libmisc: Use safer chroot/chdir sequence

OpenSSH and coreutils' chroot call chroot first and then chdir. Doing it
this way is a bit safer because otherwise something could happen between
chdir and chroot to the specified path (like exchange of links) so the
working directory would not end up within the chroot environment.

This is a purely defensive measure.

Signed-off-by: Samanta Navarro <ferivoz@riseup.net>
Samanta Navarro 2023-05-23 11:57:50 +00:00 committed by Serge Hallyn
parent a116e20c76
commit 6491fef1e0
2 changed files with 6 additions and 6 deletions


@ -91,18 +91,18 @@ static void change_root (const char* newroot)
exit (E_BAD_ARG); exit (E_BAD_ARG);
} }
if (chdir (newroot) != 0) {
fprintf(log_get_logfd(),
_("%s: cannot chdir to chroot directory %s: %s\n"),
log_get_progname(), newroot, strerror (errno));
exit (E_BAD_ARG);
}
if (chroot (newroot) != 0) { if (chroot (newroot) != 0) {
fprintf(log_get_logfd(), fprintf(log_get_logfd(),
_("%s: unable to chroot to directory %s: %s\n"), _("%s: unable to chroot to directory %s: %s\n"),
log_get_progname(), newroot, strerror (errno)); log_get_progname(), newroot, strerror (errno));
exit (E_BAD_ARG); exit (E_BAD_ARG);
} }
if (chdir ("/") != 0) {
fprintf(log_get_logfd(),
_("%s: cannot chdir in chroot directory %s: %s\n"),
log_get_progname(), newroot, strerror (errno));
exit (E_BAD_ARG);
}
} }
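Review bot: The new chroot-then-chdir order in change_root is security-relevant, but nothing in the code says so, and a later cleanup could swap the two calls back without noticing. I would add a comment above the `chroot (newroot)` call, for example `/* chroot first, then chdir ("/"): newroot is resolved only once, so the working directory cannot end up outside the new root if the path changes between the two calls */`. The same ordering is introduced in subsystem() in the second file and would benefit from the same remark. change_root's body begins before this hunk, so any earlier checks on newroot are not visible here.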


@ -57,8 +57,8 @@ void subsystem (const struct passwd *pw)
* must be able to change into it. * must be able to change into it.
*/ */
if ( (chdir (pw->pw_dir) != 0) if ( (chroot (pw->pw_dir) != 0)
|| (chroot (pw->pw_dir) != 0)) { || (chdir ("/") != 0)) {
(void) printf (_("Can't change root directory to '%s'\n"), (void) printf (_("Can't change root directory to '%s'\n"),
pw->pw_dir); pw->pw_dir);
SYSLOG ((LOG_WARN, NO_SUBROOT2, pw->pw_dir, pw->pw_name)); SYSLOG ((LOG_WARN, NO_SUBROOT2, pw->pw_dir, pw->pw_name));