process_prefix_flag: Drop privileges

Using --prefix in a setuid binary is quite dangerous. An unprivileged user could prepare a custom shadow file in home directory. During a data race the user could exchange directories with links which could lead to exchange of shadow file in system's /etc directory. This could be used for local privilege escalation. Signed-off-by: Samanta Navarro <ferivoz@riseup.net>
2023-05-18 11:56:17 +00:00 · 2023-05-18 11:56:17 +00:00 · 812f934e77
parent 1132b89236
commit 812f934e77
1 changed files with 9 additions and 0 deletions
--- a/libmisc/prefix_flag.c
+++ b/libmisc/prefix_flag.c
@ -85,6 +85,15 @@ extern const char* process_prefix_flag (const char* short_opt, int argc, char **


 	if (prefix != NULL) {
+		/* Drop privileges */
+		if (   (setregid (getgid (), getgid ()) != 0)
+		    || (setreuid (getuid (), getuid ()) != 0)) {
+			fprintf (log_get_logfd(),
+			         _("%s: failed to drop privileges (%s)\n"),
+			         log_get_progname(), strerror (errno));
+			exit (EXIT_FAILURE);
+		}
+
 		if ( prefix[0] == '\0' || !strcmp(prefix, "/"))
 			return ""; /* if prefix is "/" then we ignore the flag option */
 		/* should we prevent symbolic link from being used as a prefix? */