Don't try to change gid unless we're privileged.

This affects both tripe(8) and tripectl(1).  The options are still
useful, since they determine the ownership of the administration socket.

This is a result of a long-standing error by the author, who assumed
that it was possible to setgid(2) to any existing supplementary group.

diff --git a/client/tripectl.1.in b/client/tripectl.1.in
index d517f9b..4c6777e 100644 (file)
--- a/client/tripectl.1.in
+++ b/client/tripectl.1.in
@@ -200,7 +200,9 @@ and
 options.
 .TP
 .BI "\-G, \-\-setgid=" group
-Set gid to that of
+If the current effective uid is zero (i.e., the daemon was invoked as
+.BR root )
+then set gid to that of
 .I group
 (either a group name or integer gid) after initialization.  If a new
 .BR tripe (8)

diff --git a/common/util.c b/common/util.c
index 92b9853..78358b3 100644 (file)
--- a/common/util.c
+++ b/common/util.c
@@ -137,7 +137,9 @@ gid_t u_getgroup(const char *name)
 
 void u_setugid(uid_t u, gid_t g)
 {
-  if (g != (gid_t)-1) {
+  uid_t cu = geteuid();
+
+  if (cu == 0 && g != (gid_t)-1) {
     if (setgid(g) || (getuid() == 0 && setgroups(1, &g))) {
       die(EXIT_FAILURE, "couldn't setgid to %u: %s",
          (unsigned)g, strerror(errno));

diff --git a/server/tripe.8.in b/server/tripe.8.in
index 9721246..14ee0ab 100644 (file)
--- a/server/tripe.8.in
+++ b/server/tripe.8.in
@@ -223,9 +223,13 @@ option.  The selected user (and group) will also be the owner of the
 administration socket.
 .TP
 .BI "\-G, \-\-setgid=" group
-Set gid to that of
+If the current effective uid is zero (i.e., the daemon was invoked as
+.BR root )
+then set gid to that of
 .I group
-(either a group name or integer gid) after initialization.
+(either a group name or integer gid) after initialization.  In any
+event, arrange hat the administration socket be owned by the given
+.IR group .
 .TP
 .BI "\-k, \-\-priv\-keyring=" file
 Reads the private key from