diff options
Diffstat (limited to 'cpp')
| -rw-r--r-- | cpp/src/Ice/Instance.cpp | 23 | ||||
| -rw-r--r-- | cpp/src/IceGrid/Activator.cpp | 33 |
2 files changed, 53 insertions, 3 deletions
diff --git a/cpp/src/Ice/Instance.cpp b/cpp/src/Ice/Instance.cpp index 8997a0d6619..1ba733637e6 100644 --- a/cpp/src/Ice/Instance.cpp +++ b/cpp/src/Ice/Instance.cpp @@ -56,6 +56,10 @@ # include <sys/types.h> #endif +#ifdef __linux +# include <grp.h> // for initgroups +#endif + #include <Ice/UdpEndpointI.h> #ifndef ICE_OS_WINRT @@ -908,15 +912,30 @@ IceInternal::Instance::Instance(const CommunicatorPtr& communicator, const Initi string newUser = _initData.properties->getProperty("Ice.ChangeUser"); if(!newUser.empty()) { + errno = 0; struct passwd* pw = getpwnam(newUser.c_str()); if(!pw) { + if(errno) + { + SyscallException ex(__FILE__, __LINE__); + ex.error = getSystemErrno(); + throw ex; + } + else + { + throw "Unknown user account `" + newUser + "'"; + } + } + + if(setgid(pw->pw_gid) == -1) + { SyscallException ex(__FILE__, __LINE__); ex.error = getSystemErrno(); throw ex; } - - if(setgid(pw->pw_gid) == -1) + + if(initgroups(pw->pw_name, pw->pw_gid) == -1) { SyscallException ex(__FILE__, __LINE__); ex.error = getSystemErrno(); diff --git a/cpp/src/IceGrid/Activator.cpp b/cpp/src/IceGrid/Activator.cpp index 8b82e567cf4..4fa62779a04 100644 --- a/cpp/src/IceGrid/Activator.cpp +++ b/cpp/src/IceGrid/Activator.cpp @@ -28,6 +28,7 @@ #ifndef _WIN32 # include <sys/wait.h> # include <signal.h> +# include <pwd.h> // for getpwuid #else #ifndef SIGKILL # define SIGKILL 9 @@ -37,6 +38,10 @@ #endif #endif +#ifdef __linux +# include <grp.h> // for initgroups +#endif + using namespace std; using namespace Ice; using namespace IceInternal; @@ -658,7 +663,33 @@ Activator::activate(const string& name, os << gid; reportChildError(getSystemErrno(), errorFds[1], "cannot set process group id", os.str().c_str(), _traceLevels); - } + } + + errno = 0; + struct passwd* pw = getpwuid(uid); + if(!pw) + { + if(errno) + { + reportChildError(getSystemErrno(), errorFds[1], "cannot read the password database", "", + _traceLevels); + } + else + { + ostringstream os; + os << uid; + reportChildError(getSystemErrno(), errorFds[1], "unknown user uid" , os.str().c_str(), + _traceLevels); + } + } + + if(initgroups(pw->pw_name, gid) == -1) + { + ostringstream os; + os << pw->pw_name; + reportChildError(getSystemErrno(), errorFds[1], "cannot initialize process supplementary group access list for user", + os.str().c_str(), _traceLevels); + } if(setuid(uid) == -1) { |