diff options
| author | Julian Andres Klode <jak@debian.org> | 2014-09-24 22:18:16 +0200 |
|---|---|---|
| committer | Julian Andres Klode <jak@debian.org> | 2015-08-13 15:19:30 +0200 |
| commit | 5a3264396f9b167fa99fb6e375ae8b978d829a39 (patch) | |
| tree | 6c9055a3b03959df3ee6fb1a045eee6256fcba90 | |
| parent | 98cc7fd2c1d397623960baf69ae3cec04a87a23e (diff) | |
Use setresuid() and setresgid() where available
| -rw-r--r-- | apt-pkg/contrib/fileutl.cc | 16 | ||||
| -rw-r--r-- | buildlib/config.h.in | 4 | ||||
| -rw-r--r-- | configure.ac | 4 |
3 files changed, 19 insertions, 5 deletions
diff --git a/apt-pkg/contrib/fileutl.cc b/apt-pkg/contrib/fileutl.cc index a6af27b00..1be782bac 100644 --- a/apt-pkg/contrib/fileutl.cc +++ b/apt-pkg/contrib/fileutl.cc @@ -2252,22 +2252,32 @@ bool DropPrivileges() /*{{{*/ return _error->Error("No user %s, can not drop rights", toUser.c_str()); // Do not change the order here, it might break things + // Get rid of all our supplementary groups first if (setgroups(1, &pw->pw_gid)) return _error->Errno("setgroups", "Failed to setgroups"); + // Now change the group ids to the new user +#ifdef HAVE_SETRESGID + if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) != 0) + return _error->Errno("setresgid", "Failed to set new group ids"); +#else if (setegid(pw->pw_gid) != 0) return _error->Errno("setegid", "Failed to setegid"); if (setgid(pw->pw_gid) != 0) return _error->Errno("setgid", "Failed to setgid"); +#endif + // Change the user ids to the new user +#ifdef HAVE_SETRESUID + if (setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid) != 0) + return _error->Errno("setresuid", "Failed to set new user ids"); +#else if (setuid(pw->pw_uid) != 0) return _error->Errno("setuid", "Failed to setuid"); - - // the seteuid() is probably uneeded (at least thats what the linux - // man-page says about setuid(2)) but we cargo culted it anyway if (seteuid(pw->pw_uid) != 0) return _error->Errno("seteuid", "Failed to seteuid"); +#endif // Verify that the user has only a single group, and the correct one gid_t groups[1]; diff --git a/buildlib/config.h.in b/buildlib/config.h.in index 66ab33c2b..c6b1ee669 100644 --- a/buildlib/config.h.in +++ b/buildlib/config.h.in @@ -28,9 +28,11 @@ /* If there is no socklen_t, define this for the netdb shim */ #undef NEED_SOCKLEN_T_DEFINE -/* We need the getresuid() function */ +/* Check for getresuid() function and similar ones */ #undef HAVE_GETRESUID #undef HAVE_GETRESGID +#undef HAVE_SETRESUID +#undef HAVE_SETRESGID /* Define to the size of the filesize containing structures */ #undef _FILE_OFFSET_BITS diff --git a/configure.ac b/configure.ac index 2221833a1..feba7be61 100644 --- a/configure.ac +++ b/configure.ac @@ -174,9 +174,11 @@ AC_EGREP_HEADER(h_errno, netdb.h, [AC_MSG_RESULT(normal)], dnl check for setuid checking function -AC_CHECK_FUNCS(getresuid getresgid) +AC_CHECK_FUNCS(getresuid getresgid setresuid setresgid) AC_SUBST(HAVE_GETRESUID) AC_SUBST(HAVE_GETRESGID) +AC_SUBST(HAVE_SETRESUID) +AC_SUBST(HAVE_SETRESGID) dnl Check for doxygen AC_PATH_PROG(DOXYGEN, doxygen) |