From 812f934e77700afedbf5e929b282f29a47b2d9c6 Mon Sep 17 00:00:00 2001
From: Samanta Navarro <ferivoz@riseup.net>
Date: Thu, 18 May 2023 11:56:17 +0000
Subject: [PATCH] process_prefix_flag: Drop privileges
Using --prefix in a setuid binary is quite dangerous. An unprivileged
user could prepare a custom shadow file in home directory. During a data
race the user could exchange directories with links which could lead to
exchange of shadow file in system's /etc directory.
This could be used for local privilege escalation.
Signed-off-by: Samanta Navarro <ferivoz@riseup.net>
---
libmisc/prefix_flag.c | 9 +++++++++
1 file changed, 9 insertions(+)
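diff --git a/libmisc/prefix_flag.c b/libmisc/prefix_flag.c
index 56243f2e..d7acb9ca 100644
--- a/libmisc/prefix_flag.c
+++ b/libmisc/prefix_flag.c
@@ -85,6 +85,15 @@ extern const char* process_prefix_flag (const char* short_opt, int argc, char **
 
 
 if (prefix != NULL) {
+ /* Drop privileges */
+ if ( (setregid (getgid (), getgid ()) != 0)
+ || (setreuid (getuid (), getuid ()) != 0)) {
+ fprintf (shadow_logfd,
+ _("%s: failed to drop privileges (%s)\n"),
+ Prog, strerror (errno));
+ exit (EXIT_FAILURE);
+ }
+
 if ( prefix[0] == '\0' || !strcmp(prefix, "/"))
 return ""; /* if prefix is "/" then we ignore the flag option */
 /* should we prevent symbolic link from being used as a prefix? */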
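Review bot: The new block in `process_prefix_flag` checks only the return values of `setregid`/`setreuid` and never sets the saved set-IDs explicitly, so whether the drop is irreversible rests on the platform's `setreuid` semantics. Where `setresgid`/`setresuid` are available, `setresgid (getgid (), getgid (), getgid ())` followed by `setresuid (getuid (), getuid (), getuid ())` states the intent directly; if any caller is installed with file capabilities rather than setuid, neither form would presumably clear them. The drop also runs before the `prefix[0] == '\0'` / `"/"` early return, so a no-op prefix still drops privileges; that fails closed, but the comment should say so, e.g. `/* Drop privileges permanently: files under a caller-chosen prefix must never be opened with setuid rights */`. The function body starts and ends outside the hunk, so whatever ran with elevated rights before this point is not visible here.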
--
2.27.0