
DropPrivs: Also check for saved set-user-ID and set-group-ID

debian/1.8.y
Julian Andres Klode 8 years ago
parent
commit
550ab420d3
  1. 20
      apt-pkg/contrib/fileutl.cc
  2. 4
      buildlib/config.h.in
  3. 6
      configure.ac

20
apt-pkg/contrib/fileutl.cc

@ -2237,6 +2237,26 @@ bool DropPrivs()
if (geteuid() != pw->pw_uid)
return _error->Error("Could not switch effective user");
#ifdef HAVE_GETRESUID
uid_t ruid = 0;
uid_t euid = 0;
uid_t suid = 0;
if (getresuid(&ruid, &euid, &suid))
return _error->Errno("getresuid", "Could not get saved set-user-ID");
if (suid != pw->pw_uid)
return _error->Error("Could not switch saved set-user-ID");
#endif
#ifdef HAVE_GETRESGID
gid_t rgid = 0;
gid_t egid = 0;
gid_t sgid = 0;
if (getresgid(&rgid, &egid, &sgid))
return _error->Errno("getresuid", "Could not get saved set-group-ID");
if (sgid != pw->pw_gid)
return _error->Error("Could not switch saved set-group-ID");
#endif
/* TODO: Check saved uid/saved gid as well */
return true;
}
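Review bot: The `getresgid()` failure path inside the `HAVE_GETRESGID` block names the wrong call: it passes `"getresuid"` to `_error->Errno`, so a failed group-ID query is reported as a user-ID failure; it should read `return _error->Errno("getresgid", "Could not get saved set-group-ID");`. The `/* TODO: Check saved uid/saved gid as well */` comment just below appears to survive the change and now describes work this commit does, so it should be dropped or reworded. Both new checks are compiled out when the configure probes do not find the functions, in which case `DropPrivs()` returns true without verifying the saved IDs; a short comment at each `#ifdef` saying so would make that fallback explicit. `DropPrivs()` begins above the hunk, so the earlier ID-switching calls are not visible here.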

4
buildlib/config.h.in

@ -28,6 +28,10 @@
/* If there is no socklen_t, define this for the netdb shim */
#undef NEED_SOCKLEN_T_DEFINE
/* We need the getresuid() function */
#undef HAVE_GETRESUID
#undef HAVE_GETRESGID
/* Define to the size of the filesize containing structures */
#undef _FILE_OFFSET_BITS

6
configure.ac

@ -172,6 +172,12 @@ AC_EGREP_HEADER(h_errno, netdb.h, [AC_MSG_RESULT(normal)],
[AC_MSG_ERROR("not found.")])
])
dnl check for setuid checking function
AC_CHECK_FUNCS(getresuid getresgid)
AC_SUBST(HAVE_GETRESUID)
AC_SUBST(HAVE_GETRESGID)
dnl Check for doxygen
AC_PATH_PROG(DOXYGEN, doxygen)
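Review bot: A platform lacking `getresuid` or `getresgid` will configure cleanly and build without the saved-ID verification, because `AC_CHECK_FUNCS(getresuid getresgid)` is given no not-found action. Giving it one would make the downgrade visible, for example `AC_CHECK_FUNCS(getresuid getresgid, [], [AC_MSG_WARN([saved set-ID check in DropPrivs disabled])])`. The two `AC_SUBST` lines also look unnecessary: `AC_CHECK_FUNCS` already emits the `HAVE_GETRESUID`/`HAVE_GETRESGID` defines into the config header, and no shell variable of those names is set in the lines shown, so the substitutions would presumably expand to nothing.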
