diff options
author | Samanta Navarro <ferivoz@riseup.net> | 2023-05-18 11:56:17 +0000 |
---|---|---|
committer | Iker Pedrosa <ikerpedrosam@gmail.com> | 2023-05-18 15:36:59 +0200 |
commit | 812f934e77700afedbf5e929b282f29a47b2d9c6 (patch) | |
tree | aa6d7626901c079f6e91de757ca7ee03f5c7c469 | |
parent | 1132b8923624b07183c2202c63c21ad4325ee5e8 (diff) |
process_prefix_flag: Drop privileges
Using --prefix in a setuid binary is quite dangerous. An unprivileged
user could prepare a custom shadow file in home directory. During a data
race the user could exchange directories with links which could lead to
exchange of shadow file in system's /etc directory.
This could be used for local privilege escalation.
Signed-off-by: Samanta Navarro <ferivoz@riseup.net>
-rw-r--r-- | libmisc/prefix_flag.c | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/libmisc/prefix_flag.c b/libmisc/prefix_flag.c index 56243f2e..d7acb9ca 100644 --- a/libmisc/prefix_flag.c +++ b/libmisc/prefix_flag.c @@ -85,6 +85,15 @@ extern const char* process_prefix_flag (const char* short_opt, int argc, char ** if (prefix != NULL) { + /* Drop privileges */ + if ( (setregid (getgid (), getgid ()) != 0) + || (setreuid (getuid (), getuid ()) != 0)) { + fprintf (log_get_logfd(), + _("%s: failed to drop privileges (%s)\n"), + log_get_progname(), strerror (errno)); + exit (EXIT_FAILURE); + } + if ( prefix[0] == '\0' || !strcmp(prefix, "/")) return ""; /* if prefix is "/" then we ignore the flag option */ /* should we prevent symbolic link from being used as a prefix? */ |