cherry-pick uri security fix
[git.ikiwiki.info.git] / ikiwiki-mass-rebuild
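index fa8bd913db1844e793062052379248e4612ef2fd..8cc6f45c1d9f6fbd21b40e403bc3d5561bb93d3e 100755 (executable)
--- a/ikiwiki-mass-rebuild
+++ b/ikiwiki-mass-rebuild
@@ -2,6 +2,19 @@
 use warnings;
 use strict;
 
+sub supplemental_groups {
+       my $user=shift;
+
+       my @list;
+       while (my @fields=getgrent()) {
+               if (grep { $_ eq $user } split(' ', $fields[3])) {
+                       push @list, $fields[2];
+               }
+       }
+
+       return @list;
+}
+
 sub processline {
        my $user=shift;
        my $setup=shift;
@@ -20,15 +33,21 @@ sub processline {
        defined(my $pid = fork) or die "Can’t fork: $!";
        if (! $pid) {
                my ($uuid, $ugid) = (getpwnam($user))[2, 3];
-               $)="$ugid $ugid";
+               my $grouplist=join(" ", $ugid, $ugid, supplemental_groups($user));
+               $)=$grouplist;
+               if ($!) {
+                       die "failed to set egid $grouplist: $!";
+               }
                $(=$ugid;
                $<=$uuid;
                $>=$uuid;
-               if ($< != $uuid || $> != $uuid || $( != $ugid || $) ne "$ugid $ugid") {
+               if ($< != $uuid || $> != $uuid || $( != $ugid) {
                        die "failed to drop permissions to $user";
                }
-               %ENV=();
-               $ENV{HOME}=(getpwnam($user))[7];
+               %ENV=(
+                       PATH => $ENV{PATH},
+                       HOME => (getpwnam($user))[7],
+               );
                exec("ikiwiki", "-setup", $setup, @ARGV);
                die "failed to run ikiwiki: $!";
        }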
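Review bot: The `if ($!)` test after `$)=$grouplist;` in the second hunk reads an errno that was never cleared, so it reports whatever the last failing call left behind rather than the outcome of the group change. The `getgrent()` loop in `supplemental_groups` runs just before it and may leave `$!` set at the end of enumeration on some libcs (worth confirming), which would kill the child even though the groups were applied; putting `$!=0;` directly before `$)=$grouplist;` makes the check mean what it says. The later condition also no longer looks at `$)` at all, so the effective gid has no explicit post-condition; adding `|| $) != $ugid` to the `if ($< != $uuid ...` line would restore one for the primary group. Nothing visible here checks that `getpwnam($user)` succeeded: for an unknown user `$uuid` and `$ugid` would be undef and compare as 0, so a `defined $uuid or die "unknown user $user";` before `$grouplist` is built seems warranted unless the part of processline outside the hunk already validates the name.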