Only activate groups for users with passwd entry #10308
Conversation
|
Thank you for your pull request. Before we can look at it, you'll need to sign a Contributor License Agreement (CLA). Please follow instructions at https://icinga.com/company/contributor-agreement to sign the CLA. After that, please reply here with a comment and we'll verify. Contributors that have not signed yet: @rezemble
|
There was a problem hiding this comment.
Thanks for using Icinga and creating this Pull Request.
Next to my comments in your issue #10307, I am a bit unsure about the proposed changes. This code would result in skipping the user impersonation (which is a kind of dropping privileges) if the configured user does not exists in the system's user database without any notice.
| << "Please re-run this command as a privileged user or using the \"" << user << "\" account."; | ||
| return EXIT_FAILURE; | ||
| } | ||
| // only respect groups if there exists a passwd entry for the current user |
There was a problem hiding this comment.
This comment does not represent what actually happens in the following block.
pw is populated by getpwnam(3) on Configuration::RunAsUser, defaulting to icinga2 or nagios (on Debian), but can be overwritten both during compile and runtime via ICINGA2_USER. Thus, if such a user is present in the user database, this if block is being accessed.
I only see one group-related code within, and this is the initgroups(3) call based on the user name and pw->pw_gid. Does this fail for you?
Addresses #10307 - enables running Icinga with arbitrary UIDs