Package: apt-cacher
Version: 1.1
Severity: normal
Tags: patch

Problem the first:

The apt-cacher2 script sets the user ID first, and the group ID second. 
This is backwards---setgid() may not work if the script dropped the 
necessary privileges in the setuid() call.


Problem the second:

The if-block that sets the group ID is calling setuid(), when it 
probably meant to call setgid(). (It also contains the error message 
"Unknown user ID"...)


(semi-)Problem the third:

I am using apt-cacher 1.1 not out of the Debian package, but straight
from source, with a locally-compiled set of up-to-date Perl modules on a
Woody system. (Long story.)

The only real problem I have encountered is that the POSIX::setuid()
call, in Perl 5.6, doesn't work. Perl's $< and $> variables, on the
other hand, behave exactly as they should. So---all else being equal---I
submit that it would be better to use $< $> $( $) instead of
POSIX::set[ug]id(), to avoid what amounts to a trivial incompatibility
with Perl 5.6.


Attached is a patch that addresses these three issues. The only thing
I'm not too sure about are the checks to verify that the user/group
change happened correctly ("$( =~ /^$gid\b/" et al.), but those at
least work for me.
--- apt-cacher2 Mon Sep 26 04:38:15 2005
+++ apt-cacher2.patched Tue Nov 29 02:32:42 2005
@@ -377,6 +377,20 @@
     chdir $chroot;
 }
 
+if($gid) {
+    if($gid=~/^\d+$/) {
+        my $name=getgrgid($gid);
+        die "Unknown group ID: $gid (exiting)\n" if !$name;
+    }
+    else {
+        $gid=getgrnam($gid);
+        die "No such group (exiting)\n" if !$gid;
+    }
+    $) = $gid;
+    $( = $gid;
+    $) =~ /^$gid\b/ && $( =~ /^$gid\b/ || barf("Unable to change group id");
+}
+
 if($uid) {
     if($uid=~/^\d+$/) {
         my $name=getpwuid($uid);
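Review bot: In the added group block, `$) = $gid;` assigns a single number, which changes the effective GID but leaves the supplementary group list inherited from the invoking user in place, so a daemon started as root keeps root's extra groups after the drop. Perl treats a space-separated string assigned to `$)` as the effective GID followed by the list passed to setgroups(), so `$) = "$gid $gid";` would replace that list as well. The `/^$gid\b/` checks on `$)` and `$(` only look at the first number, so they cannot notice leftover supplementary groups; checking that every number in `$)` equals `$gid` would close that gap.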
@@ -386,19 +400,9 @@
         $uid=getpwnam($uid);
         die "No such user (exiting)\n" if !$uid;
     }
-    setuid($uid) || barf("Unable to change user id");
-}
-
-if($gid) {
-    if($gid=~/^\d+$/) {
-        my $name=getgrgid($gid);
-        die "Unknown user ID: $gid (exiting)\n" if !$name;
-    }
-    else {
-        $gid=getgrnam($gid);
-        die "No such group (exiting)\n" if !$gid;
-    }
-    setuid($gid) || barf("Unable to change group id");
+    $> = $uid;
+    $< = $uid;
+    $> == $uid && $< == $uid || barf("Unable to change user id");
 }
 
 &open_log_files;
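Review bot: The check `$> == $uid && $< == $uid` compares only the real and effective UIDs, and neither variable exposes the saved set-user-ID, so it does not prove the drop is irreversible. Because `$> = $uid;` runs before `$< = $uid;`, the real UID is changed after the effective UID has already left root, and whether the saved UID is reset as well depends on which system call the Perl build maps these assignments to. Since `$uid` is non-zero inside this block, a stronger verification is to attempt `$> = 0;` after the two assignments and call barf() if `$>` then reads 0.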
