mirror of
https://github.com/beard7n/bsdports.git
synced 2026-04-10 02:21:15 +02:00
96 lines
3.0 KiB
C
96 lines
3.0 KiB
C
--- ./libgamin/gam_fork.c.orig 2007-07-04 16:36:48.000000000 +0300
|
|
+++ ./libgamin/gam_fork.c 2014-12-25 04:59:21.000000000 +0200
|
|
@@ -42,6 +42,78 @@
|
|
return NULL;
|
|
}
|
|
|
|
+#ifdef RUN_AS_EUID
|
|
+/**
|
|
+ * gamin_drop_privileges
|
|
+ *
|
|
+ * Attempt to drop privileges to another user and group before forking
|
|
+ * a copy of the gam server
|
|
+ *
|
|
+ * Return 0 in case of success or -1 in case of detected error.
|
|
+ */
|
|
+int
|
|
+gamin_drop_privileges(int to_uid, int to_gid)
|
|
+{
|
|
+ GAM_DEBUG(DEBUG_INFO, "Dropping privileges to %d:%d before forking server\n", to_uid, to_gid);
|
|
+
|
|
+ /* Get the current real user and group */
|
|
+ int from_uid = getuid();
|
|
+ int from_gid = getgid();
|
|
+
|
|
+ /* Make sure we were able to get the user and group values */
|
|
+ if ( from_uid == -1 || to_uid == -1 || from_gid == -1 || to_gid == -1 ) {
|
|
+ gam_error(DEBUG_INFO, "failed to get user or group info, unable to drop privileges\n");
|
|
+ return(-1);
|
|
+ }
|
|
+
|
|
+ /* Refuse to run setuid if it would escalate privileges */
|
|
+ if ( from_uid != 0 && to_uid == 0 )
|
|
+ {
|
|
+ gam_error(DEBUG_INFO, "refusing to escalate user privileges from=%d to=%d\n", from_uid, to_uid);
|
|
+ return(-1);
|
|
+ }
|
|
+
|
|
+ /* Refuse to run setgid if it would escalate privileges */
|
|
+ if ( from_gid != 0 && to_gid == 0 )
|
|
+ {
|
|
+ gam_error(DEBUG_INFO, "refusing to escalate group privileges from=%d to=%d\n", from_gid, to_gid);
|
|
+ return(-1);
|
|
+ }
|
|
+
|
|
+ /* Run setuid to drop privileges to the effective user */
|
|
+ if ( from_uid != to_uid ) {
|
|
+ GAM_DEBUG(DEBUG_INFO, "Attempting setuid from=%d to=%d\n", from_uid, to_uid);
|
|
+
|
|
+ /* run setuid and check for errors */
|
|
+ if (setuid(to_uid) == -1) {
|
|
+ gam_error(DEBUG_INFO, "failed to run setuid from=%d to=%d\n", from_uid, to_uid);
|
|
+ return(-1);
|
|
+ }
|
|
+ }
|
|
+ else {
|
|
+ GAM_DEBUG(DEBUG_INFO, "Already running as effective user, skipping setuid\n");
|
|
+ }
|
|
+
|
|
+ /* Run setgid to drop privileges to the effective group */
|
|
+ if ( from_gid != to_gid ) {
|
|
+ GAM_DEBUG(DEBUG_INFO, "Attempting setgid from=%d to=%d\n", from_gid, to_gid);
|
|
+
|
|
+ /* run setuid and check for errors */
|
|
+ if (setgid(to_gid) == -1) {
|
|
+ gam_error(DEBUG_INFO, "failed to run setgid from=%d to=%d\n", from_gid, to_gid);
|
|
+ return(-1);
|
|
+ }
|
|
+ }
|
|
+ else {
|
|
+ GAM_DEBUG(DEBUG_INFO, "Already running as effective group, skipping setgid\n");
|
|
+ }
|
|
+
|
|
+ GAM_DEBUG(DEBUG_INFO, "Succeeded in dropping privileges from %d:%d to %d:%d\n", from_uid, from_gid, to_uid, to_gid);
|
|
+
|
|
+ return(0);
|
|
+}
|
|
+#endif
|
|
+
|
|
/**
|
|
* gamin_fork_server:
|
|
* @fam_client_id: the client ID string to use
|
|
@@ -71,6 +143,13 @@
|
|
long open_max;
|
|
long i;
|
|
|
|
+#ifdef RUN_AS_EUID
|
|
+ /* Drop privileges to the current effective uid/gid and return on failure */
|
|
+ if(gamin_drop_privileges( geteuid(), getegid() ) == -1) {
|
|
+ return(-1);
|
|
+ }
|
|
+#endif
|
|
+
|
|
/* don't hold open fd opened from the client of the library */
|
|
open_max = sysconf (_SC_OPEN_MAX);
|
|
for (i = 0; i < open_max; i++)
|