( chown (path, -1, ids.gid_vty) )