netdata now sets the supplementary groups of its user #115
authorCosta Tsaousis (ktsaou) <costa@tsaousis.gr>
Wed, 27 Apr 2016 08:14:13 +0000 (11:14 +0300)
committerCosta Tsaousis (ktsaou) <costa@tsaousis.gr>
Wed, 27 Apr 2016 08:14:13 +0000 (11:14 +0300)
src/daemon.c

index 9dcf32f0ba6b7482c0840b29b405c4a43ba9d6aa..6b671bee1fa7a6f4b1ea7bed26576202e1ebe0b9 100644 (file)
@@ -10,6 +10,7 @@
 #include <string.h>
 #include <sys/types.h>
 #include <pwd.h>
+#include <grp.h>
 #include <pthread.h>
 #include <sys/wait.h>
 #include <sys/stat.h>
@@ -85,6 +86,21 @@ int become_user(const char *username)
        uid_t uid = pw->pw_uid;
        gid_t gid = pw->pw_gid;
 
+       int ngroups =  sysconf(_SC_NGROUPS_MAX);
+       gid_t *supplementary_groups = NULL;
+       if(ngroups) {
+               supplementary_groups = malloc(sizeof(gid_t) * ngroups);
+               if(supplementary_groups) {
+                       if(getgrouplist(username, gid, supplementary_groups, &ngroups) == -1) {
+                               error("Cannot get supplementary groups of user '%s'.", username);
+                               free(supplementary_groups);
+                               supplementary_groups = NULL;
+                               ngroups = 0;
+                       }
+               }
+               else fatal("Cannot allocate memory for %d supplementary groups", ngroups);
+       }
+
        if(pidfile[0] && getuid() != uid) {
                // we are dropping privileges
                if(chown(pidfile, uid, gid) != 0)
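Review bot: `sysconf(_SC_NGROUPS_MAX)` returns -1 when the limit is indeterminate, and the `if(ngroups)` test on the next line accepts that -1 as a count, so `malloc(sizeof(gid_t) * ngroups)` is asked for a size that wrapped through size_t and the daemon presumably ends in `fatal()` instead of merely skipping the group list. I'd write the first two lines as `long ngroups_max = sysconf(_SC_NGROUPS_MAX);` and `int ngroups = (ngroups_max > 0) ? (int)ngroups_max : 0;`. `getgrouplist` also returns -1 when the buffer is too small (glibc then stores the required count back into `ngroups`), so the error branch could retry once with the returned size before giving up — as written, any failure here means `setgroups` is later skipped entirely. `become_user` starts before this hunk.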
@@ -102,6 +118,15 @@ int become_user(const char *username)
                pidfd = -1;
        }
 
+       if(supplementary_groups && ngroups) {
+               if(setgroups(ngroups, supplementary_groups) == -1)
+                       error("Cannot set supplementary groups for user '%s'", username);
+
+               free(supplementary_groups);
+               supplementary_groups = NULL;
+               ngroups = 0;
+       }
+
        if(setresgid(gid, gid, gid) != 0) {
                error("Cannot switch to user's %s group (gid: %d).", username, gid);
                return -1;
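Review bot: A failed `setgroups()` on the added lines is only logged, and when no list was built earlier (`supplementary_groups` is NULL) the whole block is skipped, so either way `become_user` carries on to `setresgid` — and presumably `setresuid` past the end of the hunk — with the supplementary groups inherited from the root process still attached, then reports success; that is an incomplete privilege drop the caller cannot detect. The `setresgid` failure right below is already treated as fatal for the function with `return -1`, and the group-list step deserves the same treatment when privileges are really being dropped (`getuid() != uid`, the condition the pidfile code earlier in the function already uses), with `setgroups(1, &gid)` as the fallback when no list is available; an unprivileged process cannot call `setgroups()` at all, so the check must not fire when already running as that user. The enclosing function begins before and continues after this hunk.
```c
// … unchanged: pidfile chown/close …
if(supplementary_groups && ngroups) {
        int rc = setgroups(ngroups, supplementary_groups);
        free(supplementary_groups);
        supplementary_groups = NULL;
        ngroups = 0;
        if(rc == -1) {
                error("Cannot set supplementary groups for user '%s'", username);
                // an unprivileged process cannot call setgroups() at all, so only
                // treat this as fatal when we are really dropping privileges
                if(getuid() != uid) return -1;
        }
}
else if(getuid() != uid && setgroups(1, &gid) == -1) {
        // no list could be built: still drop the supplementary groups inherited from root
        error("Cannot reset supplementary groups for user '%s'", username);
        return -1;
}
// … unchanged: setresgid …
```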