Package: apt-cacher
Version: 1.1
Severity: normal
Tags: patch

Problem the first:
The apt-cacher2 script sets the user ID first, and the group ID second. This is backwards---setgid() may not work if the script dropped the necessary privileges in the setuid() call.

Problem the second:
The if-block that sets the group ID is calling setuid(), when it probably meant to call setgid(). (It also contains the error message "Unknown user ID"...)

(semi-)Problem the third:
I am using apt-cacher 1.1 not out of the Debian package, but straight from source, with a locally-compiled set of up-to-date Perl modules on a Woody system. (Long story.) The only real problem I have encountered is that the POSIX::setuid() call, in Perl 5.6, doesn't work. Perl's $< and $> variables, on the other hand, behave exactly as they should. So---all else being equal---I submit that it would be better to use $< $> $( $) instead of POSIX::set[ug]id(), to avoid what amounts to a trivial incompatibility with Perl 5.6.

Attached is a patch that addresses these three issues. The only thing I'm not too sure about are the checks to verify that the user/group change happened correctly ("$( =~ /^$gid\b/" et al.), but those at least work for me.

--- apt-cacher2 Mon Sep 26 04:38:15 2005 +++ apt-cacher2.patched Tue Nov 29 02:32:42 2005 @@ -377,6 +377,20 @@ chdir $chroot; } +if($gid) { + if($gid=~/^\d+$/) { + my $name=getgrgid($gid); + die "Unknown group ID: $gid (exiting)\n" if !$name; + } + else { + $gid=getgrnam($gid); + die "No such group (exiting)\n" if !$gid; + } + $) = $gid; + $( = $gid; + $) =~ /^$gid\b/ && $( =~ /^$gid\b/ || barf("Unable to change group id"); +} + if($uid) { if($uid=~/^\d+$/) { my $name=getpwuid($uid); @@ -386,19 +400,9 @@ $uid=getpwnam($uid); die "No such user (exiting)\n" if !$uid; } - setuid($uid) || barf("Unable to change user id"); -} - -if($gid) { - if($gid=~/^\d+$/) { - my $name=getgrgid($gid); - die "Unknown user ID: $gid (exiting)\n" if !$name; - } - else { - $gid=getgrnam($gid); - die "No such group (exiting)\n" if !$gid; - } - setuid($gid) || barf("Unable to change group id"); + $> = $uid; + $< = $uid; + $> == $uid && $< == $uid || barf("Unable to change user id"); } &open_log_files;
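
Review bot: in the first hunk (the new group block), `$) = $gid;` assigns a single number, which changes the effective GID but does not reset the supplementary group list the process inherited from whoever started it. perlvar documents that the list is only replaced when `$)` is given a space-separated string, so `$) = "$gid $gid";` is what sets the effective GID and reduces the supplementary groups to that one group. The check `$) =~ /^$gid\b/` looks only at the first number in the string, so it passes even when extra groups remain; it should confirm that no group other than $gid appears in `$)`.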
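
Review bot: in the second hunk (the user block), the verification `$> == $uid && $< == $uid` compares only the real and effective UIDs and says nothing about the saved set-user-ID. With `$> = $uid;` followed by `$< = $uid;`, whether the saved ID is also replaced depends on which system call the Perl build maps each assignment to, so a process that passes this check may still be able to switch back to its original UID. Suggest adding a check after the two assignments that an attempt to restore the original effective UID fails, and calling barf() if it succeeds, before execution reaches `&open_log_files`.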