Commit

permit root_child spawning if owned by 'admin' group
This commit also allows BusKill to launch the root_child process if it's owned by the 'admin' group (with gid=80). It appears that on some installs it gets owned by 'staff' and on others it gets owned by 'admin'. All users are already members of 'staff', so that's not a problem. But 'admin' is an even more restrictive group, so it's actually safer to permit execution of a script as root that's owned by 'admin' than one that's owned by 'staff'.

This should help fix bug #77

maltfield committed Feb 26, 2024
1 parent 7972b41 commit 5a53577
Showing 2 changed files with 3 additions and 2 deletions.
1 change: 1 addition & 0 deletions docs/attribution.rst
Expand Up @@ -62,3 +62,4 @@ The reader may be interested to investigate the following similar projects:
* `pam_panic <https://github.com/pampanic/pam_panic>`_
* `pam_party <https://github.com/x13a/pam-party>`_
* `AirWatch <https://vandersecurity.com/airwatch>`_
* `swiftGuard <https://github.com/Lennolium/swiftGuard>`_
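Review bot: the swiftGuard entry added at the end of the similar-projects list in docs/attribution.rst is unrelated to the root_child ownership check and is not mentioned in the commit message. Consider moving it to its own commit so the change to the privilege check can be reviewed, bisected and reverted by itself.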
4 changes: 2 additions & 2 deletions src/packages/buskill/__init__.py
Expand Up @@ -680,8 +680,8 @@ def spawn_root_child(self):
return False

# verify the file is owned by group = root (or current group)
if group != 0 and group != os.getgid():
msg = 'ERROR: root_child is not owned by gid=0 nor your group. Refusing to spawn script as root!'
if group != 0 and group != 80 and group != os.getgid():
msg = 'ERROR: root_child is not owned by gid=0, admin, nor your group. Refusing to spawn script as root!'
print( msg ); logger.error( msg )
return False
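Review bot: the new `group != 80` term in the ownership condition of spawn_root_child() hardcodes a gid with no platform check visible in this hunk, so unless this function is only reached on macOS, the exemption applies wherever the code runs. gid 80 is the 'admin' group on macOS; on other systems that number can belong to an unrelated group or to none. Suggest a named constant in place of the literal and applying the term only on macOS, and updating the comment above the condition, which still reads `# verify the file is owned by group = root (or current group)`. Because the file is then executed as root, it is also worth confirming that group write permission on root_child is checked elsewhere in this function, since a group-writable file can be modified by any member of the owning group; that check is not visible in these lines.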
