From 37295f52bda468527f2a7cbc3aa1fafabb5e8068 Mon Sep 17 00:00:00 2001 From: Mattias Andrée Date: Thu, 25 Mar 2021 10:06:27 +0100 Subject: Remove video group membership check and use file permissions and ownership instead MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Mattias Andrée
---
 Makefile | 7 +++++-- adjbacklight.c | 44 -------------------------------------------- config.mk | 2 ++ 3 files changed, 7 insertions(+), 46 deletions(-)
diff --git a/Makefile b/Makefile
index f3b9f72..8cbdd23 100644
--- a/Makefile
+++ b/Makefile
@@ -27,7 +27,10 @@ install: adjbacklight
 cp -- adjbacklight "$(DESTDIR)$(PREFIX)/bin"
 cp -- adjbacklight.1 "$(DESTDIR)$(MANPREFIX)/man1"
 cp -- LICENSE "$(DESTDIR)$(PREFIX)/share/licenses/adjbacklight"
- chmod -- 4755 "$(DESTDIR)$(PREFIX)/bin/adjbacklight"
+
+post-install:
+ chown -- '0:$(VIDEO_GROUP)' "$(DESTDIR)$(PREFIX)/bin/adjbacklight"
+ chmod -- 4754 "$(DESTDIR)$(PREFIX)/bin/adjbacklight"
 uninstall:
 -rm -- "$(DESTDIR)$(PREFIX)/bin/adjbacklight"
@@ -38,4 +41,4 @@ uninstall:
 clean:
 -rm -rf -- adjbacklight test *.o .testdir
-.PHONY: all check install uninstall clean
+.PHONY: all check install post-install uninstall clean
diff --git a/adjbacklight.c b/adjbacklight.c
index 6fa0066..80dd4a5 100644
--- a/adjbacklight.c
+++ b/adjbacklight.c
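Review bot: The `install` target in the Makefile no longer sets the mode of the copied binary, so a set-uid bit left by an earlier install is not cleared on upgrade. `cp` writes into an existing destination without changing its mode, and when run as root the write most likely keeps the bit, so a binary installed as 4755 by the previous version may stay root set-uid and world-executable after `make install`, now without the in-program `video` check this commit deletes from adjbacklight.c. Only `post-install` narrows access to 4754 with owner `0:$(VIDEO_GROUP)`, and nothing visible in the hunk makes `install` invoke it. I would reset the mode right after the copy in `install`, `chmod -- 755 "$(DESTDIR)$(PREFIX)/bin/adjbacklight"`, and put a comment above `post-install:` such as `# Run as root after install: access control now rests solely on this ownership and mode`. The chown-before-chmod order in `post-install` is correct and should be kept, since changing ownership can clear the set-uid bit.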
@@ -226,47 +226,6 @@ handle_device(const char *device, int get, int set, double adj, int inc, const c
 }
-static void
-check_permissions(void)
-{
- long int ngroups_max;
- gid_t *groups;
- int ngroups;
- struct group *videogrp = getgrnam("video");
-
- if (!getuid())
- return;
-
- if (!videogrp && errno && errno != ENOENT && errno != ESRCH && errno != EPERM) {
- /* Note, glibc sets errno to EIO if the group does not exist,
- * this is the not the specified behavour by either POSIX or
- * glibc, and it would be a security issue to treat it as OK.
- * Additionally, EBADF is not treated as OK. */
- fprintf(stderr, "%s: getgrnam video: %s\n", argv0, strerror(errno));
- exit(1);
- } else if (videogrp) {
- ngroups_max = sysconf(_SC_NGROUPS_MAX) + 1;
- if (ngroups_max < 0 || ngroups_max > INT_MAX - 1) {
- fprintf(stderr, "%s: sysconf _SC_NGROUPS_MAX: %s\n", argv0, strerror(errno));
- exit(1);
- }
- groups = alloca((size_t)ngroups_max * sizeof(*groups));
- ngroups = getgroups((int)ngroups_max, groups);
- if (ngroups < 0) {
- fprintf(stderr, "%s: getgroups: %s\n", argv0, strerror(errno));
- exit(1);
- }
- while (ngroups--)
- if (groups[ngroups] == videogrp->gr_gid)
- break;
- if (ngroups < 0) {
- fprintf(stderr, "%s: only root and members of the group 'video' may run this command\n", argv0);
- exit(1);
- }
- }
-}
-
-
 static int
 parse_set_argument(const char *str, char *set_prefix, double *set_value, const char **set_suffix)
 {
@@ -429,9 +388,6 @@ main(int argc, char *argv[])
 if (set && parse_set_argument(set, &set_prefix, &set_value, &set_suffix))
 usage();
- /* Check permissions (important because the program is installed with set-uid) */
- check_permissions();
-
 if (!get && !set) {
 isinteractive = isatty(STDIN_FILENO);
 if (isinteractive && init_terminal(&pid, &saved_stty))
diff --git a/config.mk b/config.mk
index 6f50bbb..60571ad 100644
--- a/config.mk
+++ b/config.mk
@@ -1,6 +1,8 @@
 PREFIX = /usr/local
 MANPREFIX = $(PREFIX)/share/man
+VIDEO_GROUP = video
+
 CCFLAGS = -std=c99 -Wall -Wextra -O2
 CPPFLAGS = -D_DEFAULT_SOURCE -D_BSD_SOURCE -D_XOPEN_SOURCE=700
 LDFLAGS = -s
--
cgit v1.2.3-70-g09d2