itycodes
/
convince
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix ordering of setgid and setuid

Browse Source 
It looks like the code to drop privileges may have been broken via
commit 37f0e1f. That commit reverted the correct order from #911, which
first drops the gid then the uid. If setuid is called first then the
target user may not have the ability to setgid.
master
Teddy Reed 5 years ago committed by Simon Ser
parent 0b709702c1
commit 31a83bd48d
1 changed files with 8 additions and 3 deletions
Show Stats Download Patch File Download Diff File

11
sway/main.c
Unescape View File

@ -186,12 +186,17 @@ static void log_kernel(void) {
static bool drop_permissions(void) { static bool drop_permissions(void) {
if (getuid() != geteuid() || getgid() != getegid()) { if (getuid() != geteuid() || getgid() != getegid()) {
if (setuid(getuid()) != 0 || setgid(getgid()) != 0) { // Set the gid and uid in the correct order.
sway_log(SWAY_ERROR, "Unable to drop root, refusing to start"); if (setgid(getgid()) != 0) {
sway_log(SWAY_ERROR, "Unable to drop root group, refusing to start");
return false;
}
if (setuid(getuid()) != 0) {
sway_log(SWAY_ERROR, "Unable to drop root user, refusing to start");
return false; return false;
} }
} }
if (setuid(0) != -1) { if (setgid(0) != -1 || setuid(0) != -1) {
sway_log(SWAY_ERROR, "Unable to drop root (we shouldn't be able to " sway_log(SWAY_ERROR, "Unable to drop root (we shouldn't be able to "
"restore it after setuid), refusing to start"); "restore it after setuid), refusing to start");
return false; return false;

Write Preview
Loading…
Cancel
Save