Support for setuid with supplementary groups

[martinvonwittich]

I've configured my webdav-server-rs like this to allow authenticated access to user homes:

[[location]]
  route = [ "/*path" ]
  methods = [ "webdav-rw" ]
  auth = "true"
  handler = "filesystem"
  on_notfound = "return"
  setuid = true
  directory = "~"
  autoindex = false
  hide-symlinks = false
  case-insensitive = "false"

This works well, with one exception: the users have symlinks to the groups they're in in a subfolder "Groups":

martin.mein-iserv.de /home/martin/Groups # ll
insgesamt 0
lrwxrwxrwx 1 root martin 19 Feb 20  2020  Admins -> /group/admins/Files/
lrwxrwxrwx 1 root martin 24 Jul 19  2019  Datenschutz -> /group/datenschutz/Files/
lrwxrwxrwx 1 root martin 26 Feb 20  2020 'Domain Admins' -> /group/domain.admins/Files/
lrwxrwxrwx 1 root martin 24 Aug 22  2018  Moderatoren -> /group/moderatoren/Files/

The permissions of these groups look like this:

martin.mein-iserv.de ~ # ll -d /group/admins 
drwxr-s--x 4 admins admins 4,0K Jan  9  2018 /group/admins/

My user has access to this folder via a supplementary group:

martin.mein-iserv.de ~ # id martin
uid=1004(martin) gid=1004(martin) Gruppen=1004(martin),27(sudo),1001(domain.admins),1011(moderatoren),1000(admins),12165(datenschutz),100000(domain.users),3000008(builtin.users),3000000(administrators),3000004(deny.rodc.password.replication)

webdav-server-rs will neither list these symlinks nor allow access to them when I manually input the path:

[2020-12-10T00:03:32Z DEBUG webdav_handler::davhandler] == START REQUEST PropFind "/Groups/"
[2020-12-10T00:03:32Z DEBUG webdav_handler::davhandler] == END REQUEST result OK
[2020-12-10T00:03:32Z DEBUG webdav_handler::davhandler] == START REQUEST PropFind "/Groups/Admins/"
[2020-12-10T00:03:32Z DEBUG webdav_handler::davhandler] == END REQUEST result OK
[2020-12-10T00:03:32Z ERROR webdav_handler::handle_props] read_dir error Forbidden
[2020-12-10T00:03:32Z DEBUG webdav_handler::davhandler] == START REQUEST PropFind "/Groups/Admins"
[2020-12-10T00:03:32Z DEBUG webdav_handler::davhandler] == END REQUEST result OK
[2020-12-10T00:03:32Z DEBUG webdav_handler::davhandler] == START REQUEST PropFind "/Groups/Admins"
[2020-12-10T00:03:32Z DEBUG webdav_handler::davhandler] == END REQUEST result OK

If I understand the issue correctly, this is most probably due to the fact that webdav-server-rs doesn't set the supplementary groups of the user it is setuid'ing to. Sounds like this might be resolvable with initgroups, but so far I haven't been able to figure out how to adapt webdav-server-rs to use this.

[miquels]

Yes, you're right- it would involve adding setgroups code (actually, libc::SYS_setgroups) code in suid.rs. I'm looking at that right now.

[miquels]

The latest version in the repo now has support for this. You need to set the supplementary-groups option in the unix section to enable it:

[unix]
supplementary-groups = true

Please test :)

[florianjacob]

Works for me, thanks alot! 🥳

[martinvonwittich]

Thanks! The supplementary groups work now, e.g. when I bind-mount a group into my home:

martin.mein-iserv.de /home/martin/Groups2 # mkdir Admins
martin.mein-iserv.de /home/martin/Groups2 # mount --bind /group/admins/Files Admins
martin.mein-iserv.de /home/martin/Groups2 # ll -d Admins 
drwxrws--- 2 root admins 4,0K Sep 30  2019 Admins/
martin.mein-iserv.de /home/martin/Groups2 # mount|grep Admins
/dev/sda2 on /home/martin/Groups2/Admins type ext4 (rw,relatime,errors=remount-ro)

then I can access the contents in Caja in dav://martin.mein-iserv.de:4918/Groups2/Admins . The necessary configuration option supplementary-groups should probably be added to webdav-server.toml so it is obvious that the option exists.

But unfortunately I'm still having trouble with my symlinks:

martin.mein-iserv.de /home/martin/Groups # ll
insgesamt 0
lrwxrwxrwx 1 root martin 19 Feb 20  2020  Admins -> /group/admins/Files/
lrwxrwxrwx 1 root martin 24 Jul 19  2019  Datenschutz -> /group/datenschutz/Files/
lrwxrwxrwx 1 root martin 26 Feb 20  2020 'Domain Admins' -> /group/domain.admins/Files/
lrwxrwxrwx 1 root martin 24 Aug 22  2018  Moderatoren -> /group/moderatoren/Files/

These just don't show up in WebDAV; dav://martin.mein-iserv.de:4918/Groups is just empty.

Ah, but this probably isn't related to the supplementary groups at all, is it? I've tried a simple symlink that just points to another directory, and "src" also doesn't show up in WebDAV:

martin.mein-iserv.de /home/martin/Files # ll src dst -d
drwxrwsr-x 2 martin martin 4,0K Jan  7 21:58 dst/
lrwxrwxrwx 1 root   martin    3 Jan  7 21:58 src -> dst/