bb11557 - drop AllowSupplementaryGroups option and make it default, patch by Sebastian A. Siewior

10 years ago · 2ea4230df2
parent 97930c2400
commit 2ea4230df2
10 changed files with 26 additions and 88 deletions
--- a/clamav-milter/clamav-milter.c
+++ b/clamav-milter/clamav-milter.c
@ -298,28 +298,17 @@ int main(int argc, char **argv) {
 	    return 1;
 	}
 	if(optget(opts, "AllowSupplementaryGroups")->enabled) {
 #ifdef HAVE_INITGROUPS
-	    if(initgroups(opt->strarg, user->pw_gid)) {
+	if(initgroups(user->pw_name, user->pw_gid)) {
-		fprintf(stderr, "ERROR: initgroups() failed.\n");
+	    fprintf(stderr, "ERROR: initgroups() failed.\n");
 		optfree(opts);
 		return 1;
 	    }
 #else
 	    mprintf("!AllowSupplementaryGroups: initgroups() is not available, please disable AllowSupplementaryGroups\n");
 	    optfree(opts);
 	    return 1;
 #endif
 	} else {
 #ifdef HAVE_SETGROUPS
 	    if(setgroups(1, &user->pw_gid)) {
 		fprintf(stderr, "ERROR: setgroups() failed.\n");
 		optfree(opts);
 		return 1;
 	    }
 #endif
 	}
-
+#elif HAVE_SETGROUPS
 	if(setgroups(1, &user->pw_gid)) {
 	    fprintf(stderr, "ERROR: setgroups() failed.\n");
 	    return 1;
 	}
 #endif
 	if(setgid(user->pw_gid)) {
 	    fprintf(stderr, "ERROR: setgid(%d) failed.\n", (int) user->pw_gid);
 	    optfree(opts);
--- a/clamd/clamd.c
+++ b/clamd/clamd.c
@ -216,27 +216,17 @@ int main(int argc, char **argv)
            return 1;
        }
        if(optget(opts, "AllowSupplementaryGroups")->enabled) {
 #ifdef HAVE_INITGROUPS
-            if(initgroups(opt->strarg, user->pw_gid)) {
+	if(initgroups(user->pw_name, user->pw_gid)) {
-                fprintf(stderr, "ERROR: initgroups() failed.\n");
+		fprintf(stderr, "ERROR: initgroups() failed.\n");
-                optfree(opts);
+		return 1;
-                return 1;
+	}
-            }
+#elif HAVE_SETGROUPS
-#else
+	if(setgroups(1, &user->pw_gid)) {
-            mprintf("!AllowSupplementaryGroups: initgroups() is not available, please disable AllowSupplementaryGroups in %s\n", cfgfile);
+		fprintf(stderr, "ERROR: setgroups() failed.\n");
-            optfree(opts);
+		return 1;
-            return 1;
+	}
 #endif
        } else {
 #ifdef HAVE_SETGROUPS
            if(setgroups(1, &user->pw_gid)) {
                fprintf(stderr, "ERROR: setgroups() failed.\n");
                optfree(opts);
                return 1;
            }
 #endif
        }
        if(setgid(user->pw_gid)) {
            fprintf(stderr, "ERROR: setgid(%d) failed.\n", (int) user->pw_gid);
--- a/docs/man/clamav-milter.conf.5.in
+++ b/docs/man/clamav-milter.conf.5.in
@ -57,11 +57,6 @@ Run as another user (clamav-milter must be started by root for this option to wo
 .br
 Default: unset (don\'t drop privileges)
 .TP 
 \fBAllowSupplementaryGroups BOOL\fR
 Initialize supplementary group access (clamav-milter must be started by root).
 .br 
 Default: no
 .TP 
 \fBReadTimeout NUMBER\fR
 Waiting for data from clamd will timeout after this time (seconds).
 .br 
--- a/docs/man/clamd.conf.5.in
+++ b/docs/man/clamd.conf.5.in
@ -270,11 +270,6 @@ Run the daemon as a specified user (the process must be started by root).
 .br
 Default: disabled
 .TP
 \fBAllowSupplementaryGroups BOOL\fR
 Initialize a supplementary group access (the process must be started by root).
 .br
 Default: no
 .TP
 \fBBytecode BOOL\fR
 With this option enabled ClamAV will load bytecode from the database. It is highly recommended you keep this option turned on, otherwise you may miss detections for many new viruses.
 .br
--- a/docs/man/freshclam.conf.5.in
+++ b/docs/man/freshclam.conf.5.in
@ -76,11 +76,6 @@ Enable debug messages in libclamav.
 .br
 Default: no
 .TP 
 \fBAllowSupplementaryGroups BOOL\fR
 Initialize supplementary group access (freshclam must be started by root).
 .br 
 Default: disabled
 .TP 
 \fBUpdateLogFile STRING\fR
 Enable logging to a specified file. Highly recommended.
 .br 
--- a/etc/clamav-milter.conf.sample
+++ b/etc/clamav-milter.conf.sample
@ -38,11 +38,6 @@ Example
 # Default: unset (don't drop privileges)
 #User clamav
 # Initialize supplementary group access (clamav-milter must be started by root).
 #
 # Default: no
 #AllowSupplementaryGroups no
 # Waiting for data from clamd will timeout after this time (seconds).
 # Value of 0 disables the timeout.
 #
--- a/etc/clamd.conf.sample
+++ b/etc/clamd.conf.sample
@ -202,10 +202,6 @@ Example
 # Default: don't drop privileges
 #User clamav
 # Initialize supplementary group access (clamd must be started by root).
 # Default: no
 #AllowSupplementaryGroups no
 # Stop daemon when libclamav reports out of memory condition.
 #ExitOnOOM yes
--- a/etc/freshclam.conf.sample
+++ b/etc/freshclam.conf.sample
@ -55,10 +55,6 @@ Example
 # Default: clamav (may depend on installation options)
 #DatabaseOwner clamav
 # Initialize supplementary group access (freshclam must be started by root).
 # Default: no
 #AllowSupplementaryGroups yes
 # Use DNS to verify virus database version. Freshclam uses DNS TXT records
 # to verify database and software versions. With this directive you can change
 # the database verification domain.
--- a/freshclam/freshclam.c
+++ b/freshclam/freshclam.c
@ -419,28 +419,17 @@ main (int argc, char **argv)
            return FCE_USERINFO;
        }
        if (optget (opts, "AllowSupplementaryGroups")->enabled)
        {
 #ifdef HAVE_INITGROUPS
-            if (initgroups (dbowner, user->pw_gid))
+	if (initgroups(dbowner, user->pw_gid)) {
-            {
+		logg ("^initgroups() failed.\n");
-                logg ("^initgroups() failed.\n");
+		return FCE_USERORGROUP;
-                optfree (opts);
+	}
-                return FCE_USERORGROUP;
+#elif HAVE_SETGROUPS
-            }
+	if (setgroups(1, &user->pw_gid)) {
-#endif
+		logg ("^setgroups() failed.\n");
-        }
+		return FCE_USERORGROUP;
-        else
+	}
        {
 #ifdef HAVE_SETGROUPS
            if (setgroups (1, &user->pw_gid))
            {
                logg ("^setgroups() failed.\n");
                optfree (opts);
                return FCE_USERORGROUP;
            }
 #endif
        }
        if (setgid (user->pw_gid))
        {
--- a/shared/optparser.c
+++ b/shared/optparser.c
@ -290,8 +290,6 @@ const struct clam_option __clam_options[] = {
    { "User", NULL, 0, CLOPT_TYPE_STRING, NULL, -1, NULL, 0, OPT_CLAMD | OPT_MILTER, "Run the daemon as a specified user (the process must be started by root).", "clamav" },
    { "AllowSupplementaryGroups", NULL, 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_FRESHCLAM | OPT_MILTER, "Initialize a supplementary group access (the process must be started by root).", "no" },
    /* Scan options */
    { "Bytecode", "bytecode", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 1, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "With this option enabled ClamAV will load bytecode from the database. It is highly recommended you keep this option on, otherwise you'll miss detections for many new viruses.", "yes" },