
Commit c30f3d9d authored by Mike Hibler

A little more scrutiny of the target directory in runsuid.

Also, get rid of message about "you must run post-install".
parent 413b3b7c
......@@ -51,11 +51,9 @@ genlastlog: genlastlog.c
install: $(addprefix $(INSTALL_LIBEXECDIR)/, $(BINS)) \
$(addprefix $(INSTALL_SBINDIR)/, $(SBINS))
@echo "Don't forget to do a post-install as root"
post-install:
chown root $(INSTALL_LIBEXECDIR)/suexec
chmod u+s $(INSTALL_LIBEXECDIR)/suexec
@echo "post-install no longer required"
#
# Control node installation (okay, plastic)
......
......@@ -48,17 +48,29 @@ static void
sanedir(char *dir)
{
struct stat sb;
char *rpath;
if (stat(dir, &sb) != 0) {
if ((rpath = realpath(dir, NULL)) == NULL) {
perror(dir);
exit(1);
}
if (strncmp(rpath, TBROOT, strlen(TBROOT)) != 0) {
fprintf(stderr, "%s: must be in %s\n", dir, TBROOT);
exit(1);
}
if (stat(rpath, &sb) != 0) {
perror(dir);
exit(1);
}
if (sb.st_uid != 0 ||
!S_ISDIR(sb.st_mode) || (sb.st_mode & (S_IWGRP|S_IWOTH)) != 0) {
fprintf(stderr, "%s: must be root-owned, unwritable dir\n",
SUIDDIR);
dir);
exit(1);
}
free(rpath);
}
static char **
......
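Review bot: The containment test `strncmp(rpath, TBROOT, strlen(TBROOT)) != 0` in sanedir is a plain string-prefix match, so a resolved path that only shares its leading characters with TBROOT (a sibling directory whose name extends TBROOT's) passes unless TBROOT is defined with a trailing slash; that definition is outside this hunk. Assuming no trailing slash, require a component boundary too: `size_t n = strlen(TBROOT);` followed by `if (strncmp(rpath, TBROOT, n) != 0 || (rpath[n] != '/' && rpath[n] != '\0')) {`. The owner and mode test inspects only the final directory, so a short comment such as `/* parents between TBROOT and dir are assumed root-owned and not group/other-writable */` would record the assumption this check relies on, or the same test could be applied to each parent up to TBROOT. The page has lost its +/- markers, so this reads the realpath/strncmp lines and the `dir` argument to the last fprintf as the new side.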