Invoke initgroups() iff we got enough privileges (apache#11869) (apac…

…he#11872) Follow up of apache#11855, that rendered unusable ATS as root when spawned via traffic_manager.
bneradt · Nov 21, 2024 · d4dda9b · d4dda9b
1 parent a8932cf
commit d4dda9b
Showing 1 changed file with 4 additions and 2 deletions.
diff --git a/src/tscore/ink_cap.cc b/src/tscore/ink_cap.cc
@@ -156,8 +156,10 @@ impersonate(const struct passwd *pwd, ImpersonationLevel level)
 #endif
 
   // Always repopulate the supplementary group list for the new user.
-  if (initgroups(pwd->pw_name, pwd->pw_gid) != 0) {
-    Fatal("switching to user %s, failed to initialize supplementary groups ID %ld", pwd->pw_name, (long)pwd->pw_gid);
+  if (geteuid() == 0) { // check that we have enough rights to call initgroups()
+    if (initgroups(pwd->pw_name, pwd->pw_gid) != 0) {
+      Fatal("switching to user %s, failed to initialize supplementary groups ID %ld", pwd->pw_name, (long)pwd->pw_gid);
+    }
   }
 
   switch (level) {