nfqws,tpws: use initgroups() if --user specified

2025-08-10 01:02:03 +03:00 · 2025-06-11 20:15:43 +03:00
parent f3d48b7160
commit f09d918b40
11 changed files with 125 additions and 97 deletions
--- a/tpws/params.c
+++ b/tpws/params.c
@@ -258,3 +258,24 @@ void dp_list_destroy(struct desync_profile_list_head *head)
 		dp_entry_destroy(entry);
 	}
 }
+
+
+#if !defined( __OpenBSD__) && !defined(__ANDROID__)
+void cleanup_args(struct params_s *params)
+{
+	wordfree(&params->wexp);
+}
+#endif
+void cleanup_params(struct params_s *params)
+{
+#if !defined( __OpenBSD__) && !defined(__ANDROID__)
+	cleanup_args(params);
+#endif
+
+	dp_list_destroy(&params->desync_profiles);
+
+	hostlist_files_destroy(&params->hostlists);
+	ipset_files_destroy(&params->ipsets);
+	ipcacheDestroy(&params->ipcache);
+	free(params->user); params->user=NULL;
+}
--- a/tpws/params.h
+++ b/tpws/params.h
@@ -117,8 +117,9 @@ struct params_s
 	bool fix_seg_avail;
 	bool no_resolve;
 	bool skip_nodelay;
-	bool droproot;
 	bool daemon;
+	bool droproot;
+	char *user;
 	uid_t uid;
 	gid_t gid[MAX_GIDS];
 	int gid_count;
@@ -155,6 +156,10 @@ struct params_s

 extern struct params_s params;
 extern const char *progname;
+#if !defined( __OpenBSD__) && !defined(__ANDROID__)
+void cleanup_args(struct params_s *params);
+#endif
+void cleanup_params(struct params_s *params);

 int DLOG(const char *format, int level, ...);
 int DLOG_CONDUP(const char *format, ...);
--- a/tpws/sec.c
+++ b/tpws/sec.c
@@ -269,7 +269,7 @@ bool can_drop_root(void)
 #endif
 }

-bool droproot(uid_t uid, gid_t *gid, int gid_count)
+bool droproot(uid_t uid, const char *user, const gid_t *gid, int gid_count)
 {
 	if (gid_count<1)
 	{
@@ -283,11 +283,23 @@ bool droproot(uid_t uid, gid_t *gid, int gid_count)
 		return false;
 	}
 #endif
-	// drop all SGIDs
-	if (setgroups(gid_count,gid))
+	if (user)
 	{
-		DLOG_PERROR("setgroups");
-		return false;
+		// macos has strange supp gid handling. they cache only 16 groups and fail setgroups if more than 16 gids specified.
+		// better to leave it to the os
+		if (initgroups(user,gid[0]))
+		{
+			DLOG_PERROR("initgroups");
+			return false;
+		}
+	}
+	else
+	{
+		if (setgroups(gid_count,gid))
+		{
+			DLOG_PERROR("setgroups");
+			return false;
+		}
 	}
 	if (setgid(gid[0]))
 	{
--- a/tpws/sec.h
+++ b/tpws/sec.h
@@ -84,7 +84,7 @@ bool dropcaps(void);

 bool sec_harden(void);
 bool can_drop_root();
-bool droproot(uid_t uid, gid_t *gid, int gid_count);
+bool droproot(uid_t uid, const char *user, const gid_t *gid, int gid_count);
 void print_id(void);
 void daemonize(void);
 bool writepid(const char *filename);
--- a/tpws/tpws.c
+++ b/tpws/tpws.c
@@ -290,32 +290,14 @@ static void exithelp(void)
 	);
 	exit(1);
 }
-#if !defined( __OpenBSD__) && !defined(__ANDROID__)
-static void cleanup_args()
-{
-	wordfree(&params.wexp);
-}
-#endif
-static void cleanup_params(void)
-{
-#if !defined( __OpenBSD__) && !defined(__ANDROID__)
-	cleanup_args();
-#endif
-
-	dp_list_destroy(&params.desync_profiles);
-
-	hostlist_files_destroy(&params.hostlists);
-	ipset_files_destroy(&params.ipsets);
-	ipcacheDestroy(&params.ipcache);
-}
 static void exithelp_clean(void)
 {
-	cleanup_params();
+	cleanup_params(&params);
 	exithelp();
 }
 static void exit_clean(int code)
 {
-	cleanup_params();
+	cleanup_params(&params);
 	exit(code);
 }
 static void nextbind_clean(void)
@@ -982,6 +964,7 @@ void parse_params(int argc, char *argv[])
 			break;
 		case IDX_USER:
 		{
+			free(params.user); params.user=NULL;
 			struct passwd *pwd = getpwnam(optarg);
 			if (!pwd)
 			{
@@ -989,27 +972,18 @@ void parse_params(int argc, char *argv[])
 				exit_clean(1);
 			}
 			params.uid = pwd->pw_uid;
-			params.gid_count=MAX_GIDS;
-#ifdef __APPLE__
-			// silence warning
-			if (getgrouplist(optarg,pwd->pw_gid,(int*)params.gid,&params.gid_count)<0)
-#else
-			if (getgrouplist(optarg,pwd->pw_gid,params.gid,&params.gid_count)<0)
-#endif
+			params.gid[0]=pwd->pw_gid;
+			params.gid_count=1;
+			if (!(params.user=strdup(optarg)))
 			{
-				DLOG_ERR("getgrouplist failed. too much groups ?\n");
+				DLOG_ERR("strdup: out of memory\n");
 				exit_clean(1);
 			}
-			if (!params.gid_count)
-			{
-				params.gid[0] = pwd->pw_gid;
-				params.gid_count = 1;
-			}
 			params.droproot = true;
 			break;
 		}
 		case IDX_UID:
-			params.droproot = true;
+			free(params.user); params.user=NULL;
 			if (!parse_uid(optarg,&params.uid,params.gid,&params.gid_count,MAX_GIDS))
 			{
 				DLOG_ERR("--uid should be : uid[:gid,gid,...]\n");
@@ -1020,6 +994,7 @@ void parse_params(int argc, char *argv[])
 				params.gid[0] = 0x7FFFFFFF;
 				params.gid_count = 1;
 			}
+			params.droproot = true;
 			break;
 		case IDX_MAXCONN:
 			params.maxconn = atoi(optarg);
@@ -1727,13 +1702,13 @@ void parse_params(int argc, char *argv[])

 #if !defined( __OpenBSD__) && !defined(__ANDROID__)
 	// do not need args from file anymore
-	cleanup_args();
+	cleanup_args(&params);
 #endif
 	if (bDry)
 	{
 		if (params.droproot)
 		{
-			if (!droproot(params.uid,params.gid,params.gid_count))
+			if (!droproot(params.uid,params.user,params.gid,params.gid_count))
 				exit_clean(1);
 #ifdef __linux__
 			if (!dropcaps())
@@ -2171,7 +2146,7 @@ int main(int argc, char *argv[])
 	}

 	set_ulimit();
-	if (params.droproot && !droproot(params.uid,params.gid,params.gid_count))
+	if (params.droproot && !droproot(params.uid,params.user,params.gid,params.gid_count))
 		goto exiterr;
 #ifdef __linux__
 	if (!dropcaps())
@@ -2215,6 +2190,6 @@ exiterr:
 	if (Fpid) fclose(Fpid);
 	redir_close();
 	for(i=0;i<=params.binds_last;i++) if (listen_fd[i]!=-1) close(listen_fd[i]);
-	cleanup_params();
+	cleanup_params(&params);
 	return exit_v;
 }