Fix FreeBSD credentials
Ubic::Credentials::POSIX doesn't work on FreeBSD. It has something to do with the order of setting effective and real uid (and also gids).
I tried to fix it in 1.39, but it turned out Perl activates taint mode in this case, so since the 1.43 release we're back at "works on linux and broken on freebsd". It works fine on Mac OS X, though.
Why not use POSIX::setuid() to set the effective and real uids in one call? It should work on most POSIX systems.
This might work, thanks, I didn't know about it.
As far as I remember, the issue is also about the order of real/effective group assignments. I see that there is POSIX::setgid, but it doesn't support complementary groups.
Yes, it is not easy to set complementary groups, because there is no getgrent in the POSIX module.
But setting complementary groups is a non-obvious and in most cases unexpected feature.
If the config says:
user = foo
group = bar
It is not obvious (yet documented), that complementary groups for user foo will be used.
If complementary groups are explicitly set in the config, it is possible to set credentials under FreeBSD with code like this:
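use POSIX;
my $user = 'citrin';
my @groups = qw(citrin quagga);
# The first listed group becomes the primary gid.
my $gid = (getgrnam $groups[0])[2];
my $groups = join ' ', map { (getgrnam $_)[2] } @groups;
# "$egid $g1 $g2 ..." sets the effective gid and the supplementary group list.
$) = $gid.' '.$groups;
# POSIX::setgid/setuid set the real and effective ids in one call; gid goes first, while still privileged.
setgid($gid) or die $!;
setuid( (getpwnam($user))[2] ) or die $!;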
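The ordering discussed above (supplementary groups, then gid, then uid), as an added example that is not part of this thread or of Ubic's code. It assumes the process starts as root and that groups are given explicitly; `resolve_ids` and `drop_privileges` are hypothetical names, and it verifies the resulting credentials rather than trusting return codes.

```perl
use strict;
use warnings;
use POSIX ();

# Resolve names before touching credentials, so a typo fails while still root.
sub resolve_ids {
    my ($user, @groups) = @_;
    my $uid  = getpwnam($user) // die "unknown user '$user'\n";
    my @gids = map { getgrnam($_) // die "unknown group '$_'\n" } @groups;
    return ($uid, @gids);
}

sub drop_privileges {
    my ($user, @groups) = @_;
    my ($uid, @gids) = resolve_ids($user, @groups);
    @gids or die "need at least one explicit group\n";
    my $gid = $gids[0];    # first listed group is the primary gid

    # 1. Supplementary groups: assigning "$egid $g1 $g2 ..." to $) makes perl
    #    call setgroups(). This needs root, so it must happen before setuid().
    $! = 0;
    $) = join ' ', $gid, @gids;
    die "setting groups failed: $!\n" if $!;

    # 2. Real and effective gid, then 3. real and effective uid, one call each.
    POSIX::setgid($gid) or die "setgid($gid): $!\n";
    POSIX::setuid($uid) or die "setuid($uid): $!\n";

    # Verify the result: ids match and no inherited groups are left over.
    POSIX::getuid() == $uid && POSIX::geteuid() == $uid
        or die "uid not fully dropped\n";
    POSIX::getgid() == $gid && POSIX::getegid() == $gid
        or die "gid not fully dropped\n";
    my %allowed = map { $_ => 1 } @gids;
    my @extra = grep { !$allowed{$_} } POSIX::getgroups();
    die "unexpected supplementary groups: @extra\n" if @extra;
    # For a non-root target the drop must be irreversible.
    die "root can be regained\n" if $uid != 0 && POSIX::setuid(0);
    return 1;
}

# Run as root: perl drop.pl USER GROUP [GROUP...]  (file name is a placeholder)
unless (caller) {
    @ARGV >= 2 or die "usage: $0 user group [group...]\n";
    drop_privileges(@ARGV);
    print "uid=", POSIX::getuid(), " groups=", join(',', POSIX::getgroups()), "\n";
}
```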
> It is not obvious (yet documented), that complementary groups for user foo will be used.
Wait, where is it documented? Ubic uses main/complementary groups of user only if no groups are explicitly specified.
Thank you for the code sample. I'll try to check if it works on all platforms.
BTW, my long-term plan is to separate credentials code into a separate distribution (OS::Credentials?). I hope to get to it in the next couple of releases.
> Wait, where is it documented? Ubic uses main/complementary groups of user only if no groups are explicitly specified.
Yes, my fault, I misread the doc.